IT administrators using Splunk can now integrate BeyondTrust Privileged Remote Access (PRA) to strengthen access control, identify and prioritize threats seamlessly in real time, and remediate incidents proactively.

The BeyondTrust PRA integration helps safeguard your business by giving you complete visibility into activity across the IT infrastructure, including external threats such as malware and hackers, internal threats such as data breaches and fraud, risks from application flaws and configuration changes, and compliance pressures from failed audits.

Through the integration, session event data captured through BeyondTrust PRA's rich logging capability is populated into Splunk's platform, and reports are provided for security review.

Prerequisites

Confirm software versions

Using this integration requires the following software and versions:

  • A currently supported version of BeyondTrust Privileged Remote Access.
  • Splunk On-Premises or Cloud: 6.3.0 or newer.

Review network considerations

The following network communication channels must be open for the integration to work properly:

Outbound From                    Inbound To                       TCP Port   Purpose
Splunk Server                    BeyondTrust Appliance B Series   443        Session event data pulled from the Reporting API
BeyondTrust Appliance B Series   Splunk Server                    514        Syslog event information from the B Series Appliance
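The two channels in the table can be checked before the app is installed. The script below is an added example, not code from BeyondTrust or Splunk: run on the Splunk server, it confirms that the appliance answers on TCP 443 (the Reporting API path) and sends a single RFC 5424 test line to the Splunk syslog listener on port 514 so the receiving input can be confirmed with a search. The hostnames are constructed placeholders, and whether your Splunk input listens on UDP or TCP 514 is an assumption you must match to your own configuration.

```python
# Added example (not BeyondTrust's or Splunk's code): verify the two network
# paths the integration needs and push one test syslog message at the Splunk
# listener. Hostnames here are constructed placeholders.
import socket
from datetime import datetime, timezone
from typing import Optional

# Constructed placeholders; replace with your own hosts.
PRA_APPLIANCE = "support.example.com"
SPLUNK_SERVER = "splunk.example.com"

# RFC 5424 facility/severity codes used for the test message.
FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6


def syslog_priority(facility: int, severity: int) -> int:
    """RFC 5424 PRI value: facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def build_syslog_message(hostname: str, app_name: str, msg: str,
                         facility: int = FACILITY_LOCAL0,
                         severity: int = SEVERITY_INFO,
                         timestamp: Optional[datetime] = None) -> str:
    """Format an RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
    PROCID, MSGID and structured data are left as NILVALUE ('-')."""
    ts = (timestamp or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    ts = ts.replace("+00:00", "Z")
    return f"<{syslog_priority(facility, severity)}>1 {ts} {hostname} {app_name} - - - {msg}"


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def send_test_syslog(server: str, port: int, message: str, use_tcp: bool = False) -> None:
    """Deliver one syslog line. Assumption: the Splunk input listens on UDP 514
    unless use_tcp is set; match this to how the input was configured."""
    data = message.encode("utf-8")
    if use_tcp:
        with socket.create_connection((server, port), timeout=3.0) as sock:
            sock.sendall(data + b"\n")
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.sendto(data, (server, port))


if __name__ == "__main__":
    # Outbound 443 from the Splunk server to the appliance (Reporting API path).
    print("appliance:443 reachable:", tcp_port_open(PRA_APPLIANCE, 443))
    # Inbound 514 on the Splunk server: send a marker you can then search for.
    marker = build_syslog_message(PRA_APPLIANCE, "pra-integration-check",
                                  "test message for Splunk syslog input")
    send_test_syslog(SPLUNK_SERVER, 514, marker)
    print("sent:", marker)
```

After sending the marker, search the index your syslog input writes to for the app name "pra-integration-check"; if the line is indexed, the listener and the firewall path are working and any remaining gap is on the appliance side of the syslog configuration.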

Configure Privileged Remote Access

The Splunk integration supports consumption of syslog output directly from the B Series Appliance.

Create the syslog feed

  1. Sign into BeyondTrust B Series Appliance.
    Your URL is the hostname of your B Series Appliance followed by /appliance (for example, https://support.example.com/appliance).

  2. From the top menu, click Security > Appliance Administration.
    The Syslog section of the page displays fields for the syslog server address, message format, and port, and an option to upload a trusted certificate.

  3. In the Syslog section, enter the hostname or IP address for your Remote Syslog Server.

  4. Select your preferred message format.

  5. Click Submit.
    The syslog feed is created.

Verify the API is enabled

This integration requires the BeyondTrust XML API to be enabled. This feature is used by the Splunk app to communicate with the BeyondTrust APIs.

Go to /login > Management > API Configuration and verify that Enable XML API is checked.

Create an OAuth API account

The Splunk API account is used from within Splunk to make Command API calls to Privileged Remote Access.

  1. In /login, navigate to Management > API Configuration.

  2. Click Add.

  3. Check Enabled.

  4. Enter a name for the account.

  5. Note the OAuth Client ID and OAuth Client Secret; they are used during the OAuth configuration step in Splunk.

  6. Under Permissions, check the following:

    • Command API: Full Access.
    • Reporting API: Allow Access to Support Session Reports and Recordings, and Allow Access to Presentation Session Reports and Recordings.
  7. Click Save at the top of the page to create the account.

Configure Splunk

The integration application is available on Splunkbase. You must log in to your Splunk account to download the application.

Once the new application is installed, follow these steps in the app to configure it:

  1. In the list of Splunk Apps, click the new BeyondTrust Privileged Remote Access option.

  2. On the BeyondTrust Privileged Remote Access Inputs page, click Create New Input.

  3. Enter the required input information:

    • Name: Desired unique input name.
    • Interval: Desired polling interval. A short polling interval can result in poor performance. At least 60 seconds is recommended.
    • Index: Must be beyondtrust_pra. Create this index if it does not already exist.
    • PRA Site hostname: Your Privileged Remote Access hostname. Do not include the protocol (https://) or other URL components. This value must be the hostname only. For example, support.example.com.
    • Client ID: Your previously configured Client ID.
    • Client Secret: Your previously configured Client Secret.
  4. Click Add.
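Before entering the Client ID and Client Secret into the Splunk input, it is worth confirming outside Splunk that the API account can actually obtain a token, and that the PRA Site hostname value is a bare hostname as the input requires. The script below is an added example, not code from BeyondTrust or the Splunk app. It assumes the PRA OAuth 2.0 client-credentials token endpoint lives at /oauth2/token and accepts the Client ID and Secret as HTTP Basic credentials, which is how BeyondTrust's public API documentation describes it; verify the path against your PRA version. The hostname and credentials in the usage block are constructed placeholders.

```python
# Added example, not BeyondTrust's or the Splunk app's code: validate the
# hostname value the input expects and exercise the OAuth API account with a
# client-credentials token request. TOKEN_PATH is an assumption taken from
# BeyondTrust's public API documentation.
import base64
import json
import re
import urllib.request
from typing import Dict, Tuple

TOKEN_PATH = "/oauth2/token"  # assumed PRA OAuth 2.0 token endpoint

# Labels of 1-63 alphanumerics/hyphens, at least one dot, no trailing dot.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I
)


def validate_pra_hostname(value: str) -> str:
    """Accept only a bare hostname, as the PRA Site hostname field requires.
    A protocol, port or path is rejected rather than silently stripped so the
    misconfiguration is visible instead of being corrected behind the scenes."""
    value = value.strip()
    if "://" in value or "/" in value or ":" in value:
        raise ValueError(f"hostname only, no protocol, port or path: {value!r}")
    if not HOSTNAME_RE.match(value):
        raise ValueError(f"not a valid hostname: {value!r}")
    return value.lower()


def build_token_request(host: str, client_id: str, client_secret: str) -> Tuple[str, Dict[str, str], bytes]:
    """Client-credentials grant: the ID/secret travel in a Basic auth header,
    the form body carries only grant_type."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    url = f"https://{validate_pra_hostname(host)}{TOKEN_PATH}"
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return url, headers, b"grant_type=client_credentials"


def parse_token_response(raw: bytes) -> Dict[str, object]:
    """Return the access token and its lifetime; fail loudly on anything else."""
    data = json.loads(raw)
    token = data.get("access_token")
    if not token or str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("response did not contain a bearer access_token")
    return {"access_token": token, "expires_in": int(data.get("expires_in", 0))}


def fetch_token(host: str, client_id: str, client_secret: str, timeout: float = 10.0) -> Dict[str, object]:
    """Perform the live token request (network call; not exercised offline)."""
    url, headers, body = build_token_request(host, client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read())


if __name__ == "__main__":
    import getpass
    # Constructed placeholders; the secret is read interactively, never hard-coded.
    host = validate_pra_hostname("support.example.com")
    client_id = "example-client-id"
    client_secret = getpass.getpass("OAuth Client Secret: ")
    result = fetch_token(host, client_id, client_secret)
    print(f"token obtained, expires in {result['expires_in']} seconds")
```

A 401 from the token endpoint points at the Client ID/Secret or the account's Enabled checkbox; a token that is issued but later produces 403s on report calls points at the Reporting API permissions on the account.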

Troubleshooting


Selected timeframe is incorrect

Ensure the selected timeframe is correct and verify that sessions have ended or administrative actions are taken within that timeframe.

To do this, click Show Filters and make sure that the timeframe you've chosen is one in which data should exist.

Input interval is not completed

Ensure that the input interval has run since the data you're expecting to see was generated. This only applies to session data / events.

For example, if you ran a test session that ended one minute ago but the input is set to run every two minutes (120 seconds), it's possible that the app simply hasn't queried for new data since your test session ended.

Verify the indexed data behind the queries

Check the indexed data behind the queries. To do this, hover over any dashboard section and click Open in Search. This shows the actual query and the events that feed that section. You can widen the search by expanding the timeframe, editing the query to remove some of the filters, or both.

Administrative actions are missing

If you seem to be missing events that represent administrative actions, verify your Syslog configuration on the appliance as well as the corresponding input in Splunk.

Note: An administrative action, for the purposes of this section, is a login or logout or any configuration change made on the BeyondTrust instance.

Events are missing within a session

If you seem to be missing events that represent actions within a session and have verified the things that apply to this source of data, it may be helpful to check the Splunk App's logs.

  • On a Splunk Enterprise site where you have access to the file system, you can find the actual log file under the Splunk install directory or a path similar to:

<path_to_splunk_install>\var\log\splunk\beyondtrust_pra_integration_beyondtrust_pra_reporting_api_session_events.log

  • On a Splunk Cloud site or if you don't have access to the file system for a Splunk Enterprise deployment, application logs should be indexed and searchable via the standard Search and Reporting interface in Splunk.

To do this, navigate to that app, select an appropriate timeframe, and enter the following basic search query:

index="_internal" sourcetype="beyondtrustpraintegration:log"

Note: Set the app's log level to DEBUG to get the best results. To set the level, go to the Configuration tab in the app.


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.