
How is the Splunk integration useful?

IT administrators using Splunk can integrate BeyondTrust Remote Support (RS) to strengthen access control, identify and prioritize threats seamlessly in real time, and remediate incidents proactively.

Through the integration, security events generated by Remote Support and appliance interfaces and any clients that generate syslog messages (such as the representative console) are captured through BeyondTrust Remote Support's rich logging capability. This integration securely populates this data into Splunk's platform, and reports are provided for security review.

Prerequisites

Software versions

Using this integration requires the following software and versions:

  • A currently supported version of BeyondTrust Remote Support. To confirm your version is supported, contact Support or refer to the BeyondTrust End of Life Policy.
  • Splunk On-Premises or Cloud: 6.3.0 or newer.

Network considerations

The following network communication channels must be open for the integration to work properly:

| Outbound From | Inbound To | TCP Port # | Purpose |
|---|---|---|---|
| Splunk Server | BeyondTrust Appliance B Series | 443 | Session event data pulled from the Reporting API |
| BeyondTrust Appliance B Series | Splunk Server | 6514 | Syslog event information from the B Series Appliance |

Configure Remote Support

The Splunk integration supports consumption of syslog output directly from the B Series Appliance.

To enable this, follow the steps below to create the syslog feed, verify the API is enabled, and create an OAuth API account.

Create the syslog feed

  1. Sign into your Remote Support appliance (B Series Appliance for Remote Support On-Premises users, or the virtual appliance for Remote Support Cloud users).

  2. From the top menu, click Security > Appliance Administration.
    The Syslog page displays.
    The image below is modified to show only the relevant Syslog section on the page.

  3. In the Syslog section, enter the hostname or IP address for your Remote Syslog Server.

  4. Select your preferred message format.

    ⚠️

    We highly recommend Syslog over TLS.

  5. For Syslog over TLS message formats:

    1. Obtain the trusted certificate configured for your Splunk listener/input.
    2. Click Choose File.
    3. Navigate to your trusted certificate.
    4. Click Open.
      The file uploads to the site.

      📘

      Note

      Because Splunk Cloud does not natively support inputs, you must use a forwarder (such as Splunk's Universal Forwarder).

      Refer to Splunk documentation and support for guidance on configuring a certificate for the input or forwarder.

  6. Click Submit.
    The syslog feed is created.
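
Before uploading the certificate in step 5, it helps to confirm that the Splunk listener on TCP 6514 actually presents a certificate that validates against that file. The following is an added example, not BeyondTrust or Splunk code; the host name and PEM file name are placeholders, and it applies Python's verification rules (including host name matching), which may be stricter than the appliance's.

```python
import socket
import ssl


def check_tls_listener(host, port=6514, cafile=None, timeout=5.0):
    """Handshake with a syslog-over-TLS listener and report the outcome.

    cafile: PEM file you intend to upload to the appliance (None = system
    trust store). Returns a dict with "ok" and, on failure, the failing stage.
    """
    try:
        # With cafile set, only that file is trusted, not the system store.
        ctx = ssl.create_default_context(cafile=cafile)
    except OSError as exc:  # missing file, or no parsable certificate in it
        return {"ok": False, "stage": "load_ca", "error": str(exc)}
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "protocol": tls.version(),
                        "subject": cert.get("subject"),
                        "not_after": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "stage": "verify", "error": exc.verify_message}
    except ssl.SSLError as exc:
        return {"ok": False, "stage": "handshake", "error": str(exc)}
    except OSError as exc:  # refused, timed out, DNS failure
        return {"ok": False, "stage": "connect", "error": str(exc)}


if __name__ == "__main__":
    # Placeholder host and file name (assumptions); substitute your own.
    print(check_tls_listener("splunk.example.com", 6514, "splunk-listener.pem"))
```

A "verify" failure means the listener answered but its chain does not validate against the file, which is the case to resolve before clicking Submit.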

Verify the API is enabled

This integration requires the BeyondTrust XML API to be enabled. This feature is used by the BeyondTrust Middleware Engine to communicate with the BeyondTrust APIs.

  1. Sign into Remote Support for Admins.

  2. From the left menu, click Management.
    The Management page displays.

  3. From the top menu, click API Configuration.
    The API Configuration page displays.

  4. Verify that Enable XML API is checked.

Create an OAuth API account

The Splunk API account is used from within Splunk to make Remote Support Command API calls to Remote Support.

  1. Sign into Remote Support for Admins.

  2. From the left menu, click Management.
    The Management page displays.

  3. From the top menu, click API Configuration.
    The API Configuration page displays.

  4. In the API Account section, click Add.
    The Add API Configuration page displays.

  5. Check Enabled.

  6. Enter a name for the account.

    📘

    Note

    The OAuth Client ID and OAuth Client Secret are used during the OAuth configuration step in Splunk.

  7. Under Permissions, select the following:

    • Reporting API: Allow Access to Support Session Reports and Recordings and Allow Access to Presentation Session Reports and Recordings
  8. Click Save at the top of the page.
    The OAuth API account is created.

Configure Splunk

The integration application is available on Splunkbase. You must log in to your Splunk account to download the application.

Once the new application is installed, follow these steps in the app to configure it:

  1. In the list of Splunk Apps, click the new BeyondTrust Remote Support option.
  2. On the BeyondTrust Remote Support Inputs page, click Create New Input.
  3. Enter the required input information:
    • Name: Desired unique input name.
    • Interval: Desired polling interval. A short polling interval can result in poor performance. At least 60 seconds is recommended.
    • Index: Must be beyondtrust_rs. Create this index if it does not already exist.
    • RS Site hostname: Your Remote Support hostname. Do not include the protocol (https://) or other URL components. This value must be the hostname only. For example, support.example.com.
    • Client ID: Your previously configured Client ID.
    • Client Secret: Your previously configured Client Secret.
  4. Click Add.
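
A pre-flight check for the RS Site hostname, Client ID and Client Secret entered in step 3, as an added example rather than code from the BeyondTrust app. It enforces the hostname-only rule and builds an OAuth client-credentials request; the `/oauth2/token` path, the Basic-auth form and the JSON response are assumptions not stated on this page, and the function names are hypothetical.

```python
import base64
import json
import re
import urllib.parse
import urllib.request

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_rs_hostname(value):
    """Return the bare hostname in lower case, or raise ValueError."""
    host = value.strip().rstrip(".")
    # Protocol, port, path, query, fragment and userinfo are all rejected.
    if any(c in host for c in "/?#@:"):
        raise ValueError("enter the hostname only, without protocol, port or path")
    labels = host.split(".")
    if len(host) > 253 or not all(_LABEL.match(label) for label in labels):
        raise ValueError("not a valid hostname: %r" % value)
    return host.lower()


def build_token_request(rs_hostname, client_id, client_secret):
    """Build, without sending, the client-credentials token request."""
    host = validate_rs_hostname(rs_hostname)
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(
        f"https://{host}/oauth2/token",  # assumed token path
        data=body,
        method="POST",
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def fetch_token(request, timeout=10):
    """Send the request with default certificate verification.

    Assumes a JSON response body. Do not log the request or the result:
    both carry credentials.
    """
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.load(resp)
```

An HTTP 401 from `fetch_token` points at the Client ID or Client Secret, or at an API account that is not enabled, while a certificate error points at the appliance's TLS certificate on port 443.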
