One of the best features of Splunk is the ability to configure a nearly endless number of actions based on your log data. This tutorial will guide you through a simple example of using a Webhook action in Splunk to notify users of a successful authentication to a system.
The environment we’ll be using is the one that’s built out in my Splunk course, “Getting to Know Splunk: The Hands-On Administration Guide”. If you haven’t taken this and want to learn more about how to get started with Splunk, I’d highly recommend checking it out.
For those who prefer a more audio-visual style of learning, I’ve created a screencast that walks you through this process as well!
Suppose you have a server you manage and you know you should be the only user with any SSH access to the machine. Therefore, you want to be notified of any successful logins to this machine. Also, since you believe in living dangerously, you don’t have a host firewall configured on this system. We won’t question your motives, but assume you have a good reason to do this.
A Splunk environment containing the data you want to alert on:
- For this example, we’ll be using the Ubuntu authentication log at /var/log/auth.log.
An available Webhook to catch your alert:
- A webhook is a mechanism that lets one application send information to another in real time. This allows data (in this case, from Splunk) to be pushed to some other application as soon as a relevant search or alert finishes running. Anyone who knows the webhook URL can post to it, so treat the URL as a secret and only use an HTTPS endpoint.
- For this example, I’ll be using Zapier (https://zapier.com/).
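To make the two prerequisites concrete, here is an added example (not code from the original post or from Splunk) that does by hand what the alert will do: it picks the "Accepted ..." lines sshd writes to /var/log/auth.log out of a few constructed sample log lines, and wraps each match in a JSON body shaped like the one Splunk's webhook alert action posts (field names sid, search_name, app, owner, results_link and result are taken from Splunk's webhook documentation; confirm them against your version). The host name, user names, IP addresses and the commented-out Zapier URL are all assumptions.

```python
import json
import re
import urllib.request

# Line sshd logs on a successful login, e.g.
# "Jan 12 10:15:40 web01 sshd[2205]: Accepted publickey for ops from 203.0.113.5 port 51234 ssh2: ..."
# Failed logins, session-open lines and disconnects do not match this pattern.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<port>\d+)"
)

# Constructed sample of /var/log/auth.log (not captured from a real host).
SAMPLE_AUTH_LOG = """\
Jan 12 10:15:32 web01 sshd[2201]: Failed password for invalid user admin from 198.51.100.9 port 51002 ssh2
Jan 12 10:15:40 web01 sshd[2205]: Accepted publickey for ops from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:AbC123
Jan 12 10:15:40 web01 sshd[2205]: pam_unix(sshd:session): session opened for user ops by (uid=0)
Jan 12 10:16:02 web01 sshd[2219]: Accepted password for root from 198.51.100.7 port 4444 ssh2
Jan 12 10:16:10 web01 sshd[2230]: Disconnected from user ops 203.0.113.5 port 51234
"""


def successful_logins(log_text):
    """Return one dict (ts, host, pid, method, user, src_ip, port) per successful SSH login."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            hits.append(m.groupdict())
    return hits


def build_webhook_payload(search_name, result, sid="scheduler__example", results_link=None):
    """Body the webhook receiver would see for one alert result.

    Field names follow Splunk's documented webhook JSON body; the sid and
    results_link values here are placeholders (assumption), Splunk fills in real ones.
    """
    return {
        "sid": sid,
        "search_name": search_name,
        "app": "search",
        "owner": "admin",
        "results_link": results_link,
        "result": result,
    }


def post_to_webhook(url, payload, timeout=5):
    """POST the payload as JSON, the way Splunk's webhook action does. Returns the HTTP status."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"}, method="POST"
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    for hit in successful_logins(SAMPLE_AUTH_LOG):
        payload = build_webhook_payload("Successful SSH login", hit)
        print(json.dumps(payload, indent=2))
        # Hypothetical Zapier catch-hook URL; keep the real one secret and use HTTPS.
        # post_to_webhook("https://hooks.zapier.com/hooks/catch/<id>/<key>/", payload)
```

Run against the sample, the script finds two successful logins (the publickey login for ops and the password login for root) and ignores the failed attempt, the PAM session line and the disconnect. The root login from an unfamiliar address is exactly the kind of event the alert in this tutorial is meant to surface.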
Let’s Get Started
Splunk makes this process pretty easy. Here’s how you do it:
1. Verify that your data is in Splunk, and write a search that will serve as the trigger for your alert.
In this example, the search below would cover what we’re looking for: