Splunk Integration Guide
Logster Support's product materials list the Splunk Universal Forwarder as one of the supported endpoint log shippers for both Windows and Linux environments. This page is a placeholder for the step-by-step integration procedure.
For the complete list of supported ingestion agents, see Key Features: Data Ingestion.
Status
TBD — this guide is a stub.
A canonical Splunk integration procedure for Logster has not yet been documented and verified. Do not follow speculative steps here — the exact path for getting Splunk-collected events onto Logster's Kafka topics depends on your Splunk topology and on Logster Support's published integration guidance.
Contact Logster Support Customer Services or the engineering team for a supported integration pattern, then populate this guide with a procedure that has been tested end-to-end in a real deployment.
What this guide should cover
When this stub is filled in, it should document:
- Architecture. How events flow from the endpoint Splunk Universal Forwarder to Logster's raw Kafka topics, including any intermediate components (Heavy Forwarder, HEC, bridge service, Splunk Connect for Kafka, etc.). Note that Splunk Connect for Kafka is a Kafka Connect sink that moves data from Kafka topics into Splunk, so on its own it does not carry UF-collected events onto Logster's topics; if it appears in the design, the guide should state what role it plays.
- Prerequisites. Exact Splunk, UF, and Logster versions verified to interoperate. Any required add-ons.
- Sysmon collection configuration. The `inputs.conf` stanzas that collect the Sysmon operational channel in the event shape Logster's normalizer expects (services/normalizer/).
- Linux auditd and eBPF collection. Equivalent instructions for Linux endpoints.
- Kafka target configuration. How the chosen bridge or forwarder is pointed at `kafka.brokers` from deploy/service-config.yaml, with SASL/SSL credentials in production — see Security Guide: Configuration.
- Topic mapping. Which Splunk source maps to which Logster raw topic:
| Source | Logster topic |
|---|---|
| Windows Sysmon | sysmon-logs |
| Linux auditd | linux-auditd-logs |
| Linux eBPF — processes | linux-ebpf-process-logs |
| Linux eBPF — files | linux-ebpf-file-logs |
| Linux eBPF — network | linux-ebpf-network-logs |
(The topic names above are verified against deploy/service-config.yaml.)
- Event shape requirements. The exact JSON / serialized form Logster's normalizer accepts on each raw topic. Confirm by reading services/normalizer/src/logster_normalizer/parsers.py or by tailing the normalizer container's logs for parse errors.
- End-to-end verification. Commands to confirm events are arriving in logster-events and inferences are landing in logster-inferences.
- Troubleshooting. Splunk-specific failure modes that don't appear in the general Troubleshooting Guide.
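As an added example, not Logster's own code and not a verified integration step: the transformation a bridge service between Splunk and Kafka would have to perform for the Windows row of the table above. The Splunk UF renders Windows events as XML when `renderXml = true` is set on the WinEventLog input; the code below flattens one Sysmon event into JSON and routes it to the topic from the mapping table. The flat key names (`EventID`, `Provider.Name`, the Sysmon field names taken from `Data Name=`) and the sample event are assumptions made for illustration; the shape Logster's normalizer actually accepts must be confirmed in services/normalizer/src/logster_normalizer/parsers.py before anything like this is used.

```python
"""Flatten a Sysmon event as rendered by the Splunk UF (renderXml = true)
into a JSON object and pick its Logster raw topic.

Added example, not Logster's code. The output key names are an assumption;
confirm the real shape in services/normalizer/src/logster_normalizer/parsers.py.
"""
import json
import xml.etree.ElementTree as ET

# Windows row of this page's topic table: Splunk WinEventLog channel -> Logster
# raw topic. The Linux rows are not collected via WinEventLog, so they are not here.
TOPIC_BY_CHANNEL = {
    "Microsoft-Windows-Sysmon/Operational": "sysmon-logs",
}

WINEVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"


def _local(tag: str) -> str:
    """Strip the Windows event XML namespace from an element tag."""
    return tag[len(WINEVT_NS):] if tag.startswith(WINEVT_NS) else tag


def parse_sysmon_xml(xml_text: str) -> dict:
    """Parse one <Event> document into a flat dict.

    System/* children become top-level keys (EventID, Computer, Channel, ...);
    attributes of System children are folded in as Child.Attr (for example
    Provider.Name, TimeCreated.SystemTime). EventData/Data elements are keyed
    by their Name attribute. Untrusted XML should go through defusedxml in
    production; stdlib ElementTree is used here so the example runs as-is.
    """
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "Event":
        raise ValueError(f"expected <Event>, got <{_local(root.tag)}>")
    event: dict = {}
    for section in root:
        name = _local(section.tag)
        if name == "System":
            for child in section:
                cname = _local(child.tag)
                if child.text and child.text.strip():
                    event[cname] = child.text.strip()
                for attr, value in child.attrib.items():
                    event[f"{cname}.{attr}"] = value
        elif name == "EventData":
            for data in section:
                key = data.attrib.get("Name")
                if key:  # a Data element without a Name has no field identity
                    event[key] = data.text or ""
    return event


def route(event: dict) -> str:
    """Pick the Logster raw topic for a parsed event. Unknown channels are
    rejected rather than guessed, so nothing lands silently on the wrong topic."""
    channel = event.get("Channel", "")
    try:
        return TOPIC_BY_CHANNEL[channel]
    except KeyError:
        raise ValueError(f"no Logster topic mapped for channel {channel!r}") from None


def to_kafka_record(xml_text: str) -> tuple[str, bytes]:
    """Return (topic, JSON-encoded value) for one rendered event."""
    event = parse_sysmon_xml(xml_text)
    return route(event), json.dumps(event, sort_keys=True).encode("utf-8")


# Constructed sample (not a captured event): a Sysmon Event ID 1, process
# create, in the XML form the UF emits with renderXml = true.
SAMPLE_EVENT_XML = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Sysmon'/>
    <EventID>1</EventID>
    <TimeCreated SystemTime='2024-01-15T10:23:45.123456700Z'/>
    <EventRecordID>12345</EventRecordID>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>host01.example.local</Computer>
  </System>
  <EventData>
    <Data Name='RuleName'>-</Data>
    <Data Name='ProcessId'>4242</Data>
    <Data Name='Image'>C:\Windows\System32\cmd.exe</Data>
    <Data Name='CommandLine'>cmd.exe /c whoami</Data>
    <Data Name='ParentImage'>C:\Windows\explorer.exe</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    topic, value = to_kafka_record(SAMPLE_EVENT_XML)
    print(topic)
    print(value.decode("utf-8"))
```

Run it directly to see the topic and the flattened JSON for the constructed event. Rejecting unmapped channels in `route` is deliberate: a bridge that defaults to some topic would hide a misconfigured `inputs.conf` stanza until the normalizer starts logging parse errors.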
Alternatives to Splunk UF
In environments without an existing Splunk deployment, the other supported ingestion agents may be simpler:
- Elastic Winlogbeat — Windows-native, ships to Kafka via its Kafka output.
- rsyslog — Linux-native, with the `omkafka` output module.
- syslog-ng — the other widely-deployed Linux syslog daemon, with a Kafka destination driver.
- Windows Subscription Logging — forwarded Windows Event Collector subscriptions.
See Key Features: Data Ingestion for the full list from Logster Support's product materials.
Custom integrations
Logster Support's product materials note that the engineering team can be engaged for custom logging and integration work for security big-data collection. For Splunk topologies that do not fit a standard pattern, contact Logster Support Customer Services with your topology diagram and a sample of your current Sysmon / auditd events.
Where to go next
- Admin Guide: Installation — stand up a Logster stack before attempting integration.
- Key Features: Data Ingestion — the full ingestion agent matrix.
- Troubleshooting Guide — general pipeline failure modes.