Audit Stream → Splunk HEC
Forward every Aegis audit event into Splunk via the HTTP Event Collector (HEC). Paste-and-go: no Splunk app to install, no custom forwarder, no search-time field extractions required (Splunk auto-extracts the JSON).
What you'll need
| Item | Where to get it |
|---|---|
| Splunk HEC URL | https://<your-splunk-host>:8088/services/collector/event |
| HEC token | Splunk Web → Settings → Data Inputs → HTTP Event Collector → New Token |
| Index | Any index your HEC token has write access to (e.g. aegis_audit) |
1. Create the HEC token in Splunk
In Splunk Web:
- Settings → Data Inputs → HTTP Event Collector → New Token
- Name: aegis-audit-stream
- Source type: _json (or create a new sourcetype aegis:audit based on _json for nicer field display)
- Index: aegis_audit (or your preferred index)
- Enable indexer acknowledgment: off (Aegis treats the HTTP 2xx response as delivery confirmation and does not query for acks)
- Copy the token; you'll paste it into Aegis next.
If you haven't enabled HEC globally yet: Settings → Data Inputs → HTTP Event Collector → Global Settings → All Tokens: Enabled.
2. Configure the Aegis destination
curl -X POST https://api.aegispreflight.com/api/orgs/${ORG_ID}/forwarding-destinations \
-H "Authorization: Bearer ${AEGIS_API_KEY}" \
-H "Content-Type: application/json" \
-d '{
"url": "https://splunk.example.com:8088/services/collector/event",
"auth_header_name": "Authorization",
"auth_header_value": "Splunk YOUR-HEC-TOKEN-UUID-HERE"
}'
Note the Splunk prefix
Splunk HEC expects Authorization: Splunk <token> — the literal word
Splunk followed by a space, then your HEC token.
3. Test the wiring
curl -X POST \
https://api.aegispreflight.com/api/orgs/${ORG_ID}/forwarding-destinations/${DEST_ID}/test \
-H "Authorization: Bearer ${AEGIS_API_KEY}"
Expected: a response with ok: true (the Troubleshooting section lists the ok: false cases and their status_code values).
Then in Splunk search:
index=aegis_audit aegis.test=true
You should see one event with aegis.test=true and the message "If you can read this, your Aegis Audit Stream is wired up."
Sample Splunk searches
Once real audit events are flowing:
# All preflight decisions in the last hour
index=aegis_audit aegis.decision=* earliest=-1h
| stats count by aegis.decision
# SSN detections by source
index=aegis_audit aegis.finding_counts_by_type.SSN>0
| stats sum(aegis.finding_counts_by_type.SSN) AS ssns_detected by aegis.source_type
# Blocked events with policy attribution
index=aegis_audit aegis.decision=BLOCKED
| table _time, aegis.actor_id, aegis.destination, aegis.policy_id, aegis.summary
# Per-user PII exposure over 24h
index=aegis_audit aegis.actor_id=* earliest=-24h
| stats sum(aegis.finding_counts_by_type.SSN) AS ssn,
sum(aegis.finding_counts_by_type.EMAIL) AS email,
sum(aegis.finding_counts_by_type.CREDIT_CARD) AS cc
by aegis.actor_id
| sort -ssn
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| test returns ok: false, status_code: 401 | Authorization header missing or malformed, most often the missing Splunk prefix | Confirm the auth header is Authorization: Splunk <token> |
| test returns ok: false, status_code: 403 | Splunk rejected the token itself (mistyped, or the token is disabled). A token that is not allowed to write to the target index returns 400 Incorrect index instead. | Re-copy the token and confirm it is enabled; on 400, edit the HEC token in Splunk and grant write to your target index |
| test returns ok: false, network error | HEC URL unreachable from Aegis cloud | Splunk HEC must be reachable from the public internet. If Splunk is in a private VPC, expose it via a load balancer or use Splunk Cloud HEC. |
| last_error shows HTTP 503: Server is busy | HEC indexer queue full | Splunk-side capacity issue; Aegis will retry automatically |
| Events appear with sourcetype=_json but fields aren't parsed | Default _json sourcetype needs tuning | Create an aegis:audit sourcetype and map it on the HEC token |
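When the Aegis test fails, it helps to take Aegis out of the loop and hit HEC directly from your own machine with the same token, URL and index from step 1, because Splunk's JSON reply carries a numeric code that pins down which of the causes above you are looking at. The script below is an added example written for this page, not Aegis or Splunk code; the SPLUNK_HEC_URL, SPLUNK_HEC_TOKEN, SPLUNK_INDEX, SPLUNK_SOURCETYPE and SPLUNK_HEC_INSECURE environment variables and the hec-smoke-test host/source values are its own conventions, and the event it sends is constructed to use the same aegis.test field as the Aegis test event.

```python
"""Splunk HEC smoke test, independent of Aegis (added example, not Aegis or Splunk code)."""
import json
import os
import ssl
import sys
import time
import urllib.error
import urllib.request

# Reply codes Splunk returns in the HEC JSON body (subset of Splunk's documented list).
HEC_CODES = {
    0: "success",
    1: "token disabled",
    2: "token is required (no Authorization header)",
    3: "invalid authorization (header present but not 'Splunk <token>')",
    4: "invalid token (wrong or mistyped token value)",
    5: "no data",
    6: "invalid data format",
    7: "incorrect index (token is not allowed to write to this index)",
    8: "internal error",
    9: "server is busy (indexer queue full; retry later)",
    17: "HEC is disabled (Global Settings -> All Tokens: Enabled)",
}


def build_hec_request(token, index, sourcetype, event, event_time=None):
    """Return (headers, payload) for one POST to /services/collector/event."""
    payload = {
        "time": event_time if event_time is not None else round(time.time(), 3),
        "host": "hec-smoke-test",      # constructed host/source so the event is easy to find
        "source": "hec-smoke-test",
        "sourcetype": sourcetype,
        "index": index,
        "event": event,
    }
    headers = {
        # The literal word Splunk, one space, then the token (not Bearer).
        "Authorization": "Splunk " + token,
        "Content-Type": "application/json",
    }
    return headers, payload


def explain_hec_response(status, body_text):
    """Translate the HTTP status and HEC JSON reply into the likely cause."""
    try:
        code = json.loads(body_text).get("code")
    except (ValueError, AttributeError):
        code = None
    if status == 200 and code == 0:
        return "ok: event accepted"
    if code is None:
        return f"HTTP {status}: non-HEC reply, check that the URL ends in /services/collector/event"
    detail = HEC_CODES.get(code, f"unknown HEC code {code}")
    return f"HTTP {status}: {detail}"


def send_hec_event(hec_url, headers, payload, verify_tls=True, timeout=10):
    """POST the event; return (status, body_text). Raises URLError if HEC is unreachable."""
    ctx = ssl.create_default_context()
    if not verify_tls:                 # only for self-signed lab instances
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(hec_url, data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 4xx/5xx replies still carry the HEC JSON body
        return err.code, err.read().decode()


if __name__ == "__main__":
    hec_url = os.environ["SPLUNK_HEC_URL"]  # https://<host>:8088/services/collector/event
    token = os.environ["SPLUNK_HEC_TOKEN"]
    index = os.environ.get("SPLUNK_INDEX", "aegis_audit")
    sourcetype = os.environ.get("SPLUNK_SOURCETYPE", "_json")
    # Same field shape as the Aegis test event, so index=aegis_audit aegis.test=true finds it.
    event = {"aegis": {"test": True, "message": "HEC smoke test sent directly, not via Aegis"}}
    headers, payload = build_hec_request(token, index, sourcetype, event)
    try:
        status, body = send_hec_event(hec_url, headers, payload,
                                      verify_tls=os.environ.get("SPLUNK_HEC_INSECURE") != "1")
    except urllib.error.URLError as err:
        sys.exit(f"network error: {err.reason} (HEC unreachable at this URL/port)")
    print(explain_hec_response(status, body))
    sys.exit(0 if status == 200 else 1)
```

If this script gets ok but the Aegis test still fails with a network error, the problem is reachability from the Aegis cloud rather than the token; if both fail with the same HEC code, fix the token or index in Splunk first. Find the event afterwards with index=aegis_audit aegis.test=true source=hec-smoke-test.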
Splunk Cloud notes
For Splunk Cloud, the HEC URL is typically:
Everything else is identical. HEC tokens are created in Settings → Data Inputs → HTTP Event Collector the same way.