
Configure the syslog data connection

The CylancePROTECT Application for Splunk can consume real-time syslog data from the Cylance console. To send these events to Splunk, syslog forwarding needs to be enabled and configured within Splunk and in the Cylance console. For more information about how to configure forwarding, see Configure Splunk indexing and forwarding to use TLS certificates.
  1. In Splunk, on the Splunk menu bar, click Settings > Data Inputs > TCP.
     For multi-tenant configuration, each tenant will require its own stanza in inputs.conf, and each tenant requires its own port. For example, if there are two tenants, CompanyOne and CompanyTwo, the inputs.conf file should follow the model below:

       [tcp-ssl://6514]
       disabled = false
       sourcetype = syslog_protect
       source = CompanyOne
       index = cylance_protect

       [tcp-ssl://6515]
       disabled = false
       sourcetype = syslog_protect
       source = CompanyTwo
       index = cylance_protect

  2. In the Port 6515 row, in the Status column, click Enable.
  3. In the Cylance console, on the menu bar, click Settings > Application.
  4. Select the Syslog/SIEM check box.
  5. Choose the desired event types.
  6. In the SIEM drop-down list, click Splunk.
  7. In the Protocol drop-down list, click TCP.
  8. In the IP/Domain field, type the IP address or FQDN of your forwarder or Splunk environment.
  9. In the Port field, type the port number of your Splunk environment.
  10. Click Save.
Optionally, to encrypt the syslog data connection with SSL, see Configuring the syslog data connection over SSL in Splunk.
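The multi-tenant inputs.conf model in step 1 is easy to get subtly wrong: two tenants sharing a port, a stanza left as plaintext tcp:// instead of tcp-ssl://, or a stanza whose source does not name exactly one tenant. The following script is an added example (it is not part of the BlackBerry documentation or the CylancePROTECT Application for Splunk) that parses an inputs.conf file written in the layout shown above and reports those mistakes before the file is deployed. It assumes only the stanza keys that appear on this page (disabled, sourcetype, source, index) and that the tenant name is carried in source; both sample configurations are constructed for the example.

```python
"""Sanity-check a multi-tenant Splunk inputs.conf for CylancePROTECT syslog inputs.

Added example; not part of the BlackBerry documentation or the Splunk app.
Assumes one [tcp-ssl://<port>] stanza per tenant with the keys shown on the
page: disabled, sourcetype, source (tenant name) and index.
"""
import re
from collections import Counter

# Stanza header: [tcp://<port>] or [tcp-ssl://<port>]
STANZA_RE = re.compile(r"^\[(?P<scheme>tcp(?:-ssl)?)://(?P<port>\d+)\]$")


def parse_inputs_conf(text):
    """Return one dict per stanza: 'scheme', 'port' (int) and the key/value settings."""
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = STANZA_RE.match(line)
        if match:
            current = {"scheme": match.group("scheme"), "port": int(match.group("port"))}
            stanzas.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas


def check_tenant_inputs(text):
    """Return a list of problems; an empty list means the file follows the documented model."""
    problems = []
    stanzas = parse_inputs_conf(text)
    port_counts = Counter(s["port"] for s in stanzas)
    source_counts = Counter(s.get("source") for s in stanzas)
    for s in stanzas:
        label = f"[{s['scheme']}://{s['port']}]"
        if s["scheme"] != "tcp-ssl":
            # Plaintext TCP exposes the syslog stream in transit; the page's model uses tcp-ssl.
            problems.append(f"{label}: plaintext tcp input; use tcp-ssl so the syslog stream is encrypted in transit")
        if port_counts[s["port"]] > 1:
            problems.append(f"{label}: port {s['port']} is shared by more than one tenant; each tenant needs its own port")
        if not s.get("source") or source_counts[s.get("source")] > 1:
            problems.append(f"{label}: 'source' must name exactly one tenant")
        if s.get("sourcetype") != "syslog_protect":
            problems.append(f"{label}: sourcetype should be syslog_protect so the app's parsing applies")
        if not s.get("index"):
            problems.append(f"{label}: no index set; events would land in the default index")
        if s.get("disabled", "false").lower() != "false":
            problems.append(f"{label}: input is disabled")
    return problems


# Constructed sample: the two-tenant layout from the documentation.
GOOD_CONF = """\
[tcp-ssl://6514]
disabled = false
sourcetype = syslog_protect
source = CompanyOne
index = cylance_protect

[tcp-ssl://6515]
disabled = false
sourcetype = syslog_protect
source = CompanyTwo
index = cylance_protect
"""

# Constructed sample with two mistakes: a plaintext stanza and a port reused by both tenants.
BAD_CONF = """\
[tcp://6514]
disabled = false
sourcetype = syslog_protect
source = CompanyOne
index = cylance_protect

[tcp-ssl://6514]
disabled = false
sourcetype = syslog_protect
source = CompanyTwo
index = cylance_protect
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        found = check_tenant_inputs(conf)
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it against your own inputs.conf by reading the file into a string and passing it to check_tenant_inputs; an empty result means every tenant has its own tcp-ssl port, a unique source and the sourcetype and index the app expects.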