This document describes how to prepare a Docker Compose environment to test the integration between Wazuh and Splunk. For a detailed guide on how to integrate Wazuh with Splunk, please refer to the Wazuh documentation.
- Docker and Docker Compose installed.
- Clone the Wazuh repository and navigate to the
integrations/folder. - Run the following command to start the environment:
docker compose -f ./docker/compose.indexer-splunk.yml up -d
- If you prefer, you can start the integration with the Wazuh Manager as data source:
docker compose -f ./docker/compose.manager-splunk.yml up -d
The Docker Compose project will bring up the following services:
- 1x Events Generator (learn more in wazuh-indexer/integrations/tools/events-generator).
- 1x Wazuh Indexer (OpenSearch).
- 1x Logstash
- 1x Splunk
- 1x Wazuh Manager (optional).
For custom configurations, you may need to modify these files:
- docker/compose.indexer-splunk.yml: Docker Compose file.
- docker/.env: Environment variables file.
- splunk/logstash/pipeline/indexer-to-splunk.conf: Logstash Pipeline configuration file.
If you opted to start the integration with the Wazuh Manager, you can modify the following files:
- docker/compose.manager-splunk.yml: Docker Compose file.
- splunk/logstash/pipeline/manager-to-splunk.conf: Logstash Pipeline configuration file.
Check the files above for credentials, ports, and other configurations.
| Service | Address | Credentials |
|---|---|---|
| Wazuh Indexer | https://localhost:9200 | admin:admin |
| Splunk | https://localhost:8000 | admin:Password.1234 |
The dashboards for Splunk are included in this folder. The steps to import them to Splunk are the following:
- In the Splunk UI, go to
Settings>Data Inputs>HTTP Event Collectorand make sure that thehectoken is enabled and uses thewazuh-alertsindex. - Open a dashboard file and copy all its content.
- In the Splunk UI, navigate to
Search & Reporting,Dashboards, clickCreate New Dashboard, write the title and selectDashboard Studio, selectGridand click onCreate. - On the top menu, there is a
Sourceicon. Click on it, and replace all the content with the contents from one of the dashboard files underintegrations/splunk. After that, click onBackand click onSave. - Repeat the steps for all the desired dashboards.
Imported dashboards will appear under Search & Reporting > Dashboards.