As of version 7.0, Change Auditor can forward events to Splunk. To configure Splunk to receive events from Change Auditor, you first need to create an HTTP Event Collector (HEC) token in your Splunk instance:
- Within Splunk, navigate to Settings | Data Inputs | HTTP Event Collector. Under Global Settings, ensure that All Tokens is set to Enabled, and that Enable SSL is checked so the token does not travel in clear text
- Click New Token and complete the steps in the wizard
- Copy the token. This value is required to create the Splunk subscription in Change Auditor. Treat it as a secret: the HEC token is a bearer credential, and anyone who holds it can submit events to your Splunk instance
Next, you need to create a Splunk Subscription in Change Auditor:
- Open the CA Client
- Click View | Administration
- From the Administration Tasks, select Configuration | Event Subscriptions
- Click Add to enter the required information
- Specify where to send the event data by entering the event URL. This is the URL of your Splunk HEC endpoint (typically https://<splunk host>:8088/services/collector/event); use HTTPS, not HTTP
- Enter the event token
- Splunk uses this token to authenticate the sender: the HEC accepts event data only when the request carries a valid, enabled token. The token value is the one created during the Splunk configuration above
- Click Next to select the events to forward by subsystem and event date. Once set, these selections cannot be changed by editing the subscription
- By default, events start sending as soon as the subscription is created. To change when to begin sending events, click Send events starting and select the desired date and time. The time cannot be more than 30 days prior to the Change Auditor 7.0 installation date
- Select the subsystems to include in the subscription
- Click Finish
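Before creating the subscription it is worth confirming that the event URL and token actually work, because a disabled token or an HTTP (non-TLS) endpoint will only show up later as silently missing events. The following pre-flight check is an added example, not Change Auditor or Splunk code. It posts one constructed test event to the HEC endpoint using the same "Authorization: Splunk <token>" header and JSON body that any HEC client sends, refuses non-HTTPS URLs, and translates Splunk's response codes into a readable verdict. The sourcetype name is a placeholder; the URL and token are supplied on the command line.

```python
"""Pre-flight check for a Splunk HTTP Event Collector (HEC) token.

Added example; not part of Change Auditor or Splunk. Posts one constructed
test event with the token Change Auditor will use, so a bad URL, a disabled
token, or a clear-text http:// endpoint is caught before the subscription is
created. build_hec_request() and interpret_hec_response() are pure helpers;
only send_test_event() performs network I/O.
"""
import json
import ssl
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Splunk HEC "code" values as returned in the JSON response body.
HEC_CODES = {
    0: "Success",
    1: "Token disabled",
    2: "Token is required",
    3: "Invalid authorization",
    4: "Invalid token",
    5: "No data",
    6: "Invalid data format",
    7: "Incorrect index",
    8: "Internal server error",
    9: "Server is busy",
}


def check_event_url(url):
    """Reject URLs that would leak the token: HEC tokens are bearer credentials,
    so the event URL must be https://. Returns the parsed URL."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError(f"event URL must use https://, got {parsed.scheme!r}")
    if not parsed.path.startswith("/services/collector"):
        raise ValueError("event URL path should start with /services/collector")
    return parsed


def build_hec_request(url, token, event):
    """Build the HEC POST: 'Authorization: Splunk <token>' plus a JSON body
    whose 'event' key carries the payload. Returns (headers, body_bytes)."""
    check_event_url(url)
    headers = {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }
    body = json.dumps({
        "event": event,
        "sourcetype": "changeauditor:preflight",  # hypothetical sourcetype
    }).encode()
    return headers, body


def interpret_hec_response(status, body):
    """Map an HTTP status and HEC JSON body to (accepted, message)."""
    try:
        code = json.loads(body).get("code")
    except (ValueError, AttributeError):
        code = None
    text = HEC_CODES.get(code, f"unknown HEC code {code}")
    if status == 200 and code == 0:
        return True, text
    if status in (401, 403):
        # Token missing, wrong, or disabled: re-check Global Settings > All
        # Tokens and the individual token's Enabled state in Splunk.
        return False, f"token rejected: {text} (HTTP {status})"
    return False, f"HEC error: {text} (HTTP {status})"


def send_test_event(url, token, verify_tls=True):
    """POST one constructed test event and return the interpreted result."""
    event = {"message": "Change Auditor HEC pre-flight", "constructed": True}
    headers, body = build_hec_request(url, token, event)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab instance with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return interpret_hec_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return interpret_hec_response(err.code, err.read())


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: hec_preflight.py https://<splunk host>:8088/services/collector/event <token>")
    ok, msg = send_test_event(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "FAILED: ") + msg)
    sys.exit(0 if ok else 1)
```

Run it with the same event URL and token you are about to enter in the Change Auditor subscription wizard. A 200/"Success" result means the collector is reachable and the token is accepted; a 401 or 403 means the token is wrong or disabled, which is what you would otherwise discover only when no events arrive. After a successful run, search Splunk for sourcetype="changeauditor:preflight" to confirm the event was indexed where you expect.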
For more information, see the "Managing a Splunk integration" section of the Change Auditor SIEM Integration Guide.