The Slack Add-on for Splunk uses the Slack Audit Logs API to fetch Slack Enterprise Grid Audit Logs into Splunk.
The Audit Logs API is for monitoring the audit events happening in an Enterprise Grid organization to ensure continued compliance, to safeguard against any inappropriate system access, and to allow you to audit suspicious behavior within your enterprise.
The idea is to give Enterprise Grid organization owners the ability to query user actions in a workspace. With this API, you could:
Learn more about Monitoring with the Audit Logs API
This application can be installed an On-Prem or Cloud deployments of Splunk.
Install the TA on one of the Heavy Forwarder(s). Ensure to copy over eventtypes.conf, props.conf and tags.conf over to your search head to make sure field aliases, event types and tags for data model mapping comes through.
Create a support ticket with
APP-CERT reference to get the app installed on a Cloud instance OR follow the cloud-ops recommended set of actions to install non-published applications.
The configuration steps are common for
cloud. Please follow the following steps in order:
1. Open the Web UI for the Heavy Forwarder (or IDM).
2. Navigate to the Splunk Add on for Slack from the
Manage Apps Section. Be sure not to configure the inputs from the
Data Inputs section of Splunk, as this could lead to some unexpected failures.
3. Navigate to the
Configuration page of the Add-on and click on the
4. Enter a name in the
Slack Account name textbox.
5. Click on the
Add to Slack button to generate your Access Token, beginning with
xoxp (with scope
auditlogs:read). Follow the instructions below to generate this. If you brought your own, paste the Access Token here.
6. Click on
Add to save this configuration.
7. Navigate to the
8. Click on
Create New Input button on the top right corner.
9. Enter the following details:
- Name (required): Provide a unique name for the input.
- Interval (required): Provide a number in seconds for the query interval.
- Index (required): Select the index from the dropdown list. Set the default index to be
slack_audit, if using in conjuction with the Slack Audit App for Splunk.
- Start Time (required): Enter the time from which to begin querying, in the format
yyyy-mm-dd hh:mm:ss. The default has been set to
- Enterprise Slack Account (required): Select the Account configured on Step 6.
10. Click on
Add to save the input.
11. To check for any logs or errors, navigate to the
Search tab and enter the below search
Add to Slackbutton to initiate the Authentication flow.
Content and info about youand the
Administer Slack for your organizationoptions to see what the app can view. Should you see this screen, skip step 4 and proceed onto 5.
Allowto generate your access token.
Access Token Generatedpage, click on the
Copy Access Tokenbutton to copy the token to your clipboard and close the pop up window.
Access Tokentext box of your Input configuration page.
_last_accessed_url. This is an indication of an error that must have occurred in the previous run. The input can be restarted (Disable the input first and then enable it) after the cause of failure has been fixed, so it picks up the run from the recorded last successful run.
slack_audit, so that the dashboards on the app populate automatically.
Data Inputssection of Splunk, as this could lead to some unexpected failures.
_timedoes not match the field
date_create, ensure to add an additional line in props.conf under the
slack:auditstanza like shown below and deploy it to all indexers.
Fixed timestamp recognition to point to date_create field
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.