UpGuard's API can be used to generate endless possibilities of log outputs for integration with Splunk. In this tutorial, we will generate daily vulnerability definitions with a Python script, to call UpGuard's API through the Splunk platform, and demonstrate the use of Splunk's search API on the UpGuard console.


If you simply want to post events into your Splunk instance from the UpGuard Event stream, please visit our guide on How to log events to Splunk.


To set up a Splunk Integration with UpGuard, a Splunk search URL is required.

Adding a Splunk Integration

  1. To start, go to Control > Integrations. w800

  2. Click on Add Integration. w800

  3. Select Splunk. w800

  4. Fill in the relevant fields.


  5. Your integration has now been successfully added to the list of integrations you may have.


Setting up UpGuard Scripts on Splunk

  1. Navigate to your Splunk instance and begin adding a new Data Input/Source.

    You may find the Python script for this tutorial on Github. For using the UpGuard API, refer to our API documentation.


  2. Choose the Monitor option for adding a data source.


  3. Click on Scripts, and choose the path to the location of the python script that is used for calling UpGuard APIs.

    Under the Command field, you may pass in arguments in addition to running the script. You may choose to create a file from the script directly, or use the command line to generate a file output. The default location to put custom scripts in Splunk is located in $SPLUNK_HOME/bin/scripts.


  4. Using the command line, we want to run the script such that it generates a file for monitoring on the Splunk instance:

    pull_data_into_splunk.py -vuln_reported_type day >> $SPLUNK_HOME/output.json

    The Interval field sets how often to run this script, which accepts a cron job format or values to indicate the time in seconds passed until the next run.

  5. In the next step, choose _json under the Source Type as shown:


  6. Fill in the values for Host and Index as stated on Splunk.


Setting up Monitoring of a File on Splunk

Monitoring of a file is fairly straightforward. Similar to the steps outlined in the previous section, we now want to monitor a file that is generated by the script that is scheduled.


  1. Select Files & Directories instead of Scripts.

  2. Navigate using the file directory browser and choose the file that you want to monitor, in this case: $SPLUNK_HOME/output.json

  3. In the next step, choose _json under the Source Type.

  4. When you have completed adding the new data source, you should be able to verify that a new Host is displayed on the Splunk console.


  5. You may search on the defined host, and verify that all the vulnerabilities are being generated by the script.


Splunk Integration on UpGuard

Now that we have set up Splunk to call UpGuard’s API, we now want to demonstrate that vulnerability definitions can be searched through the UpGuard console directly into Splunk. In this demonstration example, we are looking at a Windows Server 2012 Node that is scanned via WinRM, which contains several vulnerabilities.

  1. Navigate to a specific host that we have already scanned. In this case, the hostname of the node we chose will be upguard_vulnerabilties_api

  2. Right click on a vulnerability that you may want to search on Splunk, followed by: Lookup > Splunk


  3. A new tab should open and navigate you straight to the search console of Splunk where you may view all the relevant vulnerabilities for that Node.


What Next?

If you want to post events from UpGuard’s event stream into Splunk, please visit our guide on How to log events to Splunk.

Tags: splunk