HashiCorp Cloud Platform
Enable audit log streaming to Splunk Cloud
Public beta available
HCP audit log streaming is currently in beta. This documentation supports testing and development scenarios. Do not use this feature in secure production environments.
This page describes how to stream an organization's HCP audit logs to Splunk Cloud, where you can review them. Enable audit log streaming from the HCP portal or use the HCP Terraform provider hcp_log_streaming_destination resource.
Requirements
Whether you use the HCP UI or the Terraform provider, enabling audit log streaming requires an HCP user account with owner or admin permissions for an organization. For more information, refer to users.
Terraform provider method
To configure and enable audit log streaming with Terraform instead of the HCP UI, the following software and provider versions are also required.
- Terraform v1.1.5 or later. For the best experience, we recommend using the latest release.
- HashiCorp Cloud Platform (HCP) Provider version 0.80.0 or higher.
You must also configure the HCP provider to authenticate using an organizational-level service principal and service principal key. Refer to the Authenticate with HCP guide in the Terraform registry for more information.
Workflow
You can enable audit log streaming from HCP to Splunk Cloud using the dedicated HCP workflow. You also have the option to create and manage your organization's infrastructure using the HCP provider in the Terraform Registry.
Complete the following steps to enable audit log streaming:
- Outside of HCP, create an audit log index on Splunk Cloud.
- Outside of HCP, create and retrieve an HTTP Event Collector (HEC) token.
- Enable audit log streaming.
Create an audit log index
To enable audit log streaming to Splunk Cloud, you must assign an index to stream the logs to. If you do not have an index already, create an event index named hcp-audit-logs. For more information, refer to create events indexes in the Splunk documentation.
Create and retrieve an HTTP Event Collector (HEC) token
Create an HEC token on Splunk Cloud. This token has the following requirements:
- Give your HEC token a name, such as hcp-log-stream.
- Assign the hcp-audit-logs index you created to your token.
For guidance on creating the token, refer to Set up and use HTTP Event Collector in Splunk Web in the Splunk documentation.
For guidance on retrieving the token value, refer to Manage HTTP Event Collector tokens in the Splunk documentation.
Enable audit log streaming
To enable audit log streaming to Splunk Cloud, complete the following steps.
- Sign in to the HCP Portal.
- Select the organization you want to stream audit logs from.
- Click Audit log streaming.
- Click Create streaming destination.
- Select Splunk Cloud.
- Complete the required configuration fields:
- Destination name. This label appears in the list of audit log streams for the HCP organization.
- HTTP event collector (HEC) endpoint. This endpoint has the following format: https://http-inputs-<tenant>.splunkcloud.com/services/collector/event. Refer to Send data to HTTP Event Collector in the Splunk documentation for more information.
- Token. The value of the HEC token.
- Click Test connection to generate a test log that HCP sends to Splunk Cloud.
- Click Save.
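The following Terraform configuration is an added example covering the Terraform provider method described under "Terraform provider method" and the same endpoint and token values the HCP UI steps above ask for; it is not configuration from the HCP documentation. It assumes an organization-level service principal already exists, and the variable names (hcp_client_id, hcp_client_secret, splunk_tenant, splunk_hec_token) and the resource label are this example's own choices. The hcp_log_streaming_destination resource, its splunk_cloud block and the endpoint and token arguments follow the HCP provider's schema as documented at the time of writing; check the registry page for your provider version before applying.

```hcl
terraform {
  required_version = ">= 1.1.5"

  required_providers {
    hcp = {
      source  = "hashicorp/hcp"
      version = ">= 0.80.0"
    }
  }
}

# Organization-level service principal credentials (example variable names).
# Pass them with -var-file or TF_VAR_* environment variables; do not commit them.
variable "hcp_client_id" {
  type      = string
  sensitive = true
}

variable "hcp_client_secret" {
  type      = string
  sensitive = true
}

provider "hcp" {
  client_id     = var.hcp_client_id
  client_secret = var.hcp_client_secret
}

# The <tenant> part of https://http-inputs-<tenant>.splunkcloud.com.
# The validation rejects a full hostname pasted by mistake, which would
# otherwise produce an endpoint that never delivers events.
variable "splunk_tenant" {
  type = string

  validation {
    condition     = can(regex("^[a-z0-9-]+$", var.splunk_tenant))
    error_message = "splunk_tenant must be only the tenant label, not a hostname or URL."
  }
}

# Value of the HEC token created on Splunk Cloud and bound to the hcp-audit-logs index.
variable "splunk_hec_token" {
  type      = string
  sensitive = true
}

# One streaming destination per organization; the name is what appears in the
# HCP portal's list of audit log streams.
resource "hcp_log_streaming_destination" "splunk_cloud" {
  name = "hcp-log-stream"

  splunk_cloud = {
    endpoint = "https://http-inputs-${var.splunk_tenant}.splunkcloud.com/services/collector/event"
    token    = var.splunk_hec_token
  }
}
```

Run terraform init, then terraform plan and terraform apply with the four variables supplied. Marking the token and service principal secret as sensitive keeps them out of plan output, but the HEC token is still written to the Terraform state file, so treat that state as a secret (remote backend with access controls and encryption) just as you would the token itself.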
View audit logs
To view audit logs, search for the name of your audit log index on Splunk Cloud: hcp-audit-logs. Logs appear after you generate them.