HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

Configure HCP Vault Dedicated audit log streaming to Splunk

Availability

HCP Vault Dedicated audit logs streaming is available for all production grade clusters. The feature is not available for Development tier clusters.

Prerequisites

To configure audit logs streaming to Splunk, you will need to have:

  • Have access to a paid Splunk Cloud or Enterprise account.

    Note

    Splunk Cloud Trial account would not work with HCP Vault Dedicated as its HEC (HTTP Event Collector ) listener is hosted using a self signed certificate that HCP won't trust.

  • Your Splunk HEC and token.

    Note

    HEC endpoint should be created using events and not metrics index in Splunk.

  • A HCP account with the Admin role assigned

  • An essentials or standard tier HCP Vault Dedicated cluster

    Note

    If you do not have a cluster running, refer to the Create a Vault Cluster on HCP or the Deploy HCP Vault Dedicated with Terraform tutorial to create an HCP Vault Dedicated cluster.

Enable audit logs streaming

  1. From the HCP Vault Dedicated cluster Overview page, select the Audit Logs view.

  2. Click Enable Streaming.

  3. From the Enable audit logs streaming view, select Splunk as the provider and click Next.

  4. Under Splunk configuration, enter your HTTP Event Collector (HEC) Endpoint URL and event collector Token.

  5. Click Save.

    Note

    At this time HCP Vault Dedicated only supports audit log streaming to one log endpoint at a time.

Refer to the Splunk documentation for instructions on log querying.

Example Terraform configuration (optional)

Refer to the Terraform Registry hcp_vault_cluster documentation for more information.

resource "hcp_vault_cluster" "example" {
  cluster_id = "vault-cluster"
  hvn_id     = hcp_hvn.example.hvn_id
  tier       = "standard_large"
  audit_log_config {
    splunk_token = "splunk_token"
    splunk_hecendpoint = "splunk_hecendpoint"
  }
}

Edit the audit log streaming configuration (optional)

To edit a audit log streaming integration, perform the following steps.

  1. From the Audit Logs page, click on the Manage drop-down, then Edit configuration.

  2. Edit the configuration, then click Save.

Disable audit log streaming (optional)

To disable a audit log streaming integration, from the Audit Logs page, click on the Manage drop-down, then Disable streaming.

Edit this page on GitHub