Configure HCP Vault Metrics Streaming to Splunk

This tutorial covers configuration of HCP Vault metrics streaming to and data visualization in your existing Splunk environment. For details on metrics scope and interpretation, see the HCP Vault Metrics Guidance.

Prerequisites

To configure metrics streaming to Splunk, you will need to have:

• Have access to a paid Splunk Cloud or Enterprise account.

  Note: Splunk Cloud Trial account would not work with HCP Vault as its HEC (HTTP Event Collector ) listener is hosted using a self signed certificate that HCP won't trust.

• Your Splunk HEC and token.

  Note: HEC endpoint should be created using events and not metrics index in Splunk.

• An account with Admin or Contributor role assigned in HCP

• A production grade HCP Vault cluster

Enable metrics streaming

1. From the HCP Vault cluster Overview page, select the Metrics view.

2. If you have not configured metrics streaming before, click Enable streaming.

3. From the Stream Vault metrics view, select Splunk as the provider.

4. Under Splunk Configuration, enter your HTTP Event Collector (HEC) Endpoint URL and event collector Token.

5. Click Save.

   NOTE: At this time, HCP Vault only supports streaming audit logs and metrics to only one SIEM platform respectively at any given time.

6. HashiCorp has created a sample HCP Vault Splunk dashboard template for metrics visualizations. Splunk dashboard templates are distributed as Splunk apps. If you prefer to use the sample dashboard template, follow the Splunk instructions for adding a Splunk app to your Splunk Enterprise or Cloud environment.

Edit the metrics streaming configuration

To edit a metrics streaming integration, perform the following steps.

1. From the Metrics page, click on the Manage drop-down, then Edit configuration.

2. Edit the configuration, then click Save.

Disable metrics streaming

To disable a metrics streaming integration, from the Metrics page, click on the Manage drop-down, then Disable streaming.