You can configure Cisco Panoptica to send event information to Splunk. This includes events such as a workload starting in an environment, or being blocked; connections being established between workloads, or closed.

You can configure both Splunk Cloud and Splunk Enterprise (on-prem).

Configure Splunk

On the Splunk side, you must create a token that Panoptica uses to access the Splunk API. You must also create an index for Panoptica events.

API Token

1. Log in to the Splunk console, and select Data Inputs from the Settings menu.

2. In the Local inputs section, click Add new under Actions, opposite the HTTP Event Collector type.

3. Enter a name for the token, then click Next.
4. Click Review. Do not select any filters or restrictions for the API (in particular, restrictions for the Panoptica index, "Panoptica").
5. Click Submit.

6. Copy the token value.

Add an index for Panoptica in Splunk

Event information in Splunk is indexed by the provider, so an index for Panoptica must be created. All messages sent from Panoptica will include this index.

1. In the Splunk console, select Indexes from the Settings menu.

2. Click New Index.

3. Enter Panoptica for the Index Name, and click Save.

Configure Panoptica

1. In the Panoptica console, navigate to the System page, and then select the INTEGRATIONS tab.
2. Scroll to the EVENTS FORWARDING section, and click New Events Forwarding.
3. Select type Splunk.

4. Enter the following details for the Splunk server:
   • the URL for your Splunk server
   • the token copied from the setup on Splunk, above.
   • if the Splunk server is in the cloud, check Splunk Cloud.
5. Select which events will be sent to Splunk:
   • Notifications - these are non-critical events, that do not violate any Panoptica policy , such as a workload starting, or a connection established
   • Alerts - these are events that violate a Panoptica policy; the action may be blocked, depending on the rules in the policy.