env zero has the ability to send all of your deployment logs and audit logs directly to your Splunk account.
Setup
Here are the steps to configure it:- The integration with Splunk uses the HTTP Event Collector, so you will need to set up it in your Splunk instance:
- For Splunk Enterprise follow this guide
- For Splunk Cloud follow this guide
- While creating a new HTTP Event Collector you will also create a token. Make sure the token has access to the index you would like to use. You will need this token to configure the integration inside the env zero platform.
- By default, env zero uses an index called
env0-deployment-logs-indexfor deployment logs and an index calledenv0-audit-logs-indexfor audit logs.
To create an index for audit logs follow this guide. The deployment logsโ index name can be it can be overridden. Either create theenv0-deployment-logs-indexindex, or use an existing index. - By default env zero will use
sourcetype: env0-sourcetype,source: env0-deployment-logs-sourcefor deployment logs andsource: env0-audit-logs-sourcefor audit logs - this can not be overridden. - There are two ways to configure the integrations:
-
In the env zero app
In the organizationโs integrations page, click on Splunk and fill the formโs fields:
-
Using environment variables
In the env zero platform you will need to configure the following environment variables in any scope you would like to have them:
*These environment variables can only override deployment logs forwarding configurationEnvironment variable name Description Mandatory ENV0_SPLUNK_URLThe URL of your Splunk instance in the following format: <protocol>://<instance url/ip>:<port>. For example:https://example.splunkcloud.com:8088Yes ENV0_SPLUNK_TOKENThe HTTP Event Collector token value. This is usually a GUID format token. For example: a90c7a14-8aac-4523-bbbb-dea20352aa4dYes ENV0_SPLUNK_INDEXThe index you would like env zero to push the data to. No - Default: env0-deployment-logs-index
-