How to integrate Endpoint Central (on-premises) with Splunk?

By integrating ManageEngine Endpoint Central with Splunk, organizations gain several benefits. The integration consolidates all vulnerability data in one place, giving you a single view for monitoring and management. Splunk's analytics let you examine vulnerability trends, patterns and anomalies so you can prioritize remediation based on risk and impact. Splunk's dashboards and reports can be customized to present vulnerability data in a clear and actionable way. Overall, integrating Splunk with Endpoint Central strengthens vulnerability management by leveraging Splunk's analytics, real-time monitoring and visualization capabilities.

Note: Splunk integration feature is available on build DC-11.3.2430.01 and above.

This section talks about:

Installing the ManageEngine Endpoint Central (on-premises) add-on in Splunk

  • Navigate to the Splunk Home page.
  • In the Header menu, click on Apps.
  • Select Find More Apps to be redirected to Splunk's Marketplace.
  • Search for the ManageEngine Endpoint Central Add-On app.
  • Click Install and enter your username and password.
  • Click Agree and Install and now you can access the application from the Splunk home page or the Apps menu.

Creating a CA-Bundle (Certificate Authority bundle) for SSL validation

  • Navigate to the Endpoint Central On-premises Server installation directory on your system. Then, go to the %EC Home Dir% -> nginx -> conf folder.
  • Open the server.crt file with a text editor and copy the contents of the certificate file.

  • Now go to the Splunk installation directory on your system.
  • Navigate to %Splunk Home Dir% -> etc -> apps -> TA-manageengine-endpoint-central-add-on.

  • Within the TA-manageengine-endpoint-central-add-on folder, create a new folder named certificates.


  • Inside the certificates folder, create a new text file and rename it to ec.ca-bundle.

  • Open the ec.ca-bundle file with a text editor and paste the contents of the server.crt file from the Endpoint Central On-premises server installation directory into ec.ca-bundle.

  • Save and close the ec.ca-bundle file.

Generating an Auth-Token in Endpoint Central (on-premises)

  • In the Endpoint Central console, navigate to the Admin tab -> API Key Management and click on Generate Key.
  • Select Splunk from the Application menu and click on Generate Key to generate your Auth token.
  • Then you can copy your authentication token.
  • Note: The generated key is shown ONLY ONCE. Copy the API key when it is displayed and store it in a secure place. If it is lost, it cannot be retrieved; you can only regenerate a new key.

Configuring the app in Splunk with the Endpoint Central (on-premises) server

  • Navigate to the Splunk home page and access the header menu and click on Apps.
  • Select the ManageEngine Endpoint Central Add-On App.
  • Within the App, navigate to the Configurations page. Click the Add button to include your server configuration.
  • In the pop-up, choose Endpoint Central On-premise from the Endpoint Central Server dropdown and complete all necessary fields.
  • Paste the Auth Token copied from Endpoint Central Server.
  • Click Add. If all the information is correct, it will be validated successfully.
  • Valid inputs:
      • Account Name: Should be unique and without spaces.
      • Endpoint Central Server: Must be Endpoint Central On-premise.
      • Endpoint Central Server URL: URL with the scheme (https://). This URL must be accessible from the machine hosting Splunk. If using a proxy, configure proxy settings before adding configuration details.
      • Auth Token: Use the auth token generated from Endpoint Central without any modifications.
  • The added configuration will appear in the Accounts section.

Creating an input with the Endpoint Central (on-premises) server configuration

  • Navigate to the Inputs tab in Splunk and click on the Create New Input button.
  • In the pop-up window, enter all the required information. From the Global Account dropdown, select the configured Endpoint Central On-prem server.
  • Then, click the Add button. If all inputs are valid, the input will be added successfully.
  • Valid inputs:
      • Name: Unique name without any white spaces.
      • Interval: In seconds, must be between 3600 and 86400.
      • Index: Default.
      • Global Account: Endpoint Central On-prem server configured in the configuration section.
  • The added input will then be displayed.
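The two "Valid inputs" lists above are the rules the add-on enforces when you click Add. The following script is an added example, not part of this article or of the ManageEngine add-on: it applies those same rules to the values before you type them into the Configuration and Inputs pages, and it can probe the server URL over TLS against your ec.ca-bundle so a certificate or reachability problem surfaces before the add-on's validation fails. The function names, the sample account and input values, and the host name ec-server.example are assumptions chosen for illustration.

```python
"""Pre-flight checks for the Endpoint Central add-on's Configuration and Inputs pages.

Added example; the functions and sample values below are illustrative, not the
add-on's own code. The TLS probe is only run when a URL and bundle path are
passed on the command line.
"""
import socket
import ssl
import sys
from urllib.parse import urlsplit

# Bounds stated on the Inputs page: interval in seconds, 3600..86400.
INTERVAL_MIN, INTERVAL_MAX = 3600, 86400
ON_PREM = "Endpoint Central On-premise"


def validate_account(name: str, server_type: str, url: str, token: str,
                     existing_accounts: set[str]) -> list[str]:
    """Return a list of problems with a Configuration entry (empty when valid)."""
    problems = []
    if not name or any(c.isspace() for c in name):
        problems.append("Account Name must be non-empty and contain no spaces")
    if name in existing_accounts:
        problems.append("Account Name must be unique among configured accounts")
    if server_type != ON_PREM:
        problems.append(f"Endpoint Central Server must be '{ON_PREM}'")
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("Server URL must include the https:// scheme and a host")
    if not token or token != token.strip():
        problems.append("Auth Token must be pasted unmodified (no surrounding whitespace)")
    return problems


def validate_input(name: str, interval: int, global_account: str,
                   configured_accounts: set[str]) -> list[str]:
    """Return a list of problems with an Inputs entry (empty when valid)."""
    problems = []
    if not name or any(c.isspace() for c in name):
        problems.append("Name must be non-empty and contain no white space")
    if not INTERVAL_MIN <= interval <= INTERVAL_MAX:
        problems.append(f"Interval must be between {INTERVAL_MIN} and {INTERVAL_MAX} seconds")
    if global_account not in configured_accounts:
        problems.append("Global Account must be a server already added on the Configuration page")
    return problems


def probe_tls(url: str, ca_bundle_path: str, timeout: float = 5.0) -> str:
    """Open a TLS connection to the server URL, verifying its certificate against
    the given CA bundle (the ec.ca-bundle built for the add-on), and return the
    certificate's subject common name. Raises ssl.SSLError / OSError on failure."""
    parts = urlsplit(url)
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    with socket.create_connection((parts.hostname, parts.port or 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=parts.hostname) as tls:
            cert = tls.getpeercert()
    subject = dict(item for rdn in cert["subject"] for item in rdn)
    return subject.get("commonName", "")


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python preflight.py https://ec-server.example /path/to/ec.ca-bundle
        print("server certificate CN:", probe_tls(sys.argv[1], sys.argv[2]))
    else:
        # Constructed sample values; ec-server.example is a placeholder host.
        accounts = {"ec-prod"}
        print(validate_account("ec prod", ON_PREM, "http://ec-server.example", " token ", accounts))
        print(validate_input("vuln_sync", 3600, "ec-prod", accounts))
```

Run it without arguments to see the field checks on the constructed samples; pass the server URL and the path to ec.ca-bundle to run the TLS probe from the Splunk host, which is where the URL must be reachable from.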

Viewing data in Splunk

  • Navigate to the Search tab in the app.
  • Once an input is configured, synchronization with the Endpoint Central server will begin, and data will start posting to Splunk.
  • Currently, only vulnerability data from Endpoint Central is posted to Splunk.

  • The vulnerability data is posted under the sourcetype manageengine:ec:vulnerability.
  • To view the posted data, run the following search:

    index=* sourcetype="manageengine:ec:vulnerability"

Initiating Full Sync

  • Navigate to %Splunk Home Dir% -> etc -> apps -> TA-manageengine-endpoint-central-add-on -> default
  • Create a file named custom.conf
  • Add the following entry:

    [manageengine:ec:vulnerability]
    initiate_full_sync = True

  • Save the file to trigger full sync.
  • During the next sync, a full sync will be initiated.

Configuring Multiple Endpoint Central Servers in Splunk

  • Whenever you add a new On-Prem Endpoint Central server in Splunk, include the contents of that server's server.crt file in the existing ec.ca-bundle file.
  • Refer to the steps in Creating a CA-Bundle for SSL Validation to copy the contents of the server.crt file.
  • Append the copied contents to the end of the already created ec.ca-bundle file.
  • Finally, follow the instructions in Configuring the app in Splunk with the Endpoint Central (on-premises) server to complete the configuration.
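Both the initial bundle creation (Creating a CA-Bundle for SSL Validation) and the append step above are plain copy-and-paste of PEM text, and a pasted block that is truncated, or a server certificate pasted twice after a repeated run, is not caught until the add-on's SSL validation fails. The following script is an added example, not part of this article or of the ManageEngine add-on: it merges one or more server.crt files into ec.ca-bundle, checks that every CERTIFICATE block decodes to base64 that begins with the ASN.1 SEQUENCE tag every X.509 certificate starts with, and skips certificates already in the bundle by SHA-256 fingerprint of the DER bytes. The function names are assumptions; the two sample "certificates" are constructed minimal DER sequences so the block runs offline, not real certificates.

```python
"""Build or extend the ec.ca-bundle used by the Endpoint Central Splunk add-on.

Added example, not the add-on's code. Each server.crt is parsed as PEM, checked
for a plausible DER body, and added to the bundle only if not already present.
"""
import base64
import hashlib
import re
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def parse_pem_certs(text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in text.

    Raises ValueError when no block is present, when a block is not valid
    base64 (a truncated paste), or when the decoded bytes do not start with
    0x30, the ASN.1 SEQUENCE tag that opens every X.509 certificate.
    """
    ders = []
    for match in PEM_BLOCK.finditer(text):
        body = "".join(match.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:
            raise ValueError(f"certificate block is not valid base64: {exc}") from exc
        if not der or der[0] != 0x30:
            raise ValueError("certificate block does not decode to an ASN.1 SEQUENCE")
        ders.append(der)
    if not ders:
        raise ValueError("no CERTIFICATE blocks found")
    return ders


def to_pem(der: bytes) -> str:
    """Re-encode DER as a PEM CERTIFICATE block with 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def merge_bundle(existing_bundle: str, new_server_crt: str) -> tuple[str, list[str]]:
    """Append the certificates in new_server_crt to existing_bundle.

    Certificates whose DER fingerprint is already in the bundle are skipped, so
    repeating the procedure for the same server never duplicates its entry.
    Returns (merged bundle text, fingerprints that were newly added).
    """
    have: dict[str, bytes] = {}
    if existing_bundle.strip():
        for der in parse_pem_certs(existing_bundle):
            have[fingerprint(der)] = der
    added = []
    for der in parse_pem_certs(new_server_crt):
        fp = fingerprint(der)
        if fp not in have:
            have[fp] = der
            added.append(fp)
    return "".join(to_pem(d) for d in have.values()), added


def update_bundle_file(bundle_path: Path, server_crt_path: Path) -> list[str]:
    """Merge server_crt_path into bundle_path on disk, creating the bundle
    (and its certificates folder) if needed. Returns the fingerprints added."""
    existing = bundle_path.read_text() if bundle_path.exists() else ""
    merged, added = merge_bundle(existing, server_crt_path.read_text())
    bundle_path.parent.mkdir(parents=True, exist_ok=True)
    bundle_path.write_text(merged)
    return added


# Constructed stand-ins for two servers' server.crt files: minimal DER
# SEQUENCEs (an INTEGER inside a SEQUENCE), not real certificates.
SERVER_A_CRT = to_pem(b"\x30\x03\x02\x01\x01")
SERVER_B_CRT = to_pem(b"\x30\x03\x02\x01\x02")

if __name__ == "__main__":
    bundle, _ = merge_bundle("", SERVER_A_CRT)            # first server
    bundle, _ = merge_bundle(bundle, SERVER_B_CRT)        # second server appended
    bundle, again = merge_bundle(bundle, SERVER_A_CRT)    # re-run: nothing added
    print(f"bundle holds {len(parse_pem_certs(bundle))} certificate(s); "
          f"re-adding server A added {len(again)}")
```

In practice call update_bundle_file with the path to %Splunk Home Dir%/etc/apps/TA-manageengine-endpoint-central-add-on/certificates/ec.ca-bundle and the server.crt copied from %EC Home Dir%/nginx/conf of the server being added; run once per Endpoint Central server.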

Kindly contact support for any queries.