Hi All,
I'm about to integrate Tanium Connect with Splunk Cloud (not Splunk Enterprise) to forward data from Tanium to Splunk Cloud in the 'syslog' format.
In this regard, I would like to know details on the following -
ThanQ in advance 🙂
Tanium only provides output to syslog and Splunk Cloud does not have a syslog collector available in the cloud. So, the solution I deployed was to collect the data on-premise in a syslog server with a UF installed. Create a config for the UF to watch the file system the syslog server writes to, and the data will be forwarded out the same way that any of your on-prem data flows to Splunk Cloud. No additional firewall rules unless you need one to get from the Tanium server to the syslog server.
When sending data into Splunk Cloud, you'll need to forward the data in using a UF or HF (depending on your app). In this case, it seems like Tanium will send data to a syslog server and then you can forward it from there into Splunk Cloud using the forwarder app on your cloud stack.
I'm not too familiar with the Tanium Connect piece for Splunk; you might want to reach out to Tanium directly about that setting. You can also hit them up on splunk-usergroups.slack.com in the #tanium channel.
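To make the on-prem syslog relay described in the two answers above concrete, here is an added example (not from the original thread, and not Tanium's or Splunk's own documentation) of the two config files involved: an rsyslog rule that accepts syslog from the Tanium server and writes it to a dedicated file, and the Universal Forwarder inputs.conf stanza that monitors that file. The Tanium server address 10.0.0.5, the file path /var/log/tanium/tanium.log, the sourcetype and the index name are all assumptions; use your own values, and create the index in Splunk Cloud before the forwarder starts sending. The outputs.conf pointing the UF at your cloud stack is not shown here because it comes from the Universal Forwarder credentials package you download from Splunk Cloud.

```conf
# /etc/rsyslog.d/30-tanium.conf  (on the on-prem syslog server)
# Listen for syslog over UDP and TCP on 514 (binding to 514 needs root
# or the appropriate capability; pick the transport Tanium Connect is set to).
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# 10.0.0.5 is an assumed Tanium server address. Write only its messages to a
# dedicated file so the UF can assign them their own sourcetype and index,
# then stop so they do not also land in /var/log/messages.
if $fromhost-ip == '10.0.0.5' then {
    action(type="omfile" file="/var/log/tanium/tanium.log")
    stop
}

# $SPLUNK_HOME/etc/apps/tanium_inputs/local/inputs.conf  (on the UF on that server)
# Monitor the file rsyslog writes; sourcetype and index names are assumptions.
[monitor:///var/log/tanium/tanium.log]
sourcetype = tanium
index = tanium
disabled = false
```

Check the rsyslog file with `rsyslogd -N1` before restarting it, and after restarting the UF confirm the input was picked up with `splunk list monitor`. Since a single file can grow quickly, pair it with a logrotate rule; the UF follows the rotated file by its CRC, so plain rotation does not cause re-indexing.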