Configuring Log Streaming

Introduction

SGNL can stream events to leading SIEM and storage providers while still making logs available within the SGNL Console and APIs. SGNL logs are formatted as individual JSON entries with a well-defined schema. An example access decision log entry takes the form of:

{
   "accessDecision": "Allow",
   "action": "access",
   "assetId": "aws::arn:1111",
   "clientId": "a5c5f108-1111-4b9a-2222-ed9787e3ce6b",
   "eventType": "sgnl.accessSvc.decision",
   "integrationDisplayName": "AWS",
   "integrationId": "a5c5f108-3333-4b9a-4444-ed9787e3ce6b",
   "level": "info",
   "msg": "Access search service decision",
   "principalId": "alejandro.bacong@wholesalechips.co",
   "requestId": "a5c5f108-5555-4b9a-6666-ed9787e3ce6b",
   "tenantId": "a5c5f108-7777-4b9a-8888-ed9787e3ce6b",
   "timeAtEvaluation": "2024-06-28T20:05:03Z",
   "time_now": "2024-06-28T20:05:03.289737017Z",
   "ts": "2024-06-28T20:05:03Z"
}

To get started with Log Streaming, simply head over to the Admin section of the SGNL Console and start adding integrations.

Available Log Streaming Integrations

Splunk

SGNL uses the Splunk HTTP Event Collector (HEC) to stream logs. To get started, log in to both the SGNL Console and your Splunk console.

In Splunk:

  1. Choose to Add Data from the Splunk Launcher
  2. Choose Monitor to add log data from an HTTP endpoint
  3. Choose the HTTP Event Collector method for receiving data, and give the collector a descriptive name, such as SGNL followed by your client name
  4. On the next page, choose the Automatic source type and select which indices you’d like SGNL log data to flow into
  5. On the final page, review your settings and ensure you copy your token – you’ll need this to configure SGNL in a moment

In SGNL:

  1. Log in to the Console and choose Admin -> Add Log Stream
  2. Give the Log Stream a name and optionally a description
  3. Enter your Domain, e.g. https://sgnl-log-stream.splunkcloud.com
  4. Enter your port number (8088 by default)
  5. Paste the token that you copied from Splunk and save the configuration

The next set of events that are generated will start to stream logs to Splunk, and you should start to see them showing up in Splunk Search. You can trigger logs by making access evaluation requests, configuring and synchronizing a System of Record, or creating triggers, rules, and actions inside the CAEP Hub.
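As an added illustration, not code from SGNL or its documentation, the following Python shows the shape of what the stream above delivers to Splunk: an access-decision entry with the fields shown in the Introduction, checked for its required fields and wrapped in the Splunk HEC event envelope addressed to the domain and port entered in the SGNL steps. The sample values, the chosen required-field set, the sourcetype name and the index name are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample entry using the field names shown above (not a real event).
RAW_ENTRY = json.dumps({
    "accessDecision": "Deny", "action": "access", "assetId": "aws::arn:1111",
    "eventType": "sgnl.accessSvc.decision", "level": "info",
    "principalId": "user@example.com", "tenantId": "tenant-placeholder",
    "ts": "2024-06-28T20:05:03Z",
})

# Assumed minimum field set an access-decision entry must carry before forwarding.
REQUIRED_FIELDS = ("accessDecision", "eventType", "principalId", "assetId", "tenantId", "ts")


def parse_sgnl_entry(raw: str) -> dict:
    """Parse one JSON log entry and reject it if schema fields are missing."""
    entry = json.loads(raw)
    missing = [f for f in REQUIRED_FIELDS if f not in entry]
    if missing:
        raise ValueError(f"SGNL entry missing fields: {missing}")
    return entry


def to_hec_event(entry: dict, index: str, sourcetype: str = "sgnl:json") -> dict:
    """Build the body for POST /services/collector/event.

    'time' is epoch seconds taken from the entry's own ts so Splunk indexes the
    decision time rather than the ingest time; 'index' must be one of the indices
    the HEC token was allowed to write to when the collector was created.
    """
    ts = datetime.strptime(entry["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": ts.timestamp(), "sourcetype": sourcetype, "index": index, "event": entry}


def hec_request(domain: str, port: int, token: str, events: list) -> tuple:
    """Return (url, headers, body) for one HEC request carrying several events.

    HEC accepts multiple JSON event objects concatenated in a single body, and
    authenticates with the token copied from Splunk in the 'Splunk <token>' scheme.
    """
    url = f"{domain}:{port}/services/collector/event"
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    body = "".join(json.dumps(e) for e in events)
    return url, headers, body


if __name__ == "__main__":
    event = to_hec_event(parse_sgnl_entry(RAW_ENTRY), index="sgnl")
    print(hec_request("https://sgnl-log-stream.splunkcloud.com", 8088, "TOKEN-PLACEHOLDER", [event]))
```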