Storing ClickHouse Cloud Audit logs into Splunk
Splunk is a data analytics and monitoring platform.
This add-on allows users to store the ClickHouse Cloud audit logs into Splunk. It uses ClickHouse Cloud API to download the audit logs.
This add-on contains only a modular input, no additional UI are provided with this add-on.
Installation
For Splunk Enterprise
Download the ClickHouse Cloud Audit Add-on for Splunk from Splunkbase.
In Splunk Enterprise, navigate to Apps -> Manage. Then click on Install app from file.
Select the archived file downloaded from Splunkbase and click on Upload.
If everything goes fine, you should now see the ClickHouse Audit logs application installed. If not, consult the Splunkd logs for any errors.
Modular input configuration
To configure the modular input, you'll first need information from your ClickHouse Cloud deployment:
- The organization ID
- An admin API Key
Getting information from ClickHouse Cloud
Log in to the ClickHouse Cloud console.
Navigate to your Organization -> Organization details. There you can copy the Organization ID.
Then, navigate to API Keys from the left-end menu.
Create an API Key, give a meaningful name and select Admin privileges. Click on Generate API Key.
Save the API Key and secret in a safe place.
Configure data input in Splunk
Back in Splunk, navigate to Settings -> Data inputs.
Select the ClickHouse Cloud Audit Logs data input.
Click "New" to configure a new instance of the data input.
Once you have entered all the information, click Next.
The input is configured, you can start browsing the audit logs.
Usage
The modular input stores data in Splunk. To view the data, you can use the general search view in Splunk.
