
Ship events to Splunk — DefenseClaw

Problem

You run Splunk for security telemetry and you want DefenseClaw events indexed there without bespoke Splunk engineering.

Solution

Step 1: Install the Splunk app

Download the DefenseClaw Splunk app from the release artifacts:

wget https://github.com/cisco-ai-defense/defenseclaw/releases/download/v0.8.0/defenseclaw-splunk-app-0.8.0.tgz
tar -xzf defenseclaw-splunk-app-0.8.0.tgz -C $SPLUNK_HOME/etc/apps/
$SPLUNK_HOME/bin/splunk restart

The app ships:

  • sourcetype=defenseclaw:event with field extractions for every event kind
  • Prebuilt dashboards: Fleet health, Guardrail verdicts, Admission decisions, Sandbox activity, Sink lag
  • Saved searches: critical verdicts, unexpected egress, drift detections
  • Alerts: guardrail offline, sink backlog, admission overrides spike

See Splunk app for the full catalog.

Step 2: Create an HEC token

In Splunk:

  1. Settings → Data Inputs → HTTP Event Collector → New Token
  2. Name: defenseclaw
  3. Allowed indexes: main (or a dedicated defenseclaw index — recommended)
  4. Source type: defenseclaw:event
  5. Save and copy the token

Step 3: Attach the sink

defenseclaw setup observability add splunk-hec \
  --host splunk.example.com \
  --port 8088 \
  --token $HEC_TOKEN \
  --index defenseclaw \
  --name splunk-main \
  --non-interactive

The CLI probes connectivity and writes the token to ~/.defenseclaw/.env with mode 0600. The connectivity check is enforced: a bad URL or wrong token fails the setup with a non-zero exit.

Verify:

defenseclaw setup observability test splunk-main
# probe result is printed by the CLI
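The pre-flight the CLI performs in Steps 2 and 3 (private token file, HEC envelope, reading Splunk's response) can be reproduced by hand, which helps when the probe fails and you need to tell a permissions problem from a token or index problem. The following is an added example, not DefenseClaw's own code: the HEC endpoint, `Authorization: Splunk <token>` header and response codes are Splunk's; the `HEC_TOKEN` key name inside `~/.defenseclaw/.env`, the `host` value and the `kind` value `observability.probe` are assumptions, since the page does not show the file or the event schema. The `scope`/`kind`/`severity` fields are the ones the page's Splunk search uses.

```python
"""Pre-flight helpers for a DefenseClaw -> Splunk HEC sink (added example, not project code)."""
import json
import os
import stat
import time
import urllib.error
import urllib.request
from typing import Any, Dict, Optional, Tuple

# From the page: the CLI stores the token in ~/.defenseclaw/.env at mode 0600.
DEFAULT_ENV_PATH = os.path.expanduser("~/.defenseclaw/.env")
# Assumption: the token is stored under this key; the page does not show the file contents.
TOKEN_KEY = "HEC_TOKEN"

# Subset of Splunk HEC response codes (from Splunk's HEC documentation).
HEC_CODES = {
    0: "Success",
    1: "Token disabled",
    2: "Token is required",
    3: "Invalid authorization",
    4: "Invalid token",
    7: "Incorrect index",
}


def token_file_is_private(mode: int) -> bool:
    """True when no group/other permission bits are set (0600 or stricter)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def parse_dotenv(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; skips blanks and comments, strips matching quotes."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        out[key.strip()] = value
    return out


def load_hec_token(path: str = DEFAULT_ENV_PATH) -> str:
    """Read the token, refusing a file that group or others can read."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if not token_file_is_private(mode):
        raise PermissionError(f"{path} has mode {mode:04o}; expected 0600")
    with open(path, encoding="utf-8") as fh:
        values = parse_dotenv(fh.read())
    if TOKEN_KEY not in values:
        raise KeyError(f"{TOKEN_KEY} not found in {path}")
    return values[TOKEN_KEY]


def build_hec_event(event: Dict[str, Any], index: str = "defenseclaw",
                    sourcetype: str = "defenseclaw:event",
                    host: str = "defenseclaw-probe",
                    ts: Optional[float] = None) -> Dict[str, Any]:
    """Wrap one DefenseClaw event in the HEC JSON envelope for /services/collector/event."""
    return {
        "time": ts if ts is not None else time.time(),
        "host": host,
        "sourcetype": sourcetype,
        "index": index,
        "event": event,
    }


def classify_hec_response(status: int, body: str) -> Tuple[bool, str]:
    """Map an HEC HTTP status and JSON body to (accepted, human-readable reason)."""
    try:
        code = int(json.loads(body).get("code", -1))
    except (ValueError, AttributeError):
        code = -1  # body was not the JSON object HEC normally returns
    reason = HEC_CODES.get(code, f"HTTP {status}, HEC code {code}")
    return (status == 200 and code == 0, reason)


def send_event(host: str, port: int, token: str, payload: Dict[str, Any],
               timeout: float = 5.0) -> Tuple[bool, str]:
    """POST one envelope to HEC over TLS and classify the answer."""
    req = urllib.request.Request(
        f"https://{host}:{port}/services/collector/event",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_hec_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:
        return classify_hec_response(exc.code, exc.read().decode())


if __name__ == "__main__":
    # Uses the host/port from Step 3 and a constructed probe event (kind is an assumption).
    token = load_hec_token()
    probe = build_hec_event({"scope": "fleet", "kind": "observability.probe", "severity": "INFO"})
    print(send_event("splunk.example.com", 8088, token, probe))
```

A `(False, "Incorrect index")` answer means the token's allowed indexes (Step 2) do not include the `--index` you passed in Step 3; `(False, "Invalid token")` means the value in the env file is not the one Splunk issued. `load_hec_token` refusing the file is the same failure mode a loosened permission on `~/.defenseclaw/.env` would represent, and is worth fixing before retrying the sink.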

Step 4: Generate traffic

Drive a probe event to make sure the sink accepts traffic:

defenseclaw setup observability test splunk-main
defenseclaw doctor

Step 5: Verify in Splunk

index=defenseclaw sourcetype=defenseclaw:event
| stats count by scope kind severity

You should see at least one recent DefenseClaw event from the observability probe or doctor run.

Step 6: Open the dashboards

Navigate to Apps → DefenseClaw → Fleet health. Key panels to watch:

Panel            What to watch for
Verdict volume   Should track your traffic — big dips mean the sidecar is down
Severity mix     A sustained shift to HIGH/CRITICAL suggests a new threat or a bad rule
Sink lag         Should be 0 or near-zero
Admission rate   Steady background of allow; spikes of block are interesting
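The three panel conditions above (a verdict-volume dip, a severity-mix shift, a block spike) reduce to comparing the latest time window against the windows before it. The following is an added example, not DefenseClaw's own code or one of the app's saved searches: it runs those comparisons over a constructed sample of events. The `scope`, `kind` and `severity` fields are the ones the page's Splunk search groups by; the `kind` values `guardrail.verdict` and `admission.decision`, the `decision` field, and the thresholds are assumptions about the event schema and are marked as such in the code.

```python
"""Fleet health panel checks run locally over sample events (added example, not project code)."""
from statistics import median
from typing import Callable, Dict, List

# Field names scope/kind/severity match the page's Splunk search. The kind values,
# the "decision" field and the thresholds below are assumptions about the schema.
HIGH_SEVERITIES = {"HIGH", "CRITICAL"}
VERDICT_KIND = "guardrail.verdict"
ADMISSION_KIND = "admission.decision"


def bucket(events: List[dict], window_s: int = 60) -> Dict[int, List[dict]]:
    """Group events by window start (epoch seconds rounded down to window_s)."""
    out: Dict[int, List[dict]] = {}
    for ev in events:
        start = int(ev["time"]) // window_s * window_s
        out.setdefault(start, []).append(ev)
    return out


def series(buckets: Dict[int, List[dict]], pred: Callable[[dict], bool]) -> List[int]:
    """Per-window count of events matching pred, oldest window first."""
    return [sum(1 for e in buckets[k] if pred(e)) for k in sorted(buckets)]


def dip(counts: List[int], ratio: float = 0.5) -> bool:
    """Verdict volume panel: latest window below ratio * median of earlier windows."""
    if len(counts) < 2:
        return False
    return counts[-1] < ratio * median(counts[:-1])


def spike(counts: List[int], factor: float = 3.0) -> bool:
    """Admission rate panel: latest window above factor * median of earlier windows.
    The baseline is floored at 1 so a zero-block history still flags a sudden burst."""
    if len(counts) < 2:
        return False
    return counts[-1] > factor * max(median(counts[:-1]), 1)


def high_fraction(events: List[dict]) -> float:
    """Share of events whose severity is HIGH or CRITICAL."""
    if not events:
        return 0.0
    return sum(1 for e in events if e["severity"] in HIGH_SEVERITIES) / len(events)


def severity_shift(buckets: Dict[int, List[dict]], delta: float = 0.25) -> bool:
    """Severity mix panel: HIGH/CRITICAL share of the latest window's verdicts exceeds
    the earlier windows' share by more than delta."""
    keys = sorted(buckets)
    if len(keys) < 2:
        return False
    verdicts = lambda k: [e for e in buckets[k] if e["kind"] == VERDICT_KIND]
    baseline = [e for k in keys[:-1] for e in verdicts(k)]
    return high_fraction(verdicts(keys[-1])) - high_fraction(baseline) > delta


def fleet_health(events: List[dict], window_s: int = 60) -> Dict[str, bool]:
    """Evaluate the three panel conditions; True means the panel deserves a look."""
    b = bucket(events, window_s)
    is_block = lambda e: e["kind"] == ADMISSION_KIND and e.get("decision") == "block"
    return {
        "verdict_volume_dip": dip(series(b, lambda e: e["kind"] == VERDICT_KIND)),
        "severity_shift": severity_shift(b),
        "admission_block_spike": spike(series(b, is_block)),
    }


def constructed_events() -> List[dict]:
    """Constructed sample: five quiet minutes (10 verdicts, 2 of them HIGH; 5 admissions,
    1 block), then a minute with only 2 verdicts, both CRITICAL, and 4 of 5 admissions blocked."""
    base = 1_700_000_040  # aligned to a 60 s window; an arbitrary constructed epoch
    events: List[dict] = []
    for w in range(5):
        t = base + 60 * w
        for i in range(10):
            events.append({"time": t + i, "scope": "fleet", "kind": VERDICT_KIND,
                           "severity": "HIGH" if i < 2 else "LOW"})
        for i in range(5):
            events.append({"time": t + 30 + i, "scope": "fleet", "kind": ADMISSION_KIND,
                           "severity": "INFO", "decision": "block" if i == 0 else "allow"})
    t = base + 300
    events += [{"time": t + i, "scope": "fleet", "kind": VERDICT_KIND, "severity": "CRITICAL"}
               for i in range(2)]
    events += [{"time": t + 30 + i, "scope": "fleet", "kind": ADMISSION_KIND, "severity": "INFO",
                "decision": "allow" if i == 0 else "block"} for i in range(5)]
    return events


if __name__ == "__main__":
    for name, flagged in fleet_health(constructed_events()).items():
        print(f"{name:24s} {'CHECK' if flagged else 'ok'}")
```

The same logic expressed as a Splunk saved search would bucket on `_time`, compute the per-window counts with `stats`, and compare the newest bucket to the median of the rest; the thresholds here (half the median for a dip, three times it for a spike, a 25-point jump in HIGH/CRITICAL share) are starting points to tune against your own traffic, not values from the app.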

Step 7: Tune the index

For production, set retention to 90+ days on a dedicated defenseclaw index. Verdicts compress well — expect ~50-200 MB/day per 1000 LLM calls.
