
02: PolicyPak Cloud Event Forwarding to Splunk

PolicyPak Cloud customers are entitled to have one day of PolicyPak Least Privilege Manager logs stored in PolicyPak Cloud for free. If this isn’t yet enabled for your PolicyPak Cloud tenant, simply open a ticket with PolicyPak Support.

Storing events in PolicyPak Cloud for longer than one day is a paid option for PolicyPak Cloud customers.

However, one way to sidestep ongoing event storage costs is to use the PolicyPak Cloud Event Forwarding to Splunk mechanism, which is also free to use.

Here is how to configure it. Start by logging in at login.splunk.com and noting your Splunk URL. You will also need your Splunk access token (see https://docs.splunk.com/observability/en/admin/authentication-tokens/api-access-tokens.html and https://docs.splunk.com/Documentation/Splunk/9.1.1/Security/Setupauthenticationwithtokens ). Both the URL and the API token are needed during these steps.

TIP: These directions send data to Splunk Cloud, but the steps should be similar for on-prem Splunk. Of course, your on-prem Splunk must be correctly configured to accept data sources from the Internet.

Configure Event Forwarder in PP Cloud

1. Navigate to https://cloud.policypak.com/ , go to the "Company details" tab, click the Event Forwarder List link, then click +Add Event Forwarder.

2. Configure and save the new Event Forwarder. Please be aware that you must be a member of the ‘Notification Option Admin’ role. For extra security, a One-time Password is required to save the Event Forwarder config. You may also use the “Validate” button to check the credentials before saving.

View forwarding events state in “Collected Events” report

Next, in PolicyPak Cloud, check whether events are being forwarded as expected.

In PolicyPak Cloud, go to Report -> Computers (Collected Events) -> Show event and check the "Forwarded" state (Scheduled, Forwarded, Error).

View forwarded Events in Splunk

Lastly, you’ll want to check if events are appearing in Splunk.

1. Navigate to Splunk Home and enter your username and password.

2. Click “Search & Reporting”, enter the filter index="history", then click the “Search” icon.

3. Click “Datasets”

4. Click “raw_data”

5. View event data
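Once events are visible, a practitioner will want an ongoing check that the forwarder keeps delivering. The two searches below are an added example, not part of the original article or PolicyPak’s own documentation; they assume only that forwarded events land in the index="history" index shown above (the sourcetype and field names assigned by the forwarder are not known from this article, so the searches count events without filtering on them).

```spl
index="history" earliest=-24h@h latest=now
| timechart span=1h count AS forwarded_events

index="history" earliest=-1h@m latest=now
| stats count AS forwarded_events
| where forwarded_events = 0
```

The first search gives an hourly view of forwarded volume so a drop-off is easy to spot; the second can be saved as a scheduled alert that triggers when the number of results is greater than 0, which only happens when no events arrived in the last hour.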

  • 1304
  • 08-Nov-2023