Configure the Splunk Client Policy

Using the Client Policy Builder, you can create and modify policies for your Tenable Log Correlation Engine Splunk Client. Perform the following steps in the web interface of the Tenable Log Correlation Engine server that your Tenable Log Correlation Engine Splunk Client is configured to communicate with.

Caution: The Tenable Log Correlation Engine Splunk Client can process a maximum of 500 logs per second. Processing more than 500 logs per second can result in a loss of data. This is an absolute limit and cannot be increased by improving the system hardware.

To configure the Splunk Client:

  1. Using the Client Policy Builder, create a policy for your Tenable Log Correlation Engine Splunk Client. This documentation includes a list of valid configuration items for the client policy.

    Note: The Tenable Log Correlation Engine Splunk Client policy requires at least one IP address for a Splunk server. If no IP addresses are provided, the client will not open the Listen port.

    For the Splunk Client to function, edit the client policy to include the required syntax shown below, specifying your Splunk server.

    XML Example:

    <splunk-server>192.0.2.10</splunk-server>

  2. Assign the policy to the Tenable Log Correlation Engine Splunk Client.
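
The following pre-assignment check is an added example, not part of the Tenable documentation or product. It parses a policy and reports whether it contains at least one <splunk-server> element holding an IP address, the condition the note above gives for the client to open the Listen port. The `<options>` root element, the sample policies, and the function name `check_splunk_servers` are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample policies. The <options> root element is an assumption;
# only the <splunk-server> element comes from the documentation above.
GOOD_POLICY = """<options>
    <splunk-server>192.0.2.10</splunk-server>
</options>"""

NO_SERVER_POLICY = "<options></options>"

BAD_VALUE_POLICY = """<options>
    <splunk-server>splunk.example.com</splunk-server>
</options>"""


def check_splunk_servers(policy_xml):
    """Return (valid_ips, problems) for every <splunk-server> in the policy."""
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError as exc:
        return [], [f"policy is not well-formed XML: {exc}"]

    valid, problems = [], []
    # iter() walks the whole tree, so no assumption is made about nesting depth.
    for elem in root.iter("splunk-server"):
        text = (elem.text or "").strip()
        try:
            valid.append(str(ipaddress.ip_address(text)))
        except ValueError:
            problems.append(f"<splunk-server> value {text!r} is not an IP address")

    # Per the note above: with no Splunk server IP, the Listen port stays closed.
    if not valid:
        problems.append("no Splunk server IP address: the client will not open the Listen port")
    return valid, problems


if __name__ == "__main__":
    samples = [("good", GOOD_POLICY), ("empty", NO_SERVER_POLICY), ("bad", BAD_VALUE_POLICY)]
    for name, policy in samples:
        ips, issues = check_splunk_servers(policy)
        print(f"{name}: servers={ips} problems={issues}")
```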