Splunk integration

Noxen's NDJSON export ingests cleanly into Splunk via either the HTTP Event Collector or a Universal Forwarder file monitor. Each finding becomes one Splunk event with structured fields ready for search and dashboards — no props.conf regex wrangling required.

What gets indexed

One finding per LF-delimited line, each line a complete JSON document. Records share a common base (@timestamp, source, host, scan_started_at) plus a category field whose value is one of cve, open_port, tls, http_header, or admin_surface. Sample CVE event:

{"@timestamp":"2026-05-27T03:14:00.123Z","category":"cve","cve_id":"CVE-2024-6387","cvss_score":8.1,"description":"A signal handler race condition in OpenSSH's server (sshd)…","host":"db-01.prod.example","matched_cpe":"cpe:2.3:a:openbsd:openssh:9.6:*:*:*:*:*:*:*","package_name":"openssh-server","package_version":"1:9.6p1-3ubuntu13.5","scan_started_at":"2026-05-27T03:14:00.123Z","severity":"critical","source":"noxen"}

Splunk's automatic JSON KV extraction handles the rest — every field is searchable as field=value the moment the event lands. Optional global tags (env, region, tenant) apply to every record via Noxen's Settings → SIEM export → Global tags.

Setup — HTTP Event Collector (recommended)

  1. In Splunk Web: Settings → Data inputs → HTTP Event Collector → New Token. Set sourcetype to noxen:findings and pick an index (e.g. security). Copy the token.
  2. Run a small forwarder on the Mac running Noxen — for example, a launchd job that POSTs each new NDJSON file to the HEC endpoint, one event per line via the /services/collector/event path. (We ship a sample script in the docs.)
  3. Confirm with a search: index=security sourcetype=noxen:findings | head 10. Events should appear within a few seconds.
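
The forwarder job in step 2, as an added example rather than the sample script Noxen ships: it wraps each NDJSON line in the HEC envelope, carries the finding's @timestamp through as the event time (so Splunk does not fall back to ingest time) and its host field as the event host, and POSTs batches to /services/collector/event. The endpoint URL and token are read from the environment variables NOXEN_HEC_URL and NOXEN_HEC_TOKEN, names assumed here.

```python
"""Ship a Noxen NDJSON export to Splunk HEC, one HEC event per NDJSON line.

Assumed (not from the Noxen docs): NOXEN_HEC_URL holds the collector URL,
e.g. https://splunk.example:8088/services/collector/event, and
NOXEN_HEC_TOKEN holds the HEC token created in Splunk Web.
"""
import json
import os
import sys
import urllib.request
from datetime import datetime
from typing import Optional

SOURCETYPE = "noxen:findings"
INDEX = "security"


def iso_to_epoch(ts: str) -> float:
    """Convert Noxen's @timestamp (RFC 3339 with 'Z') to HEC epoch seconds."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def to_hec_event(line: str) -> Optional[dict]:
    """Wrap one NDJSON finding in the HEC envelope; None for blank or invalid lines."""
    line = line.strip()
    if not line:
        return None
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(record, dict):
        return None
    envelope = {"event": record, "sourcetype": SOURCETYPE, "index": INDEX}
    if "host" in record:
        envelope["host"] = record["host"]  # the scanned host, not the Mac running Noxen
    if "@timestamp" in record:
        envelope["time"] = iso_to_epoch(record["@timestamp"])  # finding time, not ingest time
    return envelope


def build_batches(lines, max_events: int = 500):
    """Yield HEC request bodies: newline-joined JSON envelopes, max_events per POST."""
    batch = []
    for line in lines:
        event = to_hec_event(line)
        if event is None:
            continue  # skip blank or malformed lines rather than failing the whole file
        batch.append(json.dumps(event))
        if len(batch) >= max_events:
            yield "\n".join(batch)
            batch = []
    if batch:
        yield "\n".join(batch)


def post_batch(body: str, url: str, token: str) -> int:
    """POST one batch to HEC; returns the HTTP status (200 on success)."""
    req = urllib.request.Request(url, data=body.encode(), method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    url, token = os.environ["NOXEN_HEC_URL"], os.environ["NOXEN_HEC_TOKEN"]
    with open(sys.argv[1], encoding="utf-8") as fh:  # path to one *.ndjson export
        for body in build_batches(fh):
            post_batch(body, url, token)
```

Run it as `python ship.py /path/to/export.ndjson` from the launchd job each time a new file appears; the HEC search in step 3 should then show the events with `_time` equal to the finding's @timestamp.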

Setup — file monitor (Universal Forwarder)

  1. In Noxen: Settings → SIEM export → Add destination. Choose a folder reachable by the Universal Forwarder — typically a mounted share or a directory replicated to a Splunk-monitored host.
  2. On the forwarder, add to inputs.conf:
    [monitor:///var/log/noxen/*.ndjson]
    sourcetype = noxen:findings
    index = security
    and to props.conf:
    [noxen:findings]
    INDEXED_EXTRACTIONS = json
    KV_MODE = none
    TIMESTAMP_FIELDS = @timestamp
    SHOULD_LINEMERGE = false
    INDEXED_EXTRACTIONS runs on the forwarder; KV_MODE = none takes effect on the search head, where it stops search-time JSON extraction from producing a second copy of every field, so put the same [noxen:findings] stanza in the search head's props.conf as well.
  3. Restart the forwarder, then search index=security sourcetype=noxen:findings to confirm.

Example searches

# Critical CVEs by host, last 7 days
index=security sourcetype=noxen:findings category=cve severity=critical earliest=-7d
| stats count by host, cve_id
| sort - count

# Hosts with exposed admin surfaces
index=security sourcetype=noxen:findings category=admin_surface
| stats values(display_name) as surfaces by host

# Weak TLS findings rolling weekly
index=security sourcetype=noxen:findings category=tls
| timechart span=1d count by severity

Compatibility

The NDJSON format carries nothing specific to a Splunk edition — it works with Splunk Enterprise, Splunk Cloud, and Splunk Free. HEC is the more elegant path for Splunk Cloud customers who can't run a forwarder on the Noxen host; file monitor is the cleaner path for on-prem clusters with a forwarder fleet already in place.

When events arrive

Events are emitted when a scan completes and its NDJSON is written, plus the HEC POST latency or the forwarder's tail-and-batch latency — typically a few seconds end to end. Noxen does not retroactively backfill past scans; only scans that complete after the destination is configured emit events.

What it doesn't do

SIEM export unlocks at the MSP tier ($149/month). If you're running Splunk against multiple client fleets, the MSP page covers the multi-tenant catalog story; otherwise the integrations hub lists every supported destination.

See pricing →