HELP FILE

How do I integrate Splunk with my LastPass Business account?

    All available events that take place in the LastPass Business Admin Console (e.g., login activity, master password changes, form fill attempts, etc.) can be passed to a Splunk instance (either Splunk Cloud or Splunk Enterprise), where you can then create custom reports using that data. This allows you to use the advanced functionality of Splunk to access and report on your LastPass Business activity. To take advantage of this integration, you need a running Splunk Cloud or Splunk Enterprise instance with a configured Data Input as HTTP Event Collector.

    Attention: LastPass requires that the HTTP Event Collector uses SSL with a valid certificate signed by a certificate authority. Only port 443 (Splunk Cloud) or port 8088 (Splunk Enterprise) are supported.
    Tip: You can view all available event types for LastPass Business on the LastPass Business Log Messages page at https://lastpass.com/logmsgdoc.php. Please note that you must be actively logged in with a LastPass Business account in order to view the list.

    Before you begin: The following must be done in Splunk before proceeding:
    • Generate an HTTP Event Collector token
    • Change the source type of the token to "structured _json"
    • Copy the Splunk Instance URL
    • Copy the HTTP Event Collector token

    Instructions will vary depending on your Splunk environment – see Splunk Cloud or Splunk Enterprise instructions to complete the actions listed above.

    • Enter the token and URL from Splunk into LastPass.
      1. On a new web browser window or tab, navigate to the new Admin Console at https://admin.lastpass.com.
      2. Enter your LastPass admin email address and master password, then select Log In.
      3. Select Advanced > Enterprise options > Splunk integration.
      4. Paste the HTTP Event Collector token into the "Splunk Instance Token" field.
      5. Paste the Splunk Instance URL into the "Splunk instance URL" field.
        • For Splunk Cloud environments, the URL must be in the following format and use port 443:
          https://input-prd-<my-instance>.cloud.splunk.com:443
        • For Splunk Enterprise environments, the URL must be in the following format and use port 8088:
          https://<splunk-host>.com:8088
      6. Click Update.
      7. Log out of LastPass.
      8. Log back in to LastPass using the LastPass browser extension only.
    You have finalized the integration between your LastPass account and your Splunk account, which can take up to 24 hours to complete the integration synchronization.