The most surprising thing about streaming Aqua Security events to Splunk is how often the initial setup appears to work, only for data to mysteriously stop flowing without any obvious error messages.

Let’s see it in action. Imagine an Aqua Security policy violation:

{
  "timestamp": "2023-10-27T10:30:00Z",
  "eventType": "POLICY_VIOLATION",
  "resourceType": "CONTAINER_IMAGE",
  "resourceName": "my-vulnerable-image:latest",
  "violationDetails": {
    "policyId": "aqui-vuln-scan-critical",
    "violationType": "VULNERABILITY",
    "severity": "CRITICAL",
    "vulnerabilityId": "CVE-2023-12345",
    "description": "Critical vulnerability found in package xyz."
  },
  "hostName": "k8s-node-1",
  "clusterName": "production-cluster",
  "namespace": "default",
  "accountId": "aqua-prod-123"
}

This event, when successfully streamed, would appear in Splunk as a new log entry, searchable by fields like eventType, resourceName, severity, and accountId.

The Aqua-Splunk Integration Pipeline

Aqua Security’s event streaming mechanism is designed to push security findings and operational events to external systems like SIEMs. The core components involved are:

  1. Aqua Security’s Event Emitter: This is the internal Aqua component responsible for detecting and generating events. When a policy is violated, a vulnerability is found, or an image is scanned, an event object is created.
  2. The Event Streaming Configuration: Within Aqua, you define "integrations" that specify where these events should be sent. This involves selecting a destination type (e.g., Splunk HTTP Event Collector), providing credentials, and mapping Aqua event fields to the destination’s format.
  3. The Destination (Splunk HTTP Event Collector): Splunk’s HTTP Event Collector (HEC) is an HTTP-based endpoint that allows external applications to send event data directly into Splunk. It requires a token for authentication and is configured with the index and sourcetype the data should land in.
  4. Network Connectivity: Crucially, there must be a network path from the Aqua Security environment (whether on-premises or cloud-hosted) to the Splunk HEC endpoint.

The problem this solves is centralizing security telemetry. Instead of logging into Aqua Security for every alert, security teams can consolidate all their security data, including Aqua’s findings, within their primary SIEM for correlation, alerting, and long-term storage.

How It Works Internally

When an event occurs in Aqua, the event emitter generates a structured JSON payload. This payload is then handed off to the configured event streaming integration. If the integration is set up for Splunk HEC, Aqua constructs an HTTP POST request containing the event data. This request is sent to the specified Splunk HEC URL, including the HEC token in the Authorization header. Splunk receives this request, parses the data, and indexes it according to the HEC configuration.

The exact levers you control are primarily within the Aqua Security UI under Settings -> Integrations. Here, you’ll:

  • Add a New Integration: Choose "Splunk" as the type.
  • Configure the Splunk HEC:
    • URL: The full URL to your Splunk HEC endpoint, typically https://<your-splunk-host>:8088/services/collector.
    • Token: The HEC token generated in Splunk.
    • SSL Verification: Whether to verify the SSL certificate of the Splunk HEC endpoint.
    • Default Index: The Splunk index where events will be sent if not specified otherwise.
    • Default Source Type: The Splunk sourcetype for incoming events.
  • Event Filtering: You can choose which event types (e.g., POLICY_VIOLATION, VULNERABILITY_FOUND, IMAGE_SCAN_COMPLETED) you want to stream.
  • Field Mapping (Optional but Recommended): While Aqua sends structured data, you might want to map specific Aqua fields to Splunk fields for easier searching. For example, mapping Aqua’s severity to a Splunk field named aqua_severity.

The One Thing Most People Don’t Know

The Splunk HEC endpoint has a default payload size limit, and Aqua Security events, especially those with extensive vulnerability details or image scan reports, can sometimes exceed it. If the payload is too large, the HEC rejects the request with an HTTP 413 Payload Too Large error, but this might not be immediately obvious in Aqua’s integration logs if they only report successful sends or generic connection errors. You need to check Splunk’s internal logs (the _internal index) for HEC-related errors to spot this.
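To make the POST described under "How It Works Internally" and the 413 failure mode concrete, here is an added example (not Aqua's or Splunk's own code) that wraps a constructed Aqua event in the HEC envelope, sets the Authorization header, pre-checks the payload size, and maps the HEC reply to a specific outcome instead of a generic send failure. The host, token and the 1 MB local ceiling are placeholders; the real server-side limit is Splunk's max_content_length setting.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Constructed sample Aqua policy-violation event (same shape as the one shown above).
AQUA_EVENT = {
    "timestamp": "2023-10-27T10:30:00Z",
    "eventType": "POLICY_VIOLATION",
    "resourceName": "my-vulnerable-image:latest",
    "violationDetails": {"severity": "CRITICAL", "vulnerabilityId": "CVE-2023-12345"},
    "accountId": "aqua-prod-123",
}
HEC_URL = "https://splunk.example.invalid:8088/services/collector"  # placeholder host
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"                  # placeholder token
MAX_BYTES = 1_000_000  # assumed local ceiling; Splunk enforces max_content_length server-side


def to_hec_envelope(event, index="aqua", sourcetype="aqua:event"):
    """Wrap an Aqua event in the HEC JSON envelope, carrying the event's own timestamp."""
    ts = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
    return {"time": int(ts.astimezone(timezone.utc).timestamp()),
            "index": index, "sourcetype": sourcetype, "event": event}


def build_hec_request(event, url=HEC_URL, token=HEC_TOKEN):
    """Serialize the envelope and build the POST an integration would send to HEC."""
    body = json.dumps(to_hec_envelope(event)).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", f"Splunk {token}")  # HEC token scheme
    req.add_header("Content-Type", "application/json")
    return req


def payload_fits(req, limit=MAX_BYTES):
    """Pre-flight size check so oversized events are caught before HEC returns 413."""
    return len(req.data) <= limit


def classify_hec_response(status, body):
    """Turn an HEC reply into an actionable outcome rather than 'send failed'."""
    try:
        text = json.loads(body).get("text", "")
    except (ValueError, TypeError, AttributeError):
        text = body if isinstance(body, str) else ""
    if status == 200:
        return "ok"
    if status == 413:
        return "payload_too_large: raise max_content_length or trim the event"
    if status in (401, 403):
        return f"auth_error: {text or 'check the HEC token'}"
    return f"hec_error_{status}: {text or 'see the Splunk _internal index'}"
```

Pass the status and body from the HEC response to classify_hec_response, and the 413 case will be logged as such rather than hidden behind a generic connection error.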

When you’re done, you’ll likely want to explore how to enrich these events with data from other sources within Splunk using lookups.
