
Splunk



Purpose

This document provides setup information for the Splunk integration.

Introduction

Splunk is software for searching, monitoring, and analyzing machine-generated big data. Splunk captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations.

A trial version of Splunk can be downloaded from the official Splunk website. The integration is implemented in both OUTSCAN and HIAB and is used mainly by the Event Notification system and the Audit Log.

Splunk is integrated with both HIAB and OUTSCAN. This guide describes the integration from a HIAB, but the procedure is the same for OUTSCAN.

There are two ways of integrating with Splunk:

  • Create a user with a role, for TCP mode.
  • Create an HTTP Event Collector (HEC) token, for HTTP Event Collector mode, which lets the HIAB send data and application events to Splunk over HTTP and secure HTTP (HTTPS).

Prerequisites

  • Setting up the HIAB/OUTSCAN-Splunk integration in TCP mode requires that an index, a role, and a user already exist in Splunk.

    Tip

    It is recommended to create a new user with limited access rights and a separate Splunk index for the data sent from the HIAB to Splunk.
  • The index must exist before the role for HIAB access is defined. Otherwise, restricted access to that specific index cannot be set up. If an index has already been set up, skip to the section Create a Role.
  • The HTTP Event Collector does not require users and roles to be set up in Splunk, since it authenticates with an access token. However, an index is still required for the HTTP Event Collector. If an index has already been set up, skip to the section Create an HTTP Event Collector.

A Splunk index is a repository for data in Splunk; it resides in flat files on the Splunk instance.

Splunk Integration - TCP


Because syslog limits the number of characters that can be transferred to Splunk, the Gathered Information field of findings is excluded in TCP mode; its content exceeds what can be sent via syslog.


Create Index

  1. Log in with an existing Splunk account.

    [Screenshot: Splunk Sign In]


  2. Go to Settings on the top left menu and then click on Indexes in the DATA group.




  3. Click on the New Index button in the upper right corner.



  4. Complete the index details. In the steps below, HIAB is used as the example index name.



  5. Click Save.

  6. The new index now appears in the list.

    [Screenshot: Splunk Indexes]

Create Roles

  1. Go to Settings on the top left menu and then click on Roles in the USERS AND AUTHENTICATION group.



  2. Click the New Role button in the upper right corner.



  3. Create a role in Splunk according to the HIAB integration mode you want to use.
    1. For a TCP integration, create a role in Splunk with the following parameters. See the Mode option in the HIAB Integrations Settings table.

      Parameter      Value
      Name           hiab-tcp-indexer
      Capabilities   edit_tcp
      Indexes        hiab

      The role is only granted access to the indexes defined here.

  4. Click Create.


Create Users

In this section we add a new user (account) for the HIAB. This user is given the role created in the previous step, which effectively limits the account to pushing data to the specified index.

  1. Go to Settings on the top left menu and then click on Users in the USERS AND AUTHENTICATION group.
  2. Click the New User button in the upper right corner.



  3. Click Add new on the user row:
    • Name: HIAB
    • Assign roles: hiab-indexer

  4. Click Save.



Procedure in HIAB/OUTSCAN

  1. In the HIAB, click Main Menu > Settings > Integration.
  2. Select the Splunk tab in the Integrations Settings window.

    [Screenshot: Integrations Settings, Splunk tab]


  3. Fill in the Integration settings as shown in the HIAB Integrations Settings table.
  4. Click the Save button.
  5. Click the Status button in the lower right corner to test the setup to Splunk.

    [Screenshot: Integrations Settings, Network Status]


The HIAB should now report Pass, indicating that the HIAB integration with Splunk was set up successfully.

Splunk Integration - HTTP Event Collector

Create an HTTP Event Collector

  1. Go to Settings on the top left menu.
  2. Click on Data Inputs in the DATA group.



  3. Click HTTP Event Collector in the Type row of the table.

    [Screenshot: Splunk HTTP Event Collector]


  4. Click the Global Settings button on the top right of the menu.

    [Screenshot: Splunk Global Settings]


    [Screenshot: Splunk Edit Global Settings]


  5. Click the Enabled button.
  6. Select the Enable SSL checkbox.
  7. Enter the HTTP port number.
  8. Click the Save button.
  9. Click the New Token button on the top right to create the token.

    [Screenshot: Splunk New Token]


  10. Select the HIAB index that was created in the Create Index section at the beginning of the configuration.

    [Screenshot: Splunk Create Index]


  11. Click the Review button to review the configuration.

    [Screenshot: Splunk Add Data]


  12. Click the Submit button.
  13. Make a note of the Token Value shown after submitting the configuration; it is needed in the HIAB/OUTSCAN settings.


Procedure in HIAB/OUTSCAN

  1. In the HIAB or OUTSCAN click the Main Menu > Settings > Integration.
  2. Select the Splunk tab in the Integrations Settings window.

    [Screenshot: Integrations Settings]


  3. Fill in the Integration settings as shown in the Integrations Settings table.

    Integrations Settings

    Option          Value
    Enabled         Click this field to enable the Splunk feature.
    Mode            HTTP Event Collector - when selected, the username and password fields are not available.
                    TCP - when selected, the username and password fields are enabled.
    Host            Provide your Splunk server name.
    Port            Provide the management port that Splunk uses to communicate.
                    Default: 8088 and 8089. Port 443 is also available.
    Username        Provide the username used to authenticate against the Splunk server.
    Password        Provide the password used to authenticate against the Splunk server.
    Token           HTTP Event Collector (HEC) token. HEC tokens are sent in the headers of the data packets to authenticate them with Splunk.
    Index           If the user enters an index that does not exist, a new one is created. All events are prefixed with the index name.
    Send audit log  Check this box to send audit log entries to Splunk.
    (HIAB only)
  4. Click the Save button.
  5. Click the Status button in the lower right corner to test the setup to Splunk.

The HIAB should now report Pass, indicating that the HIAB integration with Splunk was set up successfully.

[Screenshot: Integrations Settings, Network Status]


The newly created account only has access through the API and can only interact with its assigned index, which restricts its access.
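As an added example (not part of the Outpost24 documentation or of the HIAB/OUTSCAN code), the following Python script builds the two kinds of request that the Mode option distinguishes: an HEC request carrying the token in the Authorization header, and a TCP-mode request authenticated with the dedicated Splunk user's credentials. It assumes the default ports from the table. The receivers/simple endpoint used for TCP mode is this example's assumption about which Splunk REST endpoint the edit_tcp capability guards, since the page does not name the endpoint the product uses. The host, token, index, CA path and sample finding are constructed placeholders. It is useful for confirming from the Splunk side that the token, the index and the certificate chain are accepted before relying on the Status button.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Default ports from the Integrations Settings table on this page
HEC_PORT = 8088   # HTTP Event Collector
MGMT_PORT = 8089  # Splunk management (REST API) port

SOURCETYPE = "outpost24:finding"  # constructed name; use whatever your index scheme expects


def build_hec_request(host, token, index, event, port=HEC_PORT):
    """Return (url, headers, body) for one event sent to Splunk HEC.

    The HEC token travels in the Authorization header, as the settings
    table describes; the target index is named inside the JSON envelope.
    """
    url = f"https://{host}:{port}/services/collector/event"
    headers = {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }
    envelope = {"index": index, "sourcetype": SOURCETYPE, "event": event}
    return url, headers, json.dumps(envelope).encode("utf-8")


def build_tcp_mode_request(host, username, password, index, text, port=MGMT_PORT):
    """Return (url, headers, body) for TCP-mode delivery with the dedicated user.

    Assumption (the page does not name the endpoint HIAB uses): this targets
    Splunk's receivers/simple REST endpoint, whose use requires the edit_tcp
    capability granted to the hiab-tcp-indexer role, with HTTP Basic auth.
    """
    query = urlencode({"index": index, "sourcetype": SOURCETYPE})
    url = f"https://{host}:{port}/services/receivers/simple?{query}"
    cred = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    headers = {"Authorization": f"Basic {cred}"}
    return url, headers, text.encode("utf-8")


def parse_hec_response(status, body):
    """Classify an HEC reply; Splunk answers JSON such as {"text":"Success","code":0}."""
    try:
        data = json.loads(body)
    except ValueError:
        return False, f"HTTP {status}: non-JSON reply"
    ok = status == 200 and data.get("code") == 0
    return ok, f"HTTP {status}: {data.get('text', '?')} (code {data.get('code')})"


def post(url, headers, body, cafile=None, timeout=10):
    """Send the prepared request over TLS and return (status, body_text).

    Pass the CA file that signed the Splunk certificate (Enable SSL was
    ticked in the HEC global settings). HTTP error replies are returned
    rather than raised so that parse_hec_response can explain them.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed values: replace with your Splunk host, HEC token, index and CA file.
    url, headers, body = build_hec_request(
        "splunk.example.internal", "HEC-TOKEN-PLACEHOLDER", "hiab",
        {"signature": "Constructed test finding", "dest_ip": "192.0.2.10"})
    status, reply = post(url, headers, body, cafile="/path/to/splunk-ca.pem")
    print(parse_hec_response(status, reply))
```

If the reply is HTTP 403 with code 4 (Invalid token), the token was mistyped or disabled; HTTP 400 with an index-related message usually means the token was created without access to the index you named, which is exactly what step 10 of Create an HTTP Event Collector sets.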

Event Notifications for Splunk

Common Information Model

The Splunk CIM is a shared semantic model that focuses on extracting value from data. The CIM is an add-on that contains a collection of data models, documentation, and tools that support the consistent, normalized treatment of data for maximum efficiency at search time.

Tip

You can now choose to send notifications related to Findings only in CIM format.

Outpost24 name      Splunk CIM
Script Name         signature
Script ID           signature_id
Target              dest_ip
Hostname            dest_name
Bugtraq             bugtraq
Risk Level          risk
CVSS                cvss
CVE                 cve
Family              category
Solution Patches    MSKB
Product             vendor_product
Severity            severity

For settings, see Event Notification Module.
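Added example (not from this page or from Outpost24's code): a small Python normaliser that renames finding fields to the CIM names in the table above, drops the Gathered Information field in TCP mode as the note in the TCP section describes, and flags events that lack the fields a CIM search would need. The required-field list, the sample findings and the batch function are constructed for this example; tighten the required list to whatever your Splunk dashboards actually query.

```python
# Outpost24 -> Splunk CIM field names, as in the mapping table on this page
OUTPOST24_TO_CIM = {
    "Script Name": "signature",
    "Script ID": "signature_id",
    "Target": "dest_ip",
    "Hostname": "dest_name",
    "Bugtraq": "bugtraq",
    "Risk Level": "risk",
    "CVSS": "cvss",
    "CVE": "cve",
    "Family": "category",
    "Solution Patches": "MSKB",
    "Product": "vendor_product",
    "Severity": "severity",
}

# Fields a SOC search on the vulnerabilities data would at least expect.
# Assumption for this example only; adjust to what your dashboards use.
REQUIRED_CIM_FIELDS = ("signature", "signature_id", "dest_ip", "severity")

# Excluded in TCP mode because of the syslog size limit noted on this page.
SYSLOG_EXCLUDED = ("Gathered Information",)

# Constructed sample findings (not real scan output)
SAMPLE_FINDINGS = [
    {"Script Name": "Outdated SSH server", "Script ID": 10001, "Target": "192.0.2.10",
     "Hostname": "web01", "Risk Level": "High", "CVSS": 7.5, "Severity": "High",
     "Family": "Remote access", "Gathered Information": "banner " * 2000},
    {"Script Name": "Self-signed certificate", "Script ID": 10002, "Target": "192.0.2.11",
     "Hostname": "mail01", "Severity": ""},
]


def to_cim(finding, mode="hec"):
    """Rename Outpost24 finding fields to their CIM names.

    Unmapped fields keep their original name so nothing is silently lost.
    In TCP mode the oversized Gathered Information field is dropped,
    mirroring what the integration itself does for syslog delivery.
    """
    event = {}
    for name, value in finding.items():
        if mode == "tcp" and name in SYSLOG_EXCLUDED:
            continue
        event[OUTPOST24_TO_CIM.get(name, name)] = value
    return event


def cim_gaps(event, required=REQUIRED_CIM_FIELDS):
    """Return the required CIM fields that are missing or empty, in order."""
    return tuple(f for f in required if event.get(f) in (None, ""))


def normalise_batch(findings, mode="hec"):
    """Convert a batch of findings.

    Returns (events, rejected): events are CIM-named dicts ready to send,
    rejected pairs each unusable finding with the fields it lacks, so the
    gap is visible instead of producing events a CIM search cannot match.
    """
    events, rejected = [], []
    for finding in findings:
        event = to_cim(finding, mode)
        gaps = cim_gaps(event)
        if gaps:
            rejected.append((finding, gaps))
        else:
            events.append(event)
    return events, rejected


if __name__ == "__main__":
    ok, bad = normalise_batch(SAMPLE_FINDINGS, mode="tcp")
    print(f"{len(ok)} event(s) ready, {len(bad)} rejected")
    for finding, gaps in bad:
        print("rejected", finding["Script Name"], "missing", gaps)
```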

References

Splunk Documentation





Copyright

© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.

