Content Pack for SOAR System Logs

Content Pack for SOAR System Logs

The Content Pack for SOAR System Logs is a replacement for the Content Pack for Monitoring Phantom as a Service.

Satisfy requirements for configuring SOAR System Logs

Follow these step-by-step instructions to prepare your system for the SOAR system logs.

Before you begin

Configure Splunk SOAR (On-premises) with JSON log format by issuing the following command from the Splunk SOAR console:
$phenv set_preference --logging-format json

Step 1: Install a universal forwarder on each Splunk SOAR server

The universal forwarder collects data from a data source or another forwarder and sends it to a forwarder or a Splunk deployment. You must install a universal forwarder on each Splunk SOAR server you plan to monitor.

  1. Install a universal forwarder on each Splunk SOAR server you plan to monitor. For instructions, see Install the universal forwarder software.

    Because each Splunk SOAR server already includes an embedded copy of Splunk Enterprise, the universal forwarder might detect a port conflict during the initial startup. This can adversely affect automated installation scripts. When you install manually, you might be prompted to enter an alternate port. The alternate port is stored in $SPLUNK_HOME/etc/system/local/web.conf.

    Checking prerequisites...
            Checking mgmt port [8089]: not available
    ERROR: mgmt port [8089] - port is already bound.  Splunk needs to use this port.
    Would you like to change ports? [y/n]: y
    Enter a new mgmt port: 8189
    Setting mgmt to port: 8189
    The server's splunkd port has been changed.
            Checking mgmt port [8189]: open
    
  2. Configure forwarding on each Splunk SOAR server with outputs.conf. For more information, see Configure forwarders with outputs.conf.

See About forwarding and receiving in the Splunk Enterprise Forwarding Data manual to learn how to install and configure universal forwarders.

Step 2: Deploy Splunk SOAR system logs to indexing and search head tiers

Splunk SOAR contains the following configurations that you must install on the indexing tier and search head:

  • Search time extractions and macros in props.conf and macros.conf
  • Index time extractions and linebreaking rules in props.conf

Create a Splunk index for Splunk SOAR data before the universal forwarder can send data. Navigate to the Configurations tab, open the Create indexes tab, and then select the Create Indexes button.

Install the Splunk App for SOAR to the following locations:

  • Any search head
  • Indexers
  • Any heavy forwarders that the Splunk SOAR server's universal forwarders might send data to
  • Universal forwarders that you installed in step 1. See the next section for instructions to configure Splunk SOAR inputs for universal forwarders.

Step 3: Configure Splunk SOAR inputs for universal forwarders

After you install the Splunk App for SOAR on the universal forwarders on your Splunk SOAR instances, make the following changes to enable data collection:

  1. Copy the contents of the inputs.conf file from $SPLUNK_HOME/etc/apps/splunk_app_soar/default/ to $SPLUNK_HOME/etc/apps/splunk_app_soar/local/inputs.conf.
  2. Set the appropriate index if it's different than the default splunk_app_soar index
  3. Optionally, disable any inputs you don't want to collect

Alternatively, if you don't want to deploy the Splunk App for SOAR to your universal forwarders, you can create your own inputs.conf file using the inputs.conf stanzas from the SOAR system logs and placing the resulting inputs.conf file in an appropriate location on your universal forwarder. See the following example file:

Sample inputs.conf

# Phantom Daemon Logs
[monitor:///opt/phantom/var/log/phantom/ingestd.log]
index = splunk_app_soar
sourcetype = splunk_app_soar:daemon
disabled = false

[monitor:///opt/phantom/var/log/phantom/decided.log]
index = splunk_app_soar
sourcetype = splunk_app_soar:daemon
disabled = false

[monitor:///opt/phantom/var/log/phantom/workflowd.log]
index = splunk_app_soar
sourcetype = splunk_app_soar:daemon
disabled = false

[monitor:///opt/phantom/var/log/phantom/actiond.log]
index = splunk_app_soar
sourcetype = splunk_app_soar:daemon
disabled = false

[monitor:///opt/phantom/var/log/phantom/wsgi.log]
index = splunk_app_soar
sourcetype = splunk_app_soar:daemon
#sourcetype = splunk_app_soar:wsgi
disabled = false

[monitor:///opt/phantom/var/log/phantom/watchdogd.log]
index = splunk_app_soar
sourcetype = splunk_app_soar:daemon
disabled = false

[monitor:///opt/phantom/var/log/phantom/proxyd.log]
index = splunk_app_soar
sourcetype = splunk_app_soar:daemon
disabled = false

[monitor:///opt/phantom/var/log/phantom/spawn.log]
index = splunk_app_soar
sourcetype = splunk_app_soar:daemon
disabled = false

############################################################################
# Postgres - log location is the same regardless of Splunk-SOAR type
[monitor:///opt/phantom/data/db/pg_log/*]
index = splunk_app_soar
sourcetype = splunk_app_soar:postgres
disabled = false

############################################################################
# nginx web server - use nginx app on splunkbase for parsing https://splunkbase.splunk.com/app/3258/
[monitor:///opt/phantom/var/log/nginx/access.log]
index = splunk_app_soar
sourcetype = nginx:plus:access
disabled = false

[monitor:///opt/phantom/var/log/nginx/error.log]
index = splunk_app_soar
sourcetype = nginx:plus:error
disabled = false

############################################################################
# Auditd - use TA-auditd for parsing https://splunkbase.splunk.com/app/4232/
[monitor:///var/log/audit/audit.log]
index = splunk_app_soar
sourcetype = linux:audit
disabled = false

############################################################################
#Log files other than Daemon

[monitor:///opt/phantom/var/log/phantom/*log] #some files have no file types defined
index = splunk_app_soar
sourcetype = splunk_app_soar:misc-logs
blacklist = (spawnd\.log|actiond\.log|decided\.log|ingestd\.log|watchdogd\.log|workflowd\.log|wsgi\.log|proxyd\.log|clusterd\.log)
disabled = false

############################################################################
# Cluster only
[monitor:///opt/phantom/var/log/phantom/clusterd.log]
index = splunk_app_soar
sourcetype = splunk_app_soar:cluster
disabled = false

[monitor:///opt/phantom/var/log/phantom/consul-stderr.log]
index = splunk_app_soar
sourcetype = splunk_app_soar:cluster
disabled = false

[monitor:///opt/phantom/var/log/phantom/consul-stdout.log]
index = splunk_app_soar
sourcetype = splunk_app_soar:cluster
disabled = false


#### SOAR Audit ####

[audit]
start_by_shell = false
python.version = python3
sourcetype = soar
interval = 30
start =
disabled = 0

Step 4: Configure the remote search service

The remote search service defines indexes and roles used by Splunk SOAR when it is configured to use an external Splunk Cloud Platform or Enterprise instance for search data. The remote search service is required in order to use the ITSI service.

The remote search creates various Splunk SOAR indexes using the format phantom_<name>. For example, it creates the index phantom_app_run which ITSI KPIs use.

Follow the instructions to Configure remote search at these locations:

  • Search heads
  • Indexers

Step 5: Install and configure the Content Pack for Monitoring Unix and Linux

The monitoring approaches in this content pack leverage the Splunk Add-on for Unix and Linux on the universal forwarder. This content pack also requires the full installation and configuration of the Content Pack for Monitoring Unix and Linux.

Before continuing to the next section, complete each of the following installation steps:

  1. Deploy the Splunk Add-on for Unix and Linux to indexers and your ITSI search head. For instructions, see Data requirements for the Content Pack for Monitoring Unix and Linux.
  2. Install and configure the Content Pack for Monitoring Unix and Linux. For instructions, see Install and configure the Content Pack for Monitoring Unix and Linux.
  3. Deploy the Splunk Add-on for Unix and Linux to the universal forwarder on each Splunk SOAR server. Configure an inputs.conf file with the recommended settings for the content pack. For instructions, see Data requirements for the Content Pack for Monitoring Unix and Linux.

Next steps

Now that you've completed the data collection requirements, continue to Install and configure the Content Pack for SOAR System Logs

Last modified on 21 November, 2022
Release notes for the Content Pack for SOAR System Logs   Install and configure the Content Pack for SOAR System Logs

This documentation applies to the following versions of Content Pack for SOAR System Logs: 1.0.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters