Data requirements for the Content Pack for Monitoring Phantom as a Service
The Content Pack for Monitoring Phantom as a Service requires that you install the Splunk Add-on for Unix and Linux and configure it to collect and send data to your deployment.
Step 1: Install a universal forwarder on each Phantom server
The universal forwarder collects data from a data source or another forwarder and sends it to a forwarder or a Splunk deployment. You must install a universal forwarder on each Phantom server you plan to monitor.
- Install a universal forwarder on each Phantom server you plan to monitor. For instructions, see Install the universal forwarder software.
Because each Phantom server already includes an embedded copy of Splunk Enterprise, the universal forwarder detects a port conflict during the initial startup. This can adversely affect automated installation scripts. When you install manually, you're prompted to enter an alternate port. The alternate port is stored in $SPLUNK_HOME/etc/system/local/web.conf.
Checking prerequisites...
        Checking mgmt port [8089]: not available
ERROR: mgmt port [8089] - port is already bound. Splunk needs to use this port.
Would you like to change ports? [y/n]: y
Enter a new mgmt port: 8189
Setting mgmt to port: 8189
The server's splunkd port has been changed.
        Checking mgmt port [8189]: open
- Configure forwarding on each Phantom server with outputs.conf. For more information, see Configure forwarding with outputs.conf.
See About forwarding and receiving in the Splunk Enterprise Forwarding Data manual to learn how to install and configure universal forwarders.
Step 2: Deploy Splunk Add-on for Phantom to indexing and search head tiers
Download the Splunk Add-on for Phantom version 1.0.2 from Splunkbase. The add-on contains the following configurations that you must install on the indexing tier and search head:
- Search time extractions and macros in props.conf and macros.conf
- Index time extractions and linebreaking rules in props.conf
You need to create a Splunk index for Phantom data before the universal forwarder can send data to it. On your indexer tier, create an index called phantom. For more information about creating indexes, see Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
Install the Splunk Add-on for Phantom to the following locations:
- The ITSI search head
- Indexers
- Any heavy forwarders that the Phantom server's universal forwarders might send data to
- (Optional) Universal forwarders that you installed in step 1. See the next section for instructions to configure Phantom inputs for universal forwarders.
Step 3: Configure Phantom inputs for universal forwarders
After you install the Splunk Add-on for Phantom on the universal forwarders on your Phantom instances, make the following changes to enable data collection:
- Copy the contents of the inputs.conf.template file from $SPLUNK_HOME/etc/apps/Splunk_TA_Phantom/default/ to $SPLUNK_HOME/etc/apps/Splunk_TA_Phantom/local/inputs.conf.
- Set the appropriate index if it's different from the default phantom index.
- Optionally, disable any inputs you don't want to collect.
Alternatively, if you don't want to deploy the Splunk Add-on for Phantom to your universal forwarders, you can create your own inputs.conf file from the inputs.conf.template stanzas in the add-on and place the resulting inputs.conf file in an appropriate location on your universal forwarder. See the following example file:
Sample inputs.conf
# Phantom Daemon Logs
[monitor:///var/log/phantom/clusterd.log]
index = phantom
sourcetype = phantom:daemon
disabled = false

[monitor:///var/log/phantom/actiond.log]
index = <name>
sourcetype = phantom:daemon
disabled = false

[monitor:///var/log/phantom/decided.log]
index = <name>
sourcetype = phantom:daemon
disabled = false

[monitor:///var/log/phantom/ingestd.log]
index = <name>
sourcetype = phantom:daemon:ingestd
disabled = false

[monitor:///var/log/phantom/watchdogd.log]
index = <name>
sourcetype = phantom:daemon
disabled = false

[monitor:///var/log/phantom/workflowd.log]
index = <name>
sourcetype = phantom:daemon
disabled = false

# supervisord has a different format than the other logs
[monitor:///var/log/phantom/supervisord.log]
index = <name>
sourcetype = phantom:supervisord
disabled = false

[monitor:///var/log/phantom/wsgi.log]
index = <name>
sourcetype = phantom:wsgi
disabled = false

# Other Phantom Logs
# The blacklist excludes every file that already has its own stanza above,
# so the wildcard does not pick them up a second time with the generic sourcetype.
[monitor:///var/log/phantom/*.log]
index = <name>
sourcetype = phantom:logs
blacklist = (clusterd\.log|actiond\.log|decided\.log|ingestd\.log|watchdogd\.log|workflowd\.log|supervisord\.log|wsgi\.log)
disabled = false

# nginx web server - use the nginx app on Splunkbase for parsing https://splunkbase.splunk.com/app/3258/
[monitor:///var/log/nginx/access.log]
index = <name>
sourcetype = nginx:plus:access
disabled = false

[monitor:///var/log/nginx/error.log]
index = <name>
sourcetype = nginx:plus:error
disabled = false

# Postgres
[monitor:///opt/phantom/data/db/pg_log/*]
index = <name>
sourcetype = postgres
disabled = false

# Auditd - use TA-auditd for parsing https://splunkbase.splunk.com/app/4232/
[monitor:///var/log/audit/audit.log]
index = <name>
sourcetype = linux:audit
disabled = false
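The following POSIX shell script is an added example; it is not part of this documentation or of the Splunk Add-on for Phantom. It carries out the copy described in step 3 (template to local/inputs.conf with the index substituted), then checks the rendered file for the mistakes a forwarder silently accepts (a stanza with no index or sourcetype, or a <name> placeholder left in place) and cross-checks every referenced index against an indexes.conf such as the one that defines the phantom index from step 2. The default SPLUNK_HOME of /opt/splunkforwarder, the --apply switch and the index name phantom_prod used in the comments are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation or the Splunk Add-on for
# Phantom. Renders the forwarder's inputs.conf from inputs.conf.template,
# validates it, and checks the referenced indexes against an indexes.conf.
# Assumed defaults (adjust to your deployment):
#   SPLUNK_HOME   - universal forwarder install root on the Phantom server
#   PHANTOM_INDEX - index the Phantom data should land in
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
PHANTOM_INDEX="${PHANTOM_INDEX:-phantom}"
TA_DIR="$SPLUNK_HOME/etc/apps/Splunk_TA_Phantom"

# render_inputs TEMPLATE OUTPUT INDEX
# Copies TEMPLATE to OUTPUT, replacing the <name> placeholder and any
# hard-coded "index = phantom" line with INDEX. Nothing else is changed.
render_inputs() {
    mkdir -p "$(dirname "$2")"
    sed -e "s/^index *= *<name> *$/index = $3/" \
        -e "s/^index *= *phantom *$/index = $3/" "$1" > "$2"
}

# check_inputs FILE
# Returns 0 when every [monitor://...] stanza carries an index and a
# sourcetype and no <name> placeholder is left; otherwise prints one line
# per problem and returns 1. splunkd does not fail on these mistakes, it
# just sends the events to the wrong index or with the wrong sourcetype.
check_inputs() {
    awk '
        function report() {
            if (stanza == "") return
            if (!has_index)      { printf "%s: missing index\n", stanza; bad++ }
            if (!has_sourcetype) { printf "%s: missing sourcetype\n", stanza; bad++ }
        }
        /^[[:space:]]*(#|$)/ { next }                       # comments, blank lines
        /^\[monitor:\/\// { report(); stanza = $0; has_index = has_sourcetype = 0; next }
        /^\[/ { report(); stanza = ""; next }               # non-monitor stanza
        /^index[[:space:]]*=/ {
            has_index = 1
            if ($0 ~ /<name>/) {
                printf "%s: <name> placeholder not replaced\n", (stanza == "" ? "(global)" : stanza)
                bad++
            }
            next
        }
        /^sourcetype[[:space:]]*=/ { has_sourcetype = 1; next }
        END { report(); exit (bad > 0) }
    ' "$1"
}

# missing_indexes INPUTS_CONF INDEXES_CONF
# Prints each index referenced in INPUTS_CONF that has no [stanza] in
# INDEXES_CONF, so a typo or a forgotten index is caught before data is sent.
missing_indexes() {
    awk '
        FILENAME == ARGV[1] && /^\[[^]]+\]/ {              # indexes.conf stanza
            line = $0; sub(/[[:space:]]+$/, "", line)
            defined[substr(line, 2, length(line) - 2)] = 1; next
        }
        FILENAME == ARGV[2] && /^index[[:space:]]*=/ {      # inputs.conf reference
            idx = $0
            sub(/^index[[:space:]]*=[[:space:]]*/, "", idx); sub(/[[:space:]]+$/, "", idx)
            if (!(idx in defined) && !(idx in seen)) { print idx; seen[idx] = 1 }
        }
    ' "$2" "$1"
}

# Usage on the forwarder, as the user that owns $SPLUNK_HOME:
#   sh render_inputs.sh --apply && "$SPLUNK_HOME/bin/splunk" restart
if [ "${1:-}" = "--apply" ]; then
    render_inputs "$TA_DIR/default/inputs.conf.template" "$TA_DIR/local/inputs.conf" "$PHANTOM_INDEX"
    check_inputs "$TA_DIR/local/inputs.conf"
fi
```

The render step keeps the template's stanzas byte for byte apart from the index lines, so the sourcetypes the add-on's props.conf depends on are not altered. Run missing_indexes with a copy of the indexers' indexes.conf (or the output of btool on an indexer) before the first restart, because events sent to an undefined index are dropped or land in the last-chance index rather than failing loudly.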
Step 4: Install the Phantom Remote Search add-on
The Phantom Remote Search add-on defines indexes and roles used by Phantom when Phantom is configured to use an external Splunk instance for search data. The Phantom Remote Search add-on is required in order to use the Content Pack for Monitoring Phantom as a Service.
The add-on creates various Phantom indexes using the format phantom_<name>. For example, it creates the index phantom_app_run, which ITSI KPIs use.
Install the Phantom Remote Search add-on to the following locations:
- Search heads
- Indexers
Step 5: Install and configure the Content Pack for Monitoring Unix and Linux
The monitoring approaches in this content pack rely on the Splunk Add-on for Unix and Linux running on the universal forwarder. This content pack also requires the full installation and configuration of the Content Pack for Monitoring Unix and Linux.
Before continuing to the next section, complete each of the following installation steps:
- Deploy the Splunk Add-on for Unix and Linux to indexers and your ITSI search head. For instructions, see Data requirements for the Content Pack for Monitoring Unix and Linux.
- Install and configure the Content Pack for Monitoring Unix and Linux. For instructions, see Install and configure the Content Pack for Monitoring Unix and Linux.
- Deploy the Splunk Add-on for Unix and Linux to the universal forwarder on each Phantom server. Configure an inputs.conf file with the recommended settings for the content pack. For instructions, see Data requirements for the Content Pack for Monitoring Unix and Linux.
Next steps
Now that you've completed the data collection requirements, continue to Install and configure the Content Pack for Monitoring Phantom as a Service.
This documentation applies to the following versions of Content Pack for Monitoring Phantom as a Service: 1.0.1