Splunk® Enterprise Security

Installation and Upgrade Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Acrobat logo Download topic as PDF

Plan your data inputs

Splunk Enterprise provides tools to ingest a variety of data inputs, including many that are specific to a particular application or technology's needs. The Splunk App for Enterprise Security requires that any data sources comply with the Splunk Common Information Model (CIM), as the dashboards and views are designed to leverage the CIM standardized data model.

Source planning

Source planning is an important consideration when implementing the Splunk App for Enterprise Security. It influences the overall Splunk Enterprise architecture, the number and placement of Splunk Forwarders, estimated load, and impact on network resources.

Map add-ons to data sources

The Enterprise Security App provides add-ons that are designed to parse and categorize known data sources and other technologies for CIM compliance.

For each data source:

  • Identify the add-on: Identify the technology and determine the corresponding add-on. The primary sources for add-ons are the Splunk Apps site and the add-ons included with the Splunk App for Enterprise Security. An add-on does not have to be Splunk Supported to work with the Enterprise Security app, but it must be CIM compliant or be modified to support CIM models. You can also create your own add-ons; see the Data Source Integration Manual for more information.
  • Install the add-on: The add-on must be installed on the Splunk App for Enterprise Security search head that will display the data. Add-ons that perform index-time processing must also be installed on each indexer, and possibly on the forwarder. Each add-on provided with the Splunk App for Enterprise Security comes with a README file, located in the root of the add-on folder in $SPLUNK_HOME/etc/apps. The README describes changes needed to configure the add-on for your environment.
  • Configure the server, device, or technology where necessary: In some cases, you may need to enable logging or data collection for the device or application and/or configure the output for collection by a Splunk instance. Consult the vendor documentation for implementation details.
  • Customize the add-on where necessary: An add-on may require customization, such as setting the location or source of the data, choosing whether the data is located in a file or in a database, or other unique settings. Each add-on provided with the Splunk App for Enterprise Security comes with a README file, located in the root of the add-on folder in $SPLUNK_HOME/etc/apps. The README describes changes needed to configure the add-on for your environment.
  • Set up a Splunk data input and confirm the source type settings: Each add-on provided with the Splunk App for Enterprise Security comes with a README file, located in the root of the add-on folder in $SPLUNK_HOME/etc/apps. The README file also includes information about the source type setting associated with the data, and may include customization notes about configuring the input.

Considerations for data inputs

Splunk recommends the use of Forwarders for data collection. Depending upon the technology or source being collected, choose the best input method based on performance, performance impact, ease of access, stability, and maintainability. A Splunk Forwarder can be configured to accept data by - monitoring files, monitoring network ports, monitoring Windows data, and by running scripted inputs.

  • Monitoring files: The best way to implement file monitoring is to deploy a Splunk forwarder on each system hosting the files, and set the source type on the forwarder using an input configuration. If you have a large number of systems with identical files, you can use the Splunk Enterprise deployment server to set up standardized file inputs across large groups of forwarders.
  • Monitoring network ports: Monitoring network ports can be done using standard tools such as a syslog server, or can be done by creating listener ports on a Splunk Forwarder. Always be aware of the source typing requirements before sending multiple network sources to the same port or file. See "Getting data from TCP and UDP ports" in the Getting Data In Manual for more information.
  • Scripted inputs: Use scripted inputs to get data from an application program interfaces (API) or other remote data interfaces and message queues. A Splunk Forwarder can be configured to use shell scripts, python scripts, Windows batch files, PowerShell, or any other utility that can format and stream the data that you want to index. You can also write the data polled by any script to a file for direct monitoring by a Splunk Forwarder.

Collect asset and identity information

The Splunk App for Enterprise Security uses an asset and identity correlation system. The Enterprise Security app compares asset and identity information with source events to provide data enrichment and context for analysis.

Identify assets and identities

An asset represents any devices and systems in the environment that generate data. An identity can represent a user, credential, or a role used to grant access to a device or system. It is important to determine the repositories that will provide asset and identity data for integration with the Enterprise Security app, and how that data will be accessed. In a highly regulated network environment there may be one database or repository that is the only source of information for both assets and identities. However, it is more common to find them spread among many unique repositories, hosted on different technologies, and maintained by many departments. And as asset information changes and identities are added and removed, updates should be integrated into the Enterprise Security app as a regular, recurring task.

Asset lists

Each asset list is a comma-separated value (CSV) lookup table of fields. There can be more than one asset list defined in the Enterprise Security app, and all asset lists will be merged and correlated to provide as much information about a specific asset as possible. The asset and identities lists are configured and managed using the Enterprise Security app's Identity Manger. An asset list does not have to have all fields defined. See the "Asset fields" topic in this manual for a complete list of fields.

Identities lists

Each identities list is a comma-separated value (CSV) lookup table of fields. There can be more than one identities list defined in the Enterprise Security app, and all identities lists will be merged and correlated to provide as much information about a specific identity as possible. The asset and identities lists are configured and managed using the Enterprise Security app's Identity Manger. An identities list does not have to have all fields defined. See the "Identities fields" topic in this manual for a complete list of fields.

Collection methods for assets and identities

  • The preferred collection method would utilize a Splunk app to connect, collect, and return asset or identities information back to the Enterprise Security app. Splunk Enterprise has a number of add-ons that can be used to automate connections to external systems for data collection.
  • You can create additional lists by automating capture from other asset or identities repositories through the use of a custom script or modular input.
  • Additional lists can be created through data that has been indexed in Splunk Enterprise by using the search language to return the fields from a source and exporting the results.
  • Use a manually populated lookup file for asset information collected from static lists, such as data sources that are not directly accessible through the other methods mentioned.

Some examples of asset and identities lists are provided below with recommended collection methods:

Technology Assets or Identities Collection methods
Active Directory Both SA-ldapsearch
LDAP Both SA-ldapsearch
CMDB Assets DB Connect or custom script
ServiceNow Both ServiceNow App or custom script
Asset Discovery Assets Asset Discovery App
Peoplesoft Identities Custom script
Last modified on 05 May, 2014
PREVIOUS
Hardware requirements
  NEXT
Add-ons

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters