Plan your data inputs
Planning for the data sources influences the overall Splunk Enterprise architecture, the number and placement of Splunk Forwarders, estimated load, and impact on network resources.
The Splunk App for Enterprise Security requires that any data sources comply with the Splunk Common Information Model. The Enterprise Security app is designed to leverage the CIM standardized data models when searching data to populate dashboards and views.
Map add-ons to data sources
The Enterprise Security App provides add-ons that are designed to parse and categorize known data sources and other technologies for CIM compliance.
Note: An add-on provided with the Splunk App for Enterprise Security comes with a README file, located in the root of the add-on folder in
$SPLUNK_HOME/etc/apps/TA-*. The README describes changes needed to configure the add-on for your environment.
For each data source:
- Identify the add-on: Identify the technology and determine the corresponding add-on. The primary sources for add-ons are the "Add-ons provided with Enterprise Security" and the content available on Splunkbase. An add-on must be CIM compliant or be modified to support CIM data schemas. You can also create your own add-ons. See the Data Source Integration Manual for information.
- Install the add-on: Install the add-on on the Splunk App for Enterprise Security search head. Install add-ons that perform index-time processing must also be installed on each indexer, and possibly on the forwarder.
- Configure the server, device, or technology where necessary: You might need to enable logging or data collection for the device or application and/or configure the output for collection by a Splunk instance. Consult the vendor documentation for implementation.
- Customize the add-on where necessary: An add-on might require customization, such as setting the location or source of the data, choosing whether the data is located in a file or in a database, or other unique settings.
- Set up a Splunk data input and confirm the source type settings: The README file includes information about the source type setting associated with the data, and might include customization notes about configuring the input.
Considerations for data inputs
Splunk Enterprise provides tools to ingest data inputs, including many that are specific to a particular application or technology's needs. Depending upon the technology or source being collected, choose the input method based on performance impact, ease of data access, stability, minimizing source latency, and maintainability. You can configure a forwarder to accept data by monitoring files, network ports, Windows data, network wire data, and by running scripted inputs.
- Monitoring files: Deploy a Splunk forwarder on each system hosting the files, and set the source type on the forwarder using an input configuration. If you have a large number of systems with identical files, use the Splunk Enterprise deployment server to set up standardized file inputs across large groups of forwarders.
- Monitoring network ports: Use standard tools such as a syslog server, or create listener ports on a forwarder. Sending multiple network sources to the same port or file complicates source typing. For more information, see "Get data from TCP and UDP ports" in the Getting Data In Manual.
- Monitoring Windows data: A forwarder can obtain information from Windows hosts using a variety of configuration options. See "How to get Windows data into Splunk Enterprise" in the Getting Data In Manual.
- Monitoring network wire data: Splunk Stream supports the capture of real-time wire data. See "About Splunk Stream" in the 'Splunk Stream Installation and Configuration Manual.
- Scripted inputs: Use scripted inputs to get data from an API or other remote data interfaces and message queues. Configure the forwarder to call shell scripts, python scripts, Windows batch files, PowerShell, or any other utility that can format and stream the data that you want to index. You can also write the data polled by any script to a file for direct monitoring by a forwarder. See "Get data from APIs and other remote data interfaces through scripted inputs" in the Getting Data In Manual.
Collect asset and identity information
The Splunk App for Enterprise Security uses an asset and identity correlation system. The Enterprise Security app compares asset and identity information with source events to provide additional data enrichment and context for analysis.
Identify assets and identities
An asset represents any devices and systems in the environment that generate data. An identity can represent a user, credential, or a role used to grant access to a device or system. Determine the repositories that will provide asset and identity data for integration with the Enterprise Security app, and how that data will be accessed.
In a highly regulated network environment, one database or repository might be the only source of information for both assets and identities. However, it is more common to find them spread among many unique repositories, hosted on different technologies, and maintained by many departments. As asset information changes and identities are added and removed, updates should be integrated into the Enterprise Security app as a regular task.
An asset list is a comma-separated value (CSV) lookup table of fields. You can define more than one asset list in the Enterprise Security app, and all asset lists will be merged and correlated to provide information about a specific asset. The asset and identities lists are configured and managed using the Enterprise Security app's "Identity Manager". An asset list does not have to have all fields defined. For a complete list of fields, see "Asset fields" in this manual.
An identities list is a comma-separated value (CSV) lookup table of fields. You can define more than one identities list in the Enterprise Security app, and all identities lists will be merged and correlated to provide information about a specific identity. The asset and identities lists are configured and managed using the Enterprise Security app's "Identity Manager". An identities list does not have to have all fields defined. For a complete list of fields, see "Identities fields" in this manual.
Collection methods for assets and identities
The preferred collection method to provide asset or identities information is through a Splunk app. Splunk Enterprise has a number of add-ons that can be used to automate connections to external systems for data collection. Use an add-on to connect, collect, and return data to the ES app.
You can create additional lists by automating capture from other asset or identity repositories through the use of a custom script or modular input.
Data that has been indexed in Splunk Enterprise is another source of data for asset and identity information. Use the Splunk search language to collect the information, sort and table the fields, and export the results.
Use a manually populated lookup file for asset information collected from static lists, such as data sources that are not directly accessible through the other methods mentioned.
Some examples of asset and identities lists are provided in the table with collection methods.
|Technology||Assets or Identities||Collection methods|
|CMDB||Assets||DB Connect or custom script|
|ServiceNow||Both||ServiceNow App or custom script|
|Asset Discovery||Assets||Asset Discovery App|
Splunk Enterprise deployment planning
This documentation applies to the following versions of Splunk® Enterprise Security: 3.2, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3