Using a dedicated index for PCI data
Enable and use the pci index
The Splunk App for PCI Compliance ships with a default "pci" index configuration. The index is predefined and only requires that you configure your Splunk forwarders in the CDE to send data to the pci index instead of the default or other indexes. The "pci" index is pre-enabled on the search head, but needs to be deployed for use on all indexers in a distributed deployment. This section describes how to configure the indexers and forwarders to use the "pci" index.
Using an index separate from the default to store PCI data provides the following benefits:
- Improves overall performance of the saved searches, summaries, and automated lookups by preventing non-PCI data from being analyzed unnecessarily.
- Applies role-based access controls to control who can see the PCI data and use the Splunk App for PCI Compliance.
- Allows for setting unique retention requirements for the PCI data.
- Limits the scope of the Splunk App for PCI Compliance to report and alert on only the data that is relevant to the PCI CDE.
Configure the Search Head
The search head that hosts the Splunk App for PCI Compliance is configured to reference the "pci" index for auto-population of the index name. The app ships with the necessary configuration if you use the "pci" index. The configuration is found in the /default/indexes.conf file within the SplunkPCIComplianceSuite app.
If PCI data is located in an index other than "main" or "pci", you need to add the following configuration to the /local/indexes.conf file in the SplunkPCIComplianceSuite app:
## <Other> Custom PCI Index
[custom_pci_index]
homePath = $SPLUNK_DB/custom_pci_index/db
coldPath = $SPLUNK_DB/custom_pci_index/colddb
thawedPath = $SPLUNK_DB/custom_pci_index/thaweddb
Configure the Indexers
The Splunk App for PCI Compliance includes a predefined deployment app that contains the "pci" index definition that needs to be distributed to the indexers before the index can be used to store data. The index definition is contained within the /default/indexes.conf file within the SA-ForIndexers deployment app.
To define the "pci" index on the indexer, take the SA-ForIndexers deployment app, located in the ../etc/deployment-apps directory of the distribution package, and deploy it to the indexers by using the deployment server, an alternate distribution tool, or by copying it manually.
If PCI data is located in an index other than "main" or "pci", you need to add the following configuration to the /local/indexes.conf file in the SA-ForIndexers deployment app before distributing it to the indexers:
## <Other> Custom PCI Index
[custom_pci_index]
homePath = $SPLUNK_DB/custom_pci_index/db
coldPath = $SPLUNK_DB/custom_pci_index/colddb
thawedPath = $SPLUNK_DB/custom_pci_index/thaweddb
The same index configuration information should exist in the indexes.conf file in the Splunk App for PCI Compliance.
Note: Both the "pci" index and any other index where PCI data exists should be defined with the same configuration on the search head and on the indexers.
Configure the forwarders
After the "pci" index is defined on the search head and indexers, configure your Splunk forwarders to send data from the PCI assets to the "pci" index on the indexers.
The configuration needed to tell the forwarders to send data to the "pci" index (or other index of choice) instead of the "main" index, which is the default, needs to be in the props.conf and transforms.conf files within a technology add-on on the forwarders.
Note: Use an existing technology add-on or create a new technology add-on on the deployment server and distribute the add-on to the forwarder.
Route all events from a source
To route all data from one source to the "pci" index, changes need to be made on the Splunk Enterprise node that is responsible for collecting the data. Typically, the node collecting data has a forwarder installation.
1. If the forwarder's services are running, stop them. A restart is required for changes to inputs.conf.
$SPLUNK_HOME/bin/splunk stop
2. Edit the $SPLUNK_HOME/etc/system/local/inputs.conf file.
If the local version of the file does not exist, create the $SPLUNK_HOME/etc/system/local/inputs.conf file and make the changes to the /local/ file.
Add the following stanza to $SPLUNK_HOME/etc/system/local/inputs.conf:
[monitor:///<your_datasource>]
disabled = false
index = <index_name>
For example, if your data source is nessus, the stanza would look like this:
[monitor:///nessus]
disabled = false
index = pci
3. Start the forwarder's services.
$SPLUNK_HOME/bin/splunk start
For more information about routing data to multiple indexes, see "Set up multiple indexes" in Managing indexers and clusters of indexers.
Route specific events from a source
Always set the destination index at input time, if possible, using a forwarder as discussed in the previous example. Alternatively, you can route specific events from a source into the "pci" index on the indexer after the source has been sent by a forwarder.
1. Edit the props.conf file on the indexer.
Add the following stanza to the /local/props.conf file:
[<spec>]
TRANSFORMS-<class_name> = <transforms_name>
For example, to route the cisco_ips_syslog data to the "pci" index, add:
[cisco_ips_syslog]
TRANSFORMS-cisco_ips_syslog = cisco_ips_syslogPCI
2. Edit the transforms.conf file. In transforms.conf, add this stanza:
[<transforms_name>]
REGEX = <your_custom_regex_matching_events>
DEST_KEY = _MetaData:Index
FORMAT = <index_name>
The example looks like this:
[cisco_ips_syslogPCI]
REGEX = <your_custom_regex_matching_events>
DEST_KEY = _MetaData:Index
FORMAT = pci
3. Restart the indexer's services.
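The following script is an added example, not part of the Splunk documentation or the app. It does two things the steps above call for: it checks that a custom PCI index stanza is defined identically in the search head's and an indexer's indexes.conf (the note in "Configure the Indexers"), and it mimics the transforms.conf routing just described, testing REGEX against each raw event and sending matches to the FORMAT index. The conf text, the regex (a placeholder CDE subnet) and the syslog lines are all constructed for the example.

```python
import re

# Constructed sample indexes.conf text for the search head and an indexer;
# the indexer copy deliberately omits thawedPath so the check has something to report.
SEARCH_HEAD_INDEXES_CONF = """\
## <Other> Custom PCI Index
[custom_pci_index]
homePath = $SPLUNK_DB/custom_pci_index/db
coldPath = $SPLUNK_DB/custom_pci_index/colddb
thawedPath = $SPLUNK_DB/custom_pci_index/thaweddb
"""
INDEXER_INDEXES_CONF = """\
[custom_pci_index]
homePath = $SPLUNK_DB/custom_pci_index/db
coldPath = $SPLUNK_DB/custom_pci_index/colddb
"""
# Constructed transforms.conf stanza; the regex is a placeholder CDE subnet (assumption).
TRANSFORMS_CONF = r"""
[cisco_ips_syslogPCI]
REGEX = \b10\.10\.1\.\d{1,3}\b
DEST_KEY = _MetaData:Index
FORMAT = pci
"""

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def index_mismatches(sh_text, idx_text, index_name):
    """Keys whose value differs or is missing for index_name between the two files."""
    sh = parse_conf(sh_text).get(index_name, {})
    idx = parse_conf(idx_text).get(index_name, {})
    return sorted(k for k in set(sh) | set(idx) if sh.get(k) != idx.get(k))

def route_event(transforms_text, stanza, raw_event, default_index="main"):
    """Mimic index-time routing: REGEX is tested against _raw (Splunk's default SOURCE_KEY);
    on a match the event's index becomes FORMAT, otherwise it stays in the default index."""
    t = parse_conf(transforms_text)[stanza]
    if t.get("DEST_KEY") != "_MetaData:Index":
        raise ValueError(f"{stanza} does not route by index")
    return t["FORMAT"] if re.search(t["REGEX"], raw_event) else default_index
```

Run index_mismatches against the real /local/indexes.conf files on both tiers before distributing SA-ForIndexers; a non-empty result means the index will behave differently on the search head and the indexers.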
Make the index searchable
After the Splunk App for PCI Compliance search head and indexers are configured to know about the "pci" index and the forwarders are sending data to the index, update the user roles on the search head. The "admin" user and users of the Splunk App for PCI Compliance need to include the "pci" index as a default search index.
Admin user
The admin user is responsible for running the saved searches on the PCI data that drive the Splunk App for PCI Compliance. To do this, configure the "admin" user to know that the "pci" index needs to be searched by default.
The Splunk App for PCI Compliance includes the "pci_admin" role that is preconfigured to include the "pci" index as a default search index.
1. Click on the Manager link in the upper right of the Splunk UI.
2. Click the Access Controls link under Users and Authentication.
3. Click the Users option.
4. Select the admin user from the list of the users.
5. Find the Assign to Roles section and move the pci_admin role from the Available Roles to the Selected Roles section.
6. Save the changes.
You can confirm that the "pci" index is assigned to the "pci_admin" role or add another defined index to the "pci_admin" role.
1. Click the Manager link in the upper right of the Splunk UI.
2. Click the Access Controls link under Users and Authentication.
3. Click the Roles option.
4. Select the pci_admin role from the list of roles.
5. Find the Indexes searched by default section and verify that the "pci" index is noted under the Selected Indexes section.
6. Save the changes.
If you configured the environment with a different index or many indexes where the PCI data resides, add those indexes to the "pci_admin" role setting.
If the other indexes are not added to the "pci_admin" role, the Splunk App for PCI Compliance will not know that those indexes exist and they will not work.
Limit user access to the pci index
By default, all user roles have the ability to access the pci index. If this index is to be accessible only to users in a particular role, modify the "Selected search indexes" in the Manager to specify explicit indexes. For example, if this index is to be accessible only to users in pci_* roles, modify the user role to restrict the indexes the role can access.
See "Configure user roles" in the Installation and Configuration Manual.
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1