Splunk® App for PCI Compliance

Installation and Configuration Manual

Download manual as PDF

This documentation does not apply to the most recent version of PCI. Click here for the latest version.
Download topic as PDF

Install the app manually

You can manually install the Splunk App for PCI Compliance. To install the app using the PCI Install App, see Install the Splunk App for PCI Compliance in this manual.

Before you install the app, make sure you have satisfied the install prerequisites for both Splunk Enterprise and the Splunk App for PCI compliance.

Step 1. Download the app and unzip the files

Download the PCI Installer App (SplunkPCIComplianceSuiteInstaller.spl) from Splunkbase. You can un-archive this file to retrieve the Splunk App for PCI Compliance contents inside it.

You can un-archive the file using the Unix 'tar' command or using an archive utility that handles .tar filetypes. The spl file extracts to the PCI install App folder "SplunkPCIComplianceSuiteInstaller."

The actual PCI App contents are contained under:
SplunkPCIComplianceSuiteInstaller/default/src/splunk_app_pci-2.0.x-xxxxxx.zip

Unzip these Splunk App for PCI Compliance files into a local temporary directory (<temp-dir>).

Step 2. Install the app

If your Splunk instance is currently running, ensure that it is stopped before proceeding.

Copy files from the <temp-dir> into your $SPLUNK_HOME/ directories. In the <temp-dir>, find the following sub-directories and copy them as indicated:

  • For apps: Copy the SplunkPCIComplianceSuite, DA-PCI-*, SA-* and selected Technology Add-ons from <temp-dir>/etc/apps into $SPLUNK_HOME/etc/apps.
  • For deployment-apps: You can either copy over the entire contents of <temp-dir>/etc/deployment-apps to $SPLUNK_HOME/etc/deployment-apps, or select only the deployment apps you use in your environment.

Apps are the domain add-ons, supporting add-ons, technology add-ons, and the other parts of the Splunk App for PCI Compliance solution.

A deployment app is a set of deployment content, including configuration files, deployed as a unit to clients of a server class. A deployment app might consist of a single configuration file, or it can consist of many files.

The Splunk App for PCI Compliance requires the Sideview Utils app to function. Download this app from Splunk Apps and copy it to $SPLUNK_HOME/etc/apps to install it.

After installing, the deployment apps can be found at $SPLUNK_HOME/etc/apps/SplunkPCIComplianceInstaller/src/etc/.

For guidance on installing and configuring deployment apps, see "Using the Splunk deployment server" in this manual and "About deployment server" in Updating Splunk Enterprise Instances.

Step 3. Start Splunk Enterprise

After you copy the contents of <temp-dir>/etc/apps and <temp-dir>/etc/deployment-apps, start your configured version of Splunk Enterprise.

  $SPLUNK_HOME/bin/splunk start

Open a web browser, navigate to Splunk Web (https://localhost:8000), and log in. The first time you log in, the user name is admin and the password is changeme.

Note: The Splunk App for PCI Compliance enables SSL, so you need to change the protocol in your web browser to "HTTPS" (for example, https://localhost:8000).

Step 4. Set up the app

Click the Splunk Home tab in Splunk Web.

Click Setup next to PCI Compliance. Verify the settings on the Splunk App for PCI Compliance Setup page.

Pci-pci compliance setup page.png

Verify that Sideview Utils is enabled. See "Platform and hardware requirements" and "minimum recommended hardware requirements" in this manual for information about capacity planning.

Click Save. You must restart Splunk Enterprise for the configuration changes to be applied.

If you click PCI Compliance without clicking Setup first, the App configuration message appears.

Pci-config error msg.png

Click Continue to app setup page to go to the PCI Compliance Setup page. Verify the settings and click Save.

On the Splunk Web Home page, click PCI Compliance.

Step 5. Add data

With the Splunk App for PCI Compliance installed, review the options for how to get the data in:

  • You can use data from pre-configured technology add-ons (for example TA-bluecoat). See "Using technology add-ons" in this manual for information on using pre-configured technology add-ons supplied by Splunk software.
  • You can also create your own custom technology add-ons to capture specific data in your environment. See the Data Source Integration Manual for information on building your own Technology Add-on.

See "Data management overview" in this manual for more information.

Note: For testing, the sample PCI data generated by the SA-Eventgen add-on can be used. The SA-Eventgen can be enabled by setting disabled=0 in inputs.conf file or by going to Manager > Apps. Click Enable next to the app.

Step 6. Configure the app

To configure the app, click Configure in the menu bar from anywhere in the app.

Pci-configure.png

Click App Settings to begin configuring the app. See "Steps to configure" in this manual to begin setting up the Splunk App for PCI Compliance for your cardholder data environment.

PREVIOUS
Install the Splunk App for PCI Compliance
  NEXT
Install technology add-ons

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters