Splunk® App for PCI Compliance

Release Notes

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Special Notes

This topic contains additional information for using the Splunk App for PCI Compliance.

Memory Usage

Some real-time searches have been found to consume large amounts of memory on Splunk versions 4.2.5 and 4.3. Splunk version 4.3.2 or higher is recommended.

CSV file format issues with Microsoft Excel on OS X

If you use Mac Excel to create and save a CSV file, the file will not upload to the Splunk App for PCI Compliance assets table, identity table, or other list or lookup. The Mac version of Excel does not save the file with the proper CSV line endings; the file must use UNIX line endings.
Workaround: Open the file in vi (or another text editor) and run the command:

  :%s/^M/\r/g

Use ctrl-v ctrl-m to enter the ^M (carriage return) character.

Or you can use the popular dos2unix utility to correct line endings in a file produced on Windows or OS X.
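A blind search-and-replace of carriage returns breaks any CSV that has a line break inside a quoted field. The following script, added here as an example and not part of the Splunk documentation, parses the file with Python's csv module so record boundaries are found correctly, then re-emits every record with a UNIX (LF) terminator. It assumes a UTF-8, comma-delimited file with double-quoted fields; the sample rows and host names in it are constructed.

```python
"""Normalise CSV line endings to LF before uploading a lookup or asset
table. Added example, not Splunk's own tooling. Assumes UTF-8 text in the
default comma/double-quote dialect."""
import csv
import io
import sys


def detect_line_endings(data: str) -> dict:
    """Count CRLF (Windows), bare CR (Mac Excel) and bare LF (UNIX)
    terminators so you can see what a file actually contains."""
    crlf = data.count("\r\n")
    return {
        "crlf": crlf,
        "cr": data.count("\r") - crlf,
        "lf": data.count("\n") - crlf,
    }


def parse_rows(data: str) -> list:
    """Parse CSV text into a list of rows, accepting CR, LF or CRLF as the
    record terminator (newline='' keeps them untranslated for csv)."""
    return list(csv.reader(io.StringIO(data, newline="")))


def normalize_csv(data: str) -> str:
    """Re-emit every record with a single LF terminator.

    Using the csv reader instead of a character substitution means a line
    break inside a quoted field is not mistaken for a record boundary.
    Breaks inside fields are rewritten to LF as well, so the result
    contains no carriage returns at all.
    """
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in parse_rows(data):
        writer.writerow(
            [field.replace("\r\n", "\n").replace("\r", "\n") for field in row]
        )
    return out.getvalue()


def normalize_csv_file(src: str, dst: str) -> dict:
    """Rewrite src into dst with LF terminators; returns the ending counts
    found in the original so the caller can log what was changed."""
    with open(src, encoding="utf-8", newline="") as fh:
        data = fh.read()
    with open(dst, "w", encoding="utf-8", newline="") as fh:
        fh.write(normalize_csv(data))
    return detect_line_endings(data)


if __name__ == "__main__":
    # Constructed sample of what Mac Excel produces (CR-only terminators),
    # including one quoted field that itself spans two lines.
    sample = (
        "ip,nt_host,priority\r"
        "10.0.0.5,web01,high\r"
        '"10.0.0.6","db01\rreplica",medium\r'
    )
    print(detect_line_endings(sample))
    sys.stdout.write(normalize_csv(sample))
```

Run it as `python normalize_csv.py` to see the sample converted, or call `normalize_csv_file("assets_mac.csv", "assets.csv")` on a real export; the returned counts tell you whether the file actually had CR endings before you upload the result.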

Upgrades: Re-enable the app

If for any reason, you begin an upgrade and then decide not to complete it, and want to continue to use the existing version of the Splunk App for PCI Compliance, the app must be re-enabled before it can be used.

All of the following apps need to be re-enabled using the Splunk Manager to fully re-enable the Splunk App for PCI Compliance:

  • SA-*
  • DA-PCI-*
  • SplunkPCIComplianceSuite

To do this:

  1. Go to Manager > Apps.
  2. Click Enable next to each of these apps.
  3. Restart Splunk.

Note: Because the SA-* and DA-PCI-* apps do not contain UI elements, no Enable button shows up for them on the Splunk Web Home page.

SA-AuditAndDataProtection is among the apps disabled/enabled through the steps of the upgrade process. If SA-AuditAndDataProtection is in the disabled state, Splunk Web is accessed via HTTP; if it is enabled, Splunk Web is accessed via HTTPS.

After re-enabling SA-AuditAndDataProtection (and the other apps) and restarting Splunk, navigate to Splunk Web via HTTPS.
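Because the SA-* and DA-PCI-* apps have no Enable button on the Splunk Web Home page, it can be simpler to script the re-enable step. The script below is an added example, not part of the Splunk documentation: it selects the installed apps matching the three patterns listed above and runs the standard Splunk CLI commands `splunk enable app <name>` for each, followed by `splunk restart`. It assumes SPLUNK_HOME points at the Splunk install and that it is run as the Splunk user; the app names used in the test are constructed placeholders.

```python
"""Re-enable the Splunk App for PCI Compliance and its supporting apps
from the CLI. Added example, not Splunk's own code. Assumes SPLUNK_HOME
is the install directory (default /opt/splunk) and uses the standard
`splunk enable app` and `splunk restart` commands."""
import fnmatch
import os
import subprocess

# The apps the upgrade note says must be re-enabled, in that order.
PCI_APP_PATTERNS = ("SA-*", "DA-PCI-*", "SplunkPCIComplianceSuite")


def select_pci_apps(app_names):
    """Return the names from app_names that belong to the PCI bundle,
    grouped in pattern order, without duplicates."""
    selected = []
    for pattern in PCI_APP_PATTERNS:
        for name in sorted(app_names):
            if fnmatch.fnmatchcase(name, pattern) and name not in selected:
                selected.append(name)
    return selected


def enable_commands(splunk_home, app_names):
    """Build the argv lists to run: one `enable app` per selected app,
    then a single restart so the change takes effect."""
    splunk = os.path.join(splunk_home, "bin", "splunk")
    cmds = [[splunk, "enable", "app", name] for name in select_pci_apps(app_names)]
    cmds.append([splunk, "restart"])
    return cmds


def reenable_pci_apps(splunk_home=None):
    """Discover installed apps under $SPLUNK_HOME/etc/apps and run the
    enable/restart sequence, stopping on the first failing command."""
    splunk_home = splunk_home or os.environ.get("SPLUNK_HOME", "/opt/splunk")
    apps_dir = os.path.join(splunk_home, "etc", "apps")
    installed = [
        d for d in os.listdir(apps_dir) if os.path.isdir(os.path.join(apps_dir, d))
    ]
    for argv in enable_commands(splunk_home, installed):
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    reenable_pci_apps()
```

After the restart completes, SA-AuditAndDataProtection is enabled again, so reach Splunk Web over HTTPS as the note above describes.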

Splunk Add-on for Check Point OPSEC LEA

TA-checkpoint, the technology add-on for Check Point packaged with the Splunk App for PCI Compliance, is not compatible with the new Splunk Add-on for Check Point OPSEC LEA.

If you are using TA-checkpoint (the existing technology add-on), remove it and replace it with the new add-on (Splunk Add-on for Check Point OPSEC LEA, Solaris or Linux). Plan accordingly and migrate to the new add-on as part of your upgrade strategy.

Note: The Splunk_TA_opsec add-on does not extract a command field. To extract this field, augment the `network_change` macro using a local override. To do this, add this stanza to the $SPLUNK_HOME/etc/apps/SA-NetworkProtection/local/macros.conf file:

## SA-NetworkProtection/local/macros.conf
[network_change]
definition = tag=network tag=modify | eval command=if(sourcetype=="opsec_audit",Operation." ".ObjectName,command) | fillnull value=unknown dvc,action,user,command

Last modified on 28 February, 2014

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1
