Using technology add-ons
This topic provides instruction on using predefined technology add-on feeds to gather data from common compliance data sources.
Normalize data at search time using maps
To derive information from the types of data monitored in your cardholder data environment, Splunk software parses, indexes, and maps data so that it can be used by apps in searches, views, and reports. The data is "normalized" by tagging and mapping it to fields in a consistent way.
For example, one firewall add-on might report an incident as a "failed attempt" while another one might report an incident as "unsuccessful". When the data is normalized, it is mapped to a common field such as "failed". This field can be used as part of searches, filters, views, reports, and so on. Additional mapping and search-time information, such as correlating asset information with events, is provided by technology add-ons.
Technology add-ons and data inputs
The Splunk App for PCI Compliance data inputs are closely connected with technology add-ons, mapping data for use in the app. Use Apps > Manage Apps to configure or add technology add-ons to your configuration.
- Click Apps > Manage Apps.
- Click Edit properties for the app you want to configure.
- Configure the app and click Save.
You can also select one of the other available options to find more apps or install an app from a file.
For each data source:
- Identify the technology add-on: Identify the technology and determine the corresponding technology add-on. If the Splunk App for PCI Compliance does not ship with out-of-the-box support for your type of data or data source, you might be able to find an add-on on Splunkbase. You can also create your own add-ons.
- Customize the technology add-on where necessary: Each technology add-on provided with the Splunk App for PCI Compliance comes with a README file, located in the root of the add-on folder in
$SPLUNK_HOME/etc/apps. The README details any changes you need to make to the add-on to configure it for your deployment. For example, you might need to specify the location or source of the data, choose whether the data is located in a file or in a database, and so on.
- Install the technology add-on: You must install the technology add-on on each search head that handles the data. You must also install technology add-ons that perform index-time processing on each indexer and forwarder. If technology add-ons exist as part of your Splunk Enterprise Security 4.x.x installation, they are shared with Splunk App for PCI Compliance 3.x.x.
- Configure the server, device, or technology where necessary: In some cases, you might need to enable logging or data collection for the device or application and/or configure the output for collection by Splunk software. Consult the documentation for that technology for details.
- Set up a Splunk data input and set the source type where necessary: The Splunk App for PCI Compliance supports all Splunk data input types, including network inputs, file monitoring, and scripted inputs. The README file in the technology add-on directory describes which input types are supported for this particular technology. The README file also includes the source type associated with the data and tells you whether or not you need to explicitly specify the source type when you set up the data input.
Automated conversion of ipv4 long to dotted notation
You might have several log sources that report IP addresses in their long format. These can be automatically converted to dotted notation for reporting purposes.
This data can also be returned based on dotted notation when searching. For instance, if you want events with "src_long=0" to be returned when you search "src_ip=0.0.0.0".
As long as
SA-IdentityManagement is present on the system, you can create an automated conversion of long addresses to IP using
props.conf file into the
local directory and add this stanza:
[sourcetype] LOOKUP-src_ip_for_sourcetype = ip2long src_long OUTPUT src_ip LOOKUP-dest_ip_for_sourcetype = ip2long dest_long OUTPUT dest_ip
Save the file.
Data management overview
Using the Splunk Enterprise deployment server
This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5