Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Using technology add-ons

This topic provides instruction on using predefined technology add-on feeds to gather data from common compliance data sources.

Normalize data at search time using maps

To derive information from the types of data monitored in your cardholder data environment, Splunk software parses, indexes, and maps data so that it can be used by apps in searches, views, and reports. The data is "normalized" by tagging and mapping it to fields in a consistent way.

For example, one firewall add-on might report an incident as a "failed attempt" while another one might report an incident as "unsuccessful". When the data is normalized, it is mapped to a common field such as "failed". This field can be used as part of searches, filters, views, reports, and so on. Additional mapping and search-time information, such as correlating asset information with events, is provided by technology add-ons.

Technology add-ons and data inputs

The Splunk App for PCI Compliance data inputs are closely connected with technology add-ons, mapping data for use in the app. Use Apps > Manage Apps to configure or add technology add-ons to your configuration.

  1. Click Apps > Manage Apps.
  2. Click Edit properties for the app you want to configure.
  3. Configure the app and click Save.

You can also select one of the other available options to find more apps or install an app from a file.

For each data source:

  • Identify the technology add-on: Identify the technology and determine the corresponding technology add-on. If the Splunk App for PCI Compliance does not ship with out-of-the-box support for your type of data or data source, you might be able to find an add-on on Splunkbase. You can also create your own add-ons.
  • Customize the technology add-on where necessary: Each technology add-on provided with the Splunk App for PCI Compliance comes with a README file, located in the root of the add-on folder in $SPLUNK_HOME/etc/apps. The README details any changes you need to make to the add-on to configure it for your deployment. For example, you might need to specify the location or source of the data, choose whether the data is located in a file or in a database, and so on.
  • Install the technology add-on: You must install the technology add-on on each search head that handles the data. You must also install technology add-ons that perform index-time processing on each indexer and forwarder. If technology add-ons exist as part of your Splunk Enterprise Security 4.x.x installation, they are shared with Splunk App for PCI Compliance 3.x.x.
  • Configure the server, device, or technology where necessary: In some cases, you might need to enable logging or data collection for the device or application and/or configure the output for collection by Splunk software. Consult the documentation for that technology for details.
  • Set up a Splunk data input and set the source type where necessary: The Splunk App for PCI Compliance supports all Splunk data input types, including network inputs, file monitoring, and scripted inputs. The README file in the technology add-on directory describes which input types are supported for this particular technology. The README file also includes the source type associated with the data and tells you whether or not you need to explicitly specify the source type when you set up the data input.

Automated conversion of IPv4 long to dotted notation

You might have several log sources that report IP addresses in their long format. These can be automatically converted to dotted notation for reporting purposes.

The conversion also works in reverse at search time: a search on the dotted form matches events that store the long form. For instance, a search for "src_ip=0.0.0.0" returns events with "src_long=0".

As long as SA-IdentityManagement is present on the system, you can create an automated conversion of long addresses to IP using props.conf.

Copy the props.conf file from $SPLUNK_HOME/etc/apps/SA-IdentityManagement/default into the local directory of that add-on, then add this stanza, replacing "sourcetype" with the name of the source type that reports long-format addresses:

[sourcetype]
LOOKUP-src_ip_for_sourcetype = ip2long src_long OUTPUT src_ip
LOOKUP-dest_ip_for_sourcetype = ip2long dest_long OUTPUT dest_ip

Save the file.
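To show what the LOOKUP stanza above does in both directions, here is a small external lookup script written for this topic (an added example, not the ip2long lookup shipped in SA-IdentityManagement). It follows the Splunk external lookup convention of CSV with a header row on stdin and the same columns with blanks filled in on stdout; the field names src_long and src_ip are assumed for illustration.

```python
#!/usr/bin/env python3
"""Illustrative IPv4 long <-> dotted lookup (added example, not the
SA-IdentityManagement ip2long lookup). Reads CSV on stdin, writes CSV on
stdout with the empty side of each long/dotted pair filled in."""
import csv
import sys

MAX_IPV4 = 0xFFFFFFFF  # largest value a 32-bit IPv4 address can hold


def long_to_dotted(value):
    """Return the dotted form of a 32-bit integer, or None if out of range."""
    try:
        n = int(str(value).strip())
    except (TypeError, ValueError):
        return None
    if not 0 <= n <= MAX_IPV4:
        return None  # not a valid IPv4 address; caller leaves the field blank
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def dotted_to_long(text):
    """Return the integer form of a dotted IPv4 string, or None if malformed."""
    parts = str(text).strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        return None
    return sum(int(p) << shift for p, shift in zip(parts, (24, 16, 8, 0)))


def fill_row(row, long_field, ip_field):
    """Fill whichever side of the pair is empty: long -> dotted for reporting,
    dotted -> long so a search on src_ip also matches events holding src_long."""
    if row.get(long_field) and not row.get(ip_field):
        row[ip_field] = long_to_dotted(row[long_field]) or ""
    elif row.get(ip_field) and not row.get(long_field):
        n = dotted_to_long(row[ip_field])
        row[long_field] = "" if n is None else str(n)
    return row


def main(long_field="src_long", ip_field="src_ip"):
    # Splunk passes the lookup field names as arguments; default to the assumed pair.
    reader = csv.DictReader(sys.stdin)
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        writer.writerow(fill_row(row, long_field, ip_field))


if __name__ == "__main__":
    main(*sys.argv[1:3])
```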

Last modified on 24 March, 2016

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5

