Splunk Centrify Privileged Access Service Add-on

The Splunk Centrify Privileged Access Service Add-on provides data onboarding and parsing of Centrify PAS logs into Splunk events. These parsed events can be used for ad hoc queries or to create visualizations. This add-on co-exists with other Splunk add-ons without conflicts.

Apart from data onboarding and parsing, the Splunk Centrify PAS Add-on takes care of the following:

  • Timestamp correction: The timestamp in Syslog is the time when logging happened and not the actual time when the event occurred, so the timestamp of the Centrify PAS event in Splunk is corrected by using the WhenOccurred field in the event payload.
  • Custom sourcetype assignment: A new sourcetype called centrify_cisp_syslog is assigned to Centrify PAS events. This ensures that Centrify PAS events and other Syslog messages are not touched unintentionally.
  • Applying Centrify headers: Headers such as product, category, and eventname present in the payload are assigned to Centrify PAS events in Splunk.
  • CIM compliance: The add-on maps Centrify PAS Authentication events to the Authentication model of CIM.
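The four steps above, modelled in Python as an added illustration (this is not the add-on's own code, which is Splunk configuration). The syslog line layout, the "centrify-pas" program tag and the key="value" field names (WhenOccurred, ProductName, Category, EventType, UserName, FromIPAddress, Result) are assumptions made for this example, not the real Centrify PAS payload; the two sample lines are constructed. It shows why the WhenOccurred correction matters (the header time is when the message was logged, 32 seconds after the event here), that an unrelated sshd message keeps its plain syslog sourcetype and is otherwise left alone, and how a login event is mapped onto the CIM Authentication fields action, user, src and app.

```python
"""Model of the Centrify PAS Add-on's parsing steps (added example, assumed field names)."""
import re
from datetime import datetime, timezone

# Constructed sample lines: one Centrify PAS login failure and one unrelated sshd message.
SAMPLE_LINES = [
    'Nov  5 10:15:02 syslog-host centrify-pas: WhenOccurred="2023-11-05T10:14:30Z" '
    'ProductName="Centrify PAS" Category="Login" EventType="Cloud.Core.LoginFail" '
    'UserName="alice@example.com" FromIPAddress="203.0.113.7" Result="Failure"',
    'Nov  5 10:15:03 syslog-host sshd[4242]: Accepted publickey for bob from 198.51.100.9',
]

# BSD-style syslog header: timestamp, host, program tag with optional [pid], then the message.
SYSLOG_HEADER = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<tag>[^:\[]+)(\[\d+\])?: (?P<msg>.*)$'
)
# key="value" pairs in the message body (assumed payload layout).
KV_PAIR = re.compile(r'(\w+)="([^"]*)"')
CENTRIFY_TAG = 'centrify-pas'  # assumed program tag identifying Centrify PAS messages


def assign_sourcetype(line):
    """Custom sourcetype: only lines carrying the Centrify tag become centrify_cisp_syslog."""
    m = SYSLOG_HEADER.match(line)
    if m and m.group('tag') == CENTRIFY_TAG:
        return 'centrify_cisp_syslog'
    return 'syslog'


def syslog_header_epoch(ts_text, year):
    """Epoch seconds of the syslog header time (logging time); the header carries no year."""
    normalized = ' '.join(ts_text.split())  # collapse the padding in "Nov  5"
    dt = datetime.strptime(f'{year} {normalized}', '%Y %b %d %H:%M:%S')
    return dt.replace(tzinfo=timezone.utc).timestamp()


def corrected_timestamp(fields, fallback_epoch):
    """Timestamp correction: prefer WhenOccurred (event time) over the header (logging time)."""
    when = fields.get('WhenOccurred')
    if not when:
        return fallback_epoch
    dt = datetime.strptime(when, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)
    return dt.timestamp()


def parse_event(line, year=2023):
    """Turn one syslog line into the field set a Splunk event would carry."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError('not a syslog line')
    sourcetype = assign_sourcetype(line)
    event = {
        'sourcetype': sourcetype,
        'host': m.group('host'),
        '_time': syslog_header_epoch(m.group('ts'), year),
    }
    if sourcetype != 'centrify_cisp_syslog':
        return event  # other syslog messages are not touched

    fields = dict(KV_PAIR.findall(m.group('msg')))
    event['_time'] = corrected_timestamp(fields, event['_time'])
    # Centrify headers lifted from the payload.
    event['product'] = fields.get('ProductName')
    event['category'] = fields.get('Category')
    event['eventname'] = fields.get('EventType')
    # CIM Authentication data model mapping for login events.
    if fields.get('Category') == 'Login':
        event['action'] = 'success' if fields.get('Result') == 'Success' else 'failure'
        event['user'] = fields.get('UserName')
        event['src'] = fields.get('FromIPAddress')
        event['app'] = fields.get('ProductName')
    return event


if __name__ == '__main__':
    for sample in SAMPLE_LINES:
        print(parse_event(sample))
```

The correction step is the one to watch: without it, a delayed or batched syslog delivery shifts every Centrify event to the delivery time, so time-based searches and the CIM authentication dashboards would line events up against the wrong moment.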

Setting Up the Splunk Universal Forwarder

In a distributed Splunk environment, the Splunk Universal Forwarder must be set up on the machine with the Syslog server so that the Centrify PAS events in syslog get forwarded to the Indexer.

To configure Splunk Universal Forwarder for a distributed setup:

  1. In a terminal, navigate to the path of Splunk Universal Forwarder:

    cd splunkuniversalforwarder/bin

  2. From the bin folder, add the forward server, using the IP address of the Splunk Indexer as the <ipaddress> and the Receiver port configured on the Splunk Indexer as the <port> (usually 9997):

    ./splunk add forward-server <ipaddress>:<port>

  3. Add syslog to the monitored files list:

    ./splunk add monitor /var/log/messages

Installing the Splunk Add-on

The Splunk Add-on must be installed on the indexer and on the search head.

To install the Splunk Add-on from the Splunk Web UI:

Go to Apps > Browse, then select Centrify Identity Platform Add-on for Splunk.

Configuring Data Input

To configure data input:

In a distributed Splunk environment with a Forward Server:

  1. Open the Splunk Enterprise web UI.

  2. Go to Settings > Forwarding and receiving > Configure Receiving > Add New.

  3. In the Listen to Port text box, enter 9997.

  4. Click Save to send messages from the Forward Server to port 9997.

In a stand-alone Splunk environment with a local syslog:

  1. Go to Settings > Data Inputs > Files and Directories.

  2. Enable /var/log/messages (this is disabled by default).

Searching for Centrify PAS Events

To search for Centrify PAS events, enter this search:

    search sourcetype="centrify_cisp_syslog"