Data Collection

Data collection can be accomplished in two ways:

  • Using the Splunk Add-on for Windows or the Splunk Add-on for Unix and Linux

  • Using the Centrify Add-on for Splunk

Using the Splunk Add-on for Windows or Splunk Add-on for Unix and Linux

If you are already using the Splunk Add-on for Windows and collecting Windows application logs on Indexers, you should already have the Splunk Forwarder and the Splunk Add-on for Windows installed on the Windows machine. Because Centrify logs are already part of the Windows application logs, you do not have to install anything else on the Splunk Forwarder. You should be able to see the Centrify data directly on the Indexers.

Similarly, you might already be using the Splunk Add-on for Unix and Linux and sending specific Unix and Linux logs to the Indexers. In this scenario, the Splunk Forwarder and the Splunk Add-on for Unix and Linux should be installed on the Unix machine. You can modify the inputs.conf file, add the Centrify-specific log directory, and start forwarding that data to the Indexers.

Note that the data collection stanzas in the Centrify Add-on for Splunk remain disabled because they are not collecting data in this scenario. The expectation is that the Splunk Add-on for Windows and the Splunk Add-on for Unix and Linux are responsible for collecting data. In this case, the Centrify Add-on for Splunk is mainly used for field extractions and data normalization.

The requirements for component deployment are listed in the following table:

Machines and Splunk Components   | Windows Machines | Unix Machines | Indexers | Search Heads
---------------------------------|------------------|---------------|----------|-------------
Splunk Universal Forwarder       | Yes              | Yes           | ---      | ---
Splunk Add-on for Windows        | Yes              | ---           | ---      | ---
Splunk Add-on for Unix and Linux | ---              | Yes           | ---      | ---
Centrify Add-on for Splunk       | ---              | ---           | Yes (1)  | Yes (2)
Centrify App for Splunk          | ---              | ---           | ---      | Yes

(1) Needed for index-time field extractions.
(2) Needed for index-time field extractions and data normalization.

Using the Centrify Add-on for Splunk

If you do not have the Splunk Add-on for Windows or the Splunk Add-on for Unix and Linux and would like to use the Centrify Add-on for Splunk for data collection, you must install:

  • The Splunk Forwarder on the Windows and Unix machines

  • The Centrify Add-on for Splunk on both types of machines

The inputs.conf file in the Centrify Add-on for Splunk contains monitor stanzas for the syslog file locations used by each OS platform.

You must enable the input stanza that corresponds to the OS platform of the Forwarder. Data is collected on the Forwarder and forwarded to the Indexers, where it is indexed. Note that the data collection stanzas in the inputs.conf file remain disabled on the Search Heads.

Note: If the UNIX and Linux syslogs are stored in a binary format, you must use the rsyslog daemon service to write the logs under one of the standard syslog locations before configuring the app on the Forwarder.
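As an added example (not the Centrify add-on's own inputs.conf), the fragment below shows the collection stanzas as shipped disabled and the local override that enables only the stanza matching the Forwarder's platform; the file paths, the sourcetype and the index names are assumptions.

```ini
# Added example (not the add-on's shipped file): how the platform-specific
# collection stanza is enabled on a Forwarder by overriding the add-on's
# default/inputs.conf in local/inputs.conf. The stanza paths, the sourcetype
# and the index below are assumptions chosen for illustration.

# --- default/inputs.conf as shipped: every collection stanza disabled ---
# (assumed content; the real add-on's stanza names may differ)
[monitor:///var/log/messages]
disabled = 1
sourcetype = centrify_syslog_placeholder
index = centrify_placeholder

[monitor:///var/log/secure]
disabled = 1
sourcetype = centrify_syslog_placeholder
index = centrify_placeholder

[WinEventLog://Application]
disabled = 1
index = centrify_placeholder

# --- local/inputs.conf on a Linux Forwarder ---
# Only the keys that change are repeated; Splunk merges local over default,
# so sourcetype and index still come from the default stanza. Enable only
# the stanzas whose files exist on this host's platform.
[monitor:///var/log/messages]
disabled = 0

[monitor:///var/log/secure]
disabled = 0

# --- local/inputs.conf on a Windows Forwarder ---
# Centrify events are part of the Windows Application log, so the event log
# input is the one to enable here; the syslog monitor stanzas stay disabled.
[WinEventLog://Application]
disabled = 0

# On Search Heads no local override is written, so every collection stanza
# keeps disabled = 1 and the add-on is used there only for field extraction.
```

After restarting the Forwarder, confirming that the intended file or event log is actually being monitored, and that the Search Heads show no active collection stanzas, is the check to make before looking for the data on the Indexers.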

The requirements for component deployment are listed in the following table:

Machines and Splunk Components | Windows Machines | Unix Machines | Indexers | Search Heads
-------------------------------|------------------|---------------|----------|-------------
Splunk Universal Forwarder     | Yes              | Yes           | ---      | ---
Centrify Add-on for Splunk     | Yes              | Yes           | Yes (1)  | Yes (2)
Centrify App for Splunk        | ---              | ---           | ---      | Yes

(1) Needed for index-time field extractions.
(2) Needed for index-time field extractions and data normalization.