Installation and Configuration for a Cloud Deployment

This section describes the steps to:

  • Install the Splunk Universal Forwarder

  • Install the Centrify Add-on for Splunk

  • Configure the Centrify Add-on for Splunk

  • Install the Splunk Add-on for Windows

  • Install the Splunk Add-on for Unix and Linux

  • Forward data to the Indexer

  • Install and configure Centrify Add-on for Splunk on the Indexer

  • Install and configure Centrify Add-on and App for Splunk on the Search Head

Installing the Splunk Universal Forwarder

You must install the Splunk Universal Forwarder together with one of the technology add-ons (TAs), such as the Splunk Add-on for Windows, the Splunk Add-on for Unix and Linux, or the Centrify Add-on for Splunk, to collect Windows application logs.

Follow the generic Splunk guidelines to install the Splunk Universal Forwarder on a Windows machine:

http://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/Installtheuniversalforwardersoftware

Installing the Centrify Add-on for Splunk

To install the Centrify Add-on for Splunk on a targeted system:

Splunk Web is not available on a Splunk Universal Forwarder, so extract the Add-on package into the $SPLUNK_HOME/etc/apps directory.

Configuring the Centrify Add-on for Splunk in cloud deployments

To configure the Centrify Add-on for Splunk in a cloud deployment:

  1. Make sure that you have admin rights, then copy $SPLUNK_HOME/etc/apps/TA-centrify/default/inputs.conf.example to $SPLUNK_HOME/etc/apps/TA-centrify/local/inputs.conf.

    inputs.conf contains several input stanzas, one for each syslog file location that is monitored, grouped by OS platform.

  2. To enable a stanza for your OS, change its disabled property from disabled=1 to disabled=0.
  3. Note that source types are hard coded in the TA and you are advised not to change this configuration.

    The source types are hard coded because the Centrify dashboard apps expect these specific source types; if you change them, the dashboards stop working.

    Note:   The index can be changed based on user needs.

    Use the following example configuration when you want to index data into a specific index, in
    $SPLUNK_HOME/etc/apps/TA-centrify/local/inputs.conf:

    # Red Hat, CentOS, Citrix XenServer, Oracle Enterprise Linux, Scientific Linux, Fedora, SUSE, openSUSE
    [monitor:///var/log/messages]
    sourcetype = syslog
    # set disabled = 0 to enable this stanza (see step 2)
    disabled = 1
    index = centrify

  4. Restart Splunk.

Installing the Splunk Add-on for Windows

Follow the generic Splunk guidelines to install the Splunk Add-on for Windows on a Windows machine:

https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/InstalltheSplunkAdd-onforWindows

Installing the Splunk Add-on for Unix and Linux

Follow the generic Splunk guidelines to install the Splunk Add-on for Unix and Linux on a Unix machine:

http://docs.splunk.com/Documentation/UnixApp/latest/User/AbouttheSplunkAppforUnix

Forwarding Data to the Indexer

Follow these steps:

  1. Once you configure the Add-on, start forwarding data to the Indexer using the following command:

    $SPLUNK_HOME/bin/splunk add forward-server <indexer>:<port>

    Where <indexer> is the Indexer’s address and <port> is the receiving port on the Indexer. Splunk recommends forwarding data on the Indexer port 9997.

  2. See the list of configured Indexers in $SPLUNK_HOME/etc/system/local/outputs.conf.
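The following script is an added example, not part of the Centrify or Splunk documentation, that checks the two files the procedures above leave behind on a Universal Forwarder: the layered default/local inputs.conf of the TA (which stanzas end up enabled, which index they use, and whether local/ overrode a hard-coded sourcetype) and the outputs.conf written by `splunk add forward-server` (which indexer:port pairs are configured, flagging any port other than the recommended 9997). The conf contents are constructed samples, the layering rule (local keys override default keys per stanza) is standard Splunk behaviour, and the fallback index name `main` assumes no index was set anywhere.

```python
"""Audit a Universal Forwarder's TA-centrify inputs.conf and outputs.conf.

Added example; the conf text below is constructed for the demonstration.
"""
import configparser
from typing import Dict, List, Tuple

Conf = Dict[str, Dict[str, str]]

# Constructed stand-in for the TA's default/inputs.conf (hypothetical contents).
DEFAULT_INPUTS = """\
[monitor:///var/log/messages]
sourcetype = syslog
disabled = 1

[monitor:///var/log/secure]
sourcetype = syslog
disabled = 1
"""

# Constructed local/inputs.conf: both stanzas enabled and pointed at the
# 'centrify' index, but one sourcetype was (wrongly) overridden.
LOCAL_INPUTS = """\
[monitor:///var/log/messages]
disabled = 0
index = centrify

[monitor:///var/log/secure]
disabled = 0
index = centrify
sourcetype = linux_secure
"""

# Constructed $SPLUNK_HOME/etc/system/local/outputs.conf after two
# `splunk add forward-server <indexer>:9997` invocations.
OUTPUTS = """\
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = idx1.example.com:9997, idx2.example.com:9997
"""


def parse_conf(text: str) -> Conf:
    """Parse Splunk .conf text (INI-style stanzas) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def merge_layers(default: Conf, local: Conf) -> Conf:
    """Splunk layering: a key in local/ overrides the same key in default/, per stanza."""
    merged = {s: dict(kv) for s, kv in default.items()}
    for stanza, kv in local.items():
        merged.setdefault(stanza, {}).update(kv)
    return merged


def enabled_monitors(effective: Conf) -> Dict[str, str]:
    """Return {monitored path: index} for monitor stanzas that are not disabled."""
    result = {}
    for stanza, kv in effective.items():
        if stanza.startswith("monitor://") and kv.get("disabled", "0") not in ("1", "true"):
            # Assumption: events with no index setting land in Splunk's 'main' index.
            result[stanza[len("monitor://"):]] = kv.get("index", "main")
    return result


def sourcetype_overrides(default: Conf, local: Conf) -> List[Tuple[str, str, str]]:
    """List (stanza, default sourcetype, local sourcetype) where local/ changed it."""
    found = []
    for stanza, kv in local.items():
        orig = default.get(stanza, {}).get("sourcetype")
        if orig is not None and kv.get("sourcetype", orig) != orig:
            found.append((stanza, orig, kv["sourcetype"]))
    return found


def forward_servers(outputs: Conf) -> List[Tuple[str, int]]:
    """Collect (host, port) pairs from every [tcpout:<group>] server list."""
    servers = []
    for stanza, kv in outputs.items():
        if stanza.startswith("tcpout:") and "server" in kv:
            for entry in kv["server"].split(","):
                host, _, port = entry.strip().rpartition(":")
                servers.append((host, int(port)))
    return servers


def audit() -> dict:
    default, local = parse_conf(DEFAULT_INPUTS), parse_conf(LOCAL_INPUTS)
    return {
        "enabled": enabled_monitors(merge_layers(default, local)),
        "sourcetype_overrides": sourcetype_overrides(default, local),
        "forward_servers": forward_servers(parse_conf(OUTPUTS)),
    }


if __name__ == "__main__":
    report = audit()
    for path, index in report["enabled"].items():
        print(f"enabled: {path} -> index={index}")
    for stanza, orig, new in report["sourcetype_overrides"]:
        print(f"WARNING: {stanza} sourcetype {orig} -> {new}; dashboards expect {orig}")
    for host, port in report["forward_servers"]:
        print(f"forwarding to {host}:{port}" + ("" if port == 9997 else " (not 9997)"))
```

Run it against your own files by replacing the three constructed strings with the contents of the TA's default/inputs.conf, local/inputs.conf and $SPLUNK_HOME/etc/system/local/outputs.conf; a non-empty sourcetype_overrides list is exactly the situation the configuration section warns will break the Centrify dashboards.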

Indexers

The Centrify Add-on for Splunk is installed on the Indexer as follows:

Open a ticket with the Splunk Cloud team to install the Centrify Add-on on the Indexer. Installing the Centrify Add-on there allows data to be indexed with the centrify_css_* sourcetypes.

Splunk Cloud customers do not have direct access to their Indexers, so they rely on the Splunk Cloud team to do the configuration for them. The Splunk Cloud team might create a separate index so that the data is ingested into a specific index. If this is the case, the inputs.conf file on the Universal Forwarder must be changed as described in Forwarding Data to the Indexer so that the data is indexed properly.

The Centrify Add-on for Splunk itself needs no specific configuration on the Indexer.

Search Heads

Create a ticket with the Splunk Cloud team to install the Centrify Add-on for Splunk and the Centrify App for Splunk on your Search Heads.

You do not need a special configuration for the Centrify Add-on for Splunk.

To configure the Centrify App for Splunk, the index created by the Splunk Cloud team must be added to your default index list in:
Settings > Access Controls > Roles > (click a particular role) > Indexes Searched by default.

Note:    The Forwarder, Indexer, and Search Head are on a single machine in a stand-alone deployment (but in a distributed environment, each component is on a separate machine).