Installation and configuration for a stand-alone environment

This section describes the steps to:

  • Install the Centrify Add-on for Splunk and the Centrify App for Splunk

  • Configure the Centrify Add-on for Splunk

Installing the Centrify Add-on for Splunk and the Centrify App for Splunk

To install the Add-on and the App from the command prompt, enter the following commands:

$SPLUNK_HOME/bin/splunk install app Centrify-add-on-for-splunk_xxx.tgz

$SPLUNK_HOME/bin/splunk install app Centrify-app-for-splunk_xxx.tgz

To install the Centrify Add-on for Splunk and the Centrify App for Splunk from Splunk Web:

  1. Log in to Splunk Web.
  2. Go to: Manage Apps > Install app from file.
  3. Choose Centrify-add-on-for-splunk_xxx.tgz and Centrify-app-for-splunk_xxx.tgz, one at a time, and click Install.
  4. If a previous version of the package is already installed, select the Upgrade app checkbox when choosing the package so that it is replaced rather than rejected.

Configuring the Centrify Add-on for Splunk

To start the data collection, you must configure the Centrify Add-on for Splunk.

To configure the Centrify Add-on for Splunk:

  1. Make sure that you have administrator rights on the Splunk host.
  2. Copy
     $SPLUNK_HOME/etc/apps/TA-centrify/default/inputs.conf.example
     to
     $SPLUNK_HOME/etc/apps/TA-centrify/local/inputs.conf
     (create the local directory if it does not exist). Do not edit the file under default/: settings in local/ take precedence, and default/ is overwritten when the add-on is upgraded.
  3. Open local/inputs.conf in a text editor.
  4. Find the input stanza for your OS platform among the input stanzas in inputs.conf.
  5. Enable that stanza for monitoring the syslog of your OS platform by changing its disabled property from
     disabled = 1
     to
     disabled = 0
     Leave the stanzas for the other platforms disabled.
  6. Save the inputs.conf file.
  7. Restart the Splunk instance so that the new input is read.
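The following shell script is an added example and is not part of the Centrify documentation or the add-on. It performs steps 2 to 5 above without hand-editing: it copies the example file into local/inputs.conf, refuses to clobber an existing local copy, and flips disabled = 1 to disabled = 0 only inside the stanza named on the command line. The stanza names and the contents of inputs.conf.example used here are constructed for illustration; the real add-on's example file has its own stanza names, and SPLUNK_HOME defaults to a throwaway directory so the script can be run without a Splunk install.

```shell
#!/bin/sh
# Added example, not Centrify's or Splunk's own code.
# Enables one input stanza in a copied inputs.conf without touching the others.

# Assumption: SPLUNK_HOME points at a Splunk install; falls back to a temp dir
# so the script can be tried stand-alone.
SPLUNK_HOME="${SPLUNK_HOME:-$(mktemp -d)}"
TA_DIR="$SPLUNK_HOME/etc/apps/TA-centrify"

# Constructed stand-in for default/inputs.conf.example (stanza names are
# illustrative, not the add-on's real ones). Every stanza ships disabled.
make_sample_example() {
    mkdir -p "$TA_DIR/default"
    cat > "$TA_DIR/default/inputs.conf.example" <<'EOF'
[monitor:///var/log/messages]
sourcetype = syslog
disabled = 1

[monitor:///var/log/secure]
sourcetype = syslog
disabled = 1

[WinEventLog://Application]
disabled = 1
EOF
}

# Step 2: copy the example into local/ as inputs.conf. Never overwrite an
# existing local/inputs.conf, because that is where site settings live.
copy_example() {
    mkdir -p "$TA_DIR/local"
    if [ -e "$TA_DIR/local/inputs.conf" ]; then
        echo "local/inputs.conf already exists; edit it instead" >&2
        return 1
    fi
    cp "$TA_DIR/default/inputs.conf.example" "$TA_DIR/local/inputs.conf"
}

# Step 5: set 'disabled = 0' only inside the named stanza.
# $1 = path to inputs.conf, $2 = stanza header without the brackets.
enable_stanza() {
    file="$1"; want="$2"; tmp="$file.tmp.$$"
    awk -v want="$want" '
        # A line of the form [name] starts a new stanza; remember whether
        # it is the one we were asked to enable.
        substr($0, 1, 1) == "[" && substr($0, length($0), 1) == "]" {
            in_target = (substr($0, 2, length($0) - 2) == want)
        }
        in_target && $0 ~ /^disabled[ \t]*=[ \t]*1[ \t]*$/ { $0 = "disabled = 0" }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Verification helper: print the value of 'disabled' inside the named stanza.
stanza_disabled() {
    awk -v want="$2" '
        substr($0, 1, 1) == "[" && substr($0, length($0), 1) == "]" {
            in_target = (substr($0, 2, length($0) - 2) == want)
        }
        in_target && $1 == "disabled" { print $NF; exit }
    ' "$1"
}

make_sample_example
copy_example
enable_stanza "$TA_DIR/local/inputs.conf" "monitor:///var/log/secure"
# Only /var/log/secure is now enabled; the other stanzas stay disabled = 1.
# Step 7 on a real host: "$SPLUNK_HOME/bin/splunk" restart
```

Because the awk program tracks the current stanza header, a `disabled = 1` line in any other stanza is left untouched, which a global search-and-replace would not guarantee.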

Note:   If Centrify PAS and Splunk are not installed on the same machine, you must forward Centrify events to the Splunk instance.

To forward Centrify events to the Splunk instance, use the following instructions for the Windows and Linux operating systems.

Windows

On a Windows machine, Centrify events are forwarded through the Splunk Universal Forwarder.

To forward events from Windows with the Centrify Add-on for Splunk:

  1. Install the Splunk Universal Forwarder on the machine where Centrify PAS is installed.
  2. During the installation, enter the IP address of the Splunk instance and the port on which data is forwarded (the default receiving port is 9997).
  3. Install the Centrify Add-on for Splunk on the Universal Forwarder with the following command:

     $SPLUNK_HOME/bin/splunk install app <path of Centrify Add-on for Splunk build package>

     Note:   The command prompts for the forwarder's admin credentials; the default username and password is admin/changeme. Change this password after installation rather than leaving the forwarder on its default credential.
  4. Configure the Centrify Add-on for Splunk on the forwarder by following the steps under Configuring the Centrify Add-on for Splunk.
  5. On the Splunk instance, enable receiving: go to Settings > Forwarding and receiving > Configure receiving > New and enter the port on which events are forwarded (the port entered in step 2).

Linux

On a Linux machine, Centrify events are forwarded through syslog (rsyslog in the steps below).

Follow these steps to configure syslog:

  1. Add the following forwarding rule to /etc/rsyslog.conf (note the space between the selector and the target):

     *.* @@<IP-Address>:<port>

     IP-Address is the Splunk instance IP; the default port is 514.
     The selector *.* forwards every syslog message from the host, not only Centrify events. The double @@ sends over TCP, which matches the TCP data input configured in step 3; a single @ would send over UDP. The traffic is not encrypted, so route it over a trusted network segment.

  2. Restart the rsyslog service:

     service rsyslog restart

     (or systemctl restart rsyslog on systemd-based hosts).

  3. On the Splunk instance, add a data input to receive the Centrify events:

     1. Go to: Settings > Data inputs > TCP > Add new. Enter the same port as in rsyslog.conf and select syslog as the source type.
     2. Click Submit.

     If Splunk does not run as root, it cannot bind a port below 1024 such as 514. In that case choose a higher port (1514, for example) and use the same port in the rsyslog.conf rule and in the TCP data input.