Installation and configuration for a stand-alone environment
This section describes the steps to:
- Install the Centrify Add-on for Splunk and the Centrify App for Splunk
- Configure the Centrify Add-on for Splunk
Installing the Centrify Add-on for Splunk and the Centrify App for Splunk
To install the Add-on and the App from the command prompt, enter the following commands:
$SPLUNK_HOME/bin/splunk install app Centrify-add-on-for-splunk_xxx.tgz
$SPLUNK_HOME/bin/splunk install app Centrify-app-for-splunk_xxx.tgz
To install the Centrify Add-on for Splunk and the Centrify App for Splunk from the UI:
- Log in to Splunk Web.
- Go to: Manage Apps > Install App from File.
- Choose Centrify-add-on-for-splunk_xxx.tgz and Centrify-app-for-splunk_xxx.tgz, one by one, and click Install.
- While selecting the build package, select the checkbox to upgrade the app.
Configuring the Centrify Add-on for Splunk
To start the data collection, you must configure the Centrify Add-on for Splunk.
To configure the Centrify Add-on for Splunk:
- Make sure that you have administrator rights on your computer.
- Copy:
$SPLUNK_HOME/etc/apps/TA-centrify/default/inputs.conf.example
to:
$SPLUNK_HOME/etc/apps/TA-centrify/local/inputs.conf.example
- Rename inputs.conf.example to inputs.conf.
- Open the inputs.conf file in a text editor.
- Find the input stanza for your OS platform among the input stanzas in inputs.conf.
- To enable the stanza that monitors the syslog for your OS platform, change the disabled property of that stanza from:
disabled = 1
to:
disabled = 0
- Save the inputs.conf file.
- Restart the Splunk app.
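As an added example that is not part of the Centrify documentation, the following POSIX shell function performs the stanza-enabling step above on a copy of inputs.conf while leaving every other stanza untouched; the monitor paths, the sample file and the temporary file names are constructed placeholders, and the copy and rename of inputs.conf.example are assumed to have been done already.

```shell
#!/bin/sh
# Added example, not part of the Centrify or Splunk documentation.
# Enables exactly one [stanza] of a Splunk inputs.conf by changing its
# "disabled = 1" line to "disabled = 0"; every other stanza is left as is.
# Assumes POSIX sh and awk; the stanza names below are constructed
# placeholders, not the ones shipped in TA-centrify's inputs.conf.example.

# enable_stanza <inputs.conf path> <stanza name without brackets>
# Prints the rewritten configuration to stdout.
enable_stanza() {
    awk -v target="[$2]" '
        # A line starting with "[" opens a new stanza; note whether it is ours.
        /^[[:space:]]*\[/ {
            name = $0
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            in_target = (name == target)
        }
        # Only inside the target stanza, flip the disabled flag.
        in_target && /^[[:space:]]*disabled[[:space:]]*=[[:space:]]*1[[:space:]]*$/ {
            print "disabled = 0"
            next
        }
        { print }
    ' "$1"
}

# count_disabled_value <file> <0|1>: how many stanzas carry "disabled = <value>".
count_disabled_value() {
    grep -c "^[[:space:]]*disabled[[:space:]]*=[[:space:]]*$2[[:space:]]*\$" "$1" || true
}

# Constructed sample with one stanza per platform, both disabled as shipped.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
[monitor:///var/log/messages]
sourcetype = syslog
disabled = 1

[monitor://C:\ProgramData\Centrify\centrify.log]
sourcetype = syslog
disabled = 1
EOF

# Enable only the Linux stanza and write the result to a separate file
# (in a real deployment this would be local/inputs.conf).
enabled="$(mktemp)"
enable_stanza "$sample" "monitor:///var/log/messages" > "$enabled"
cat "$enabled"
```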
Note: If Centrify PAS and Splunk are not installed on the same machine, you must forward Centrify events to the Splunk instance.
To forward Centrify events to the Splunk instance, use the following instructions for the Windows and Linux operating systems.
Windows
On a Windows machine, Centrify events are forwarded through the Splunk Universal Forwarder.
To configure events on Windows with the Centrify Add-on for Splunk:
- Install the Splunk Universal Forwarder on the machine where Centrify PAS is installed.
- During the installation, enter the Splunk instance IP address and the port on which you are forwarding data (the default port is 9997).
- Install the Centrify Add-on for Splunk on the Splunk Universal Forwarder using the following command:
$SPLUNK_HOME/bin/splunk install app <path of Centrify Add-on for Splunk build package>
Note: The default username and password are admin/changeme. Change the default password before the forwarder goes into service.
- Configure the Centrify Add-on for Splunk by following the steps above in Configuring the Centrify Add-on for Splunk.
- On the Splunk instance, configure receiving by navigating to Settings > Forwarding and Receiving > Configure Receiving > New. Enter the port on which events are forwarded (entered in step 2).
Linux
On a Linux machine, Centrify events are forwarded through syslog.
Follow these steps to configure syslog:
- Enter the following line in /etc/rsyslog.conf:
*.* @@<IP-Address>:<port>
The IP-Address should be the Splunk instance IP. The default port is 514. (In rsyslog, @@ forwards over TCP, which matches the TCP data input configured below; a single @ would forward over UDP.)
- Restart the rsyslog service using this command:
service rsyslog restart
- On the Splunk instance, add a data input to receive Centrify events:
  - Go to: Settings > Data Input > TCP > Add New. Enter the port as in the rsyslog.conf file and select the source type as syslog.
  - Click Submit.