This section describes the steps to:
Install the Splunk Universal Forwarder
Install the Centrify Add-on for Splunk
Configure the Centrify Add-on for Splunk
Install the Splunk Add-on for Windows
Install the Splunk Add-on for Unix and Linux
Forward data to the Indexer
Install and configure Centrify Add-on for Splunk on the Indexer
Install and configure Centrify Add-on and App for Splunk on the Search Head
You must install the Splunk Universal Forwarder together with at least one technology add-on (TA), such as the Splunk Add-on for Windows, the Splunk Add-on for Unix and Linux, or the Centrify Add-on for Splunk, on each system whose Windows application logs or Unix/Linux syslog you want to collect. Follow the generic Splunk guidelines to install the Splunk Universal Forwarder on a Windows machine:
Install the Splunk Universal Forwarder on the target system. Note that the Universal Forwarder does not include Splunk Web, so you configure it from the command line or by editing its configuration files.
You must extract the Add-on from the
To configure the Centrify Add-on for Splunk for an on-premise deployment:
Make sure that you have admin rights to copy
There are different input stanzas in inputs.conf. This particular inputs.conf file contains entries for various file locations for monitoring syslog, depending on the OS platform.
To enable any stanza based on your OS, change the disabled property of the stanza from
Note that the source types are hard-coded in the TA, and you are advised not to change them: the Centrify dashboard apps expect those exact source types, and if you change them the dashboards stop working.
NOTE: The index, by contrast, can be changed to suit your needs. You can use the following configuration (example) when you want to index data with a specific index in
# Red Hat, CentOS, Citrix XenServer, Oracle Enterprise Linux, Scientific Linux, Fedora, SUSE, openSUSE
[monitor:///var/log/messages]
sourcetype = syslog
disabled = 1
index = centrify
Follow the generic Splunk guidelines to install the Splunk Add-on for Windows on a Windows machine:
Follow the generic Splunk guidelines to install the Splunk Add-on for Unix and Linux on a Unix or Linux machine:
To forward data to the indexer:
Once you have configured the Add-on, point the forwarder at the Indexer using the following command (on Windows, run splunk.exe from %SPLUNK_HOME%\bin):
$SPLUNK_HOME/bin/splunk add forward-server <indexer>:<port>
<indexer> is the Indexer's address and <port> is the receiving port on the Indexer. Splunk recommends forwarding data to port 9997 on the Indexer; whichever port you choose must match the one you enable for receiving on the Indexer. Note that the forwarder-to-indexer connection is plain TCP unless you configure TLS on both ends (the tcpout settings on the forwarder and a splunktcp-ssl input on the Indexer).
See the list of configured Indexers using the
To install the Centrify Add-on for Splunk on the Indexer (a Splunk Enterprise instance):
Enable receiving on an available port by going to Splunk Web > Settings > Forwarding & Receiving > Configure Receiving and enabling the port. Splunk recommends enabling receiving on port 9997.
Install the Centrify Add-on for Splunk on the Indexer.
This step helps to index data in
The Centrify Add-on for Splunk does not need any specific configuration on the Indexer.
If you use an index other than main (for example, centrify as in the inputs.conf example above), create that index on the Indexer before you start forwarding: Splunk drops events that arrive for an index it does not have, so a missing index shows up only as an empty dashboard and an error in the Indexer's splunkd.log.
To install and configure Centrify Add-on and App for Splunk on the Search Head:
Install the Centrify Add-on for Splunk and the Centrify App for Splunk on your Search Heads.
To configure the Centrify App for Splunk, add the index you chose (for example, centrify) to the default search indexes of each role that should see the data: Settings > Access Controls > Roles > (select the role) > Indexes searched by default. Because this also gives the role search access to the index, grant it only to roles that should be able to search Centrify events.
You do not need any special configuration for the Centrify Add-on for Splunk on the Search Head.
Note: The Forwarder, Indexer, and Search Head are on a single machine in a stand-alone deployment (but in a distributed environment, each component is on a separate machine).
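The steps above are tied together in the following added example, which is not part of the Centrify or Splunk documentation. It writes the forwarder-side inputs.conf and outputs.conf and the indexer-side inputs.conf and indexes.conf into a scratch directory (never into $SPLUNK_HOME), flips exactly one monitor stanza from disabled = 1 to disabled = 0, and then checks that every index an enabled stanza points at is actually defined on the Indexer, which is the mistake that most often leaves the dashboards empty. The indexer hostname idx01.example.com, the app directory name centrify-addon and the second Debian/Ubuntu stanza are assumptions made for the example; the first stanza is the one from this page.

```shell
#!/bin/sh
# Added example, not part of the Centrify/Splunk documentation: builds the
# forwarder- and indexer-side configuration from this section in a scratch
# directory and checks that the index the forwarder sends to exists on the
# indexer (Splunk drops events for an undefined index). Hostname, app
# directory name and the second monitor stanza are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
FWD="$WORK/forwarder/etc/apps/centrify-addon/local"   # assumed app dir name
IDX="$WORK/indexer/etc/system/local"
mkdir -p "$FWD" "$IDX"

# The inputs.conf stanza shown on this page, in its shipped (disabled) state,
# plus a second constructed stanza that enable_stanza must leave alone.
write_inputs() {
  cat > "$1" <<'EOF'
# Red Hat, CentOS, Citrix XenServer, Oracle Enterprise Linux, Scientific Linux, Fedora, SUSE, openSUSE
[monitor:///var/log/messages]
sourcetype = syslog
disabled = 1
index = centrify

# Debian, Ubuntu (constructed for this example)
[monitor:///var/log/syslog]
sourcetype = syslog
disabled = 1
index = centrify
EOF
}

# Set disabled = 0 inside exactly one stanza; the sourcetype and every other
# stanza stay untouched. $1 = file, $2 = stanza header without brackets.
enable_stanza() {
  awk -v target="[$2]" '
    /^\[/ { in_target = ($0 == target) }
    in_target && $1 == "disabled" { print "disabled = 0"; next }
    { print }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# What "splunk add forward-server idx01.example.com:9997" writes to outputs.conf
# on the forwarder (hostname assumed). This is plain TCP; add TLS settings here
# and use [splunktcp-ssl:9997] on the indexer if the link must be encrypted.
write_outputs() {
  cat > "$1" <<'EOF'
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = idx01.example.com:9997
EOF
}

# Indexer side: open the receiving port and define the custom index.
write_indexer_conf() {
  printf '[splunktcp://9997]\ndisabled = 0\n' > "$1/inputs.conf"
  cat > "$1/indexes.conf" <<'EOF'
[centrify]
homePath   = $SPLUNK_DB/centrify/db
coldPath   = $SPLUNK_DB/centrify/colddb
thawedPath = $SPLUNK_DB/centrify/thaweddb
EOF
}

# Distinct index names referenced by enabled monitor stanzas (a monitor stanza
# with no disabled key is enabled).
enabled_indexes() {
  awk '
    function emit() { if (idx != "" && dis == "0") seen[idx] = 1; idx = ""; dis = "0" }
    /^\[/            { emit() }
    $1 == "disabled" { dis = $3 }
    $1 == "index"    { idx = $3 }
    END              { emit(); for (i in seen) print i }
  ' "$1" | sort
}

# Return 1 and name every index the forwarder will send to that $2 does not define.
check_indexes() {
  rc=0
  for i in $(enabled_indexes "$1"); do
    grep -qxF "[$i]" "$2" || { echo "missing index on indexer: $i" >&2; rc=1; }
  done
  return $rc
}

run_demo() {
  write_inputs "$FWD/inputs.conf"
  enable_stanza "$FWD/inputs.conf" "monitor:///var/log/messages"
  write_outputs "$FWD/outputs.conf"
  write_indexer_conf "$IDX"
  check_indexes "$FWD/inputs.conf" "$IDX/indexes.conf"
}

run_demo && echo "forwarder and indexer configs written to $WORK and consistent"
```

To apply the same check against a real deployment, point check_indexes at the forwarder's merged inputs.conf (splunk btool inputs list --debug shows which file each stanza comes from) and at the indexer's indexes.conf; the stanza toggling in enable_stanza is deliberately scoped to one header so that the hard-coded sourcetype lines are never rewritten.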