[HOW TO] Integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk

11 April 2019 at 11:51 AM

How to configure the integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk

Part2 - Integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk




In this part an audit profile is configured so that session recording starts when privileges are elevated, and Splunk is integrated with the auditing service so that the recorded sessions can be opened directly from the Splunk portal.


Requirements - Part 2
Splunk Enterprise trial, on-premises (a Splunk Cloud instance also works)
Splunk Universal Forwarder installer
Centrify Add-on for Splunk
In this part of the lab we install Splunk and integrate it with Centrify Direct Audit.

  1. To start the Splunk configuration we need a Splunk account in order to download the software. In my case I will use a trial account.
  2. Download the version for Windows Server.


  3. For this lab a Windows Server 2012 R2 machine is used to install Splunk Enterprise.
  4. Perform the custom installation so that the administrator account can be configured during setup. If the default installation is used instead, the preconfigured account (user: admin, password: changeme) applies and the credentials are requested at the end of the installation. Change that default password before the server is reachable from the network; a Splunk instance with the stock admin credentials gives anyone who finds it full control of the indexed audit data.


  5. Select the option "Find More Apps", search for the Centrify application, "Centrify Add-on for Splunk", and install it. If the server has no internet connection, the add-on can be downloaded from https://splunkbase.splunk.co and installed from file as described in the next step.



  6. To install the add-on from a downloaded file, select Manage Apps —> Install app from file.




  7. For the application to appear in the menu, locate it in the application list, select Edit properties and set Visible to Yes.


  8. For more information on how to perform the installation of Add-On in Splunk you can visit the following link.
  9. Next, configure the Splunk Universal Forwarder, which sends logs and system data from the audited machine to the Splunk server. For this lab the Universal Forwarder is installed on a Windows 7 system. Download the Windows version of the Splunk Universal Forwarder and follow the default installation steps. In the installer, make sure the option for an on-premises Splunk Enterprise deployment is selected, not Splunk Cloud.








  10. For more information about how Splunk Forwarder works, visit the following link:
  11. Once the installation has finished, verify in the Windows Services console that the SplunkForwarder service is running.


  12. To install the Centrify Add-on manually on the forwarder, unzip the downloaded file and copy the folder "TA-centrify" into the path "C:\Program Files\SplunkUniversalForwarder\etc\apps\".


  13. Make a copy of the inputs.conf.example file and rename it to inputs.conf. Edit the file so that the input stanza has "disabled = 0" and save the changes; without this the add-on is installed but collects nothing.
  14. Restart the forwarder so that the changes take effect, and verify the installation. Open a Command Prompt in the bin folder of the installation path (in my case C:\Program Files\SplunkUniversalForwarder\bin) and run the command "splunk restart".
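The forwarder-side steps 12 to 14 can also be scripted. The following PowerShell is an added example written for this article; it is not part of the original article or of the Centrify add-on. It assumes the default forwarder installation path, that the add-on zip was saved in the Downloads folder under the file name shown, and that the add-on ships an inputs.conf.example file as the article states. Unlike the manual steps, it writes the enabled inputs.conf into the add-on's local folder rather than beside the example, so that a later add-on upgrade, which replaces the default folder, does not silently disable the input again.

```powershell
# Added example (not from the original article): automates steps 12-14 on the
# Universal Forwarder host. Paths, file names and the staging folder are assumptions.
$ErrorActionPreference = 'Stop'   # a half-installed add-on is worse than none

$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'          # default install path (assumed)
$AddonZip   = "$env:USERPROFILE\Downloads\centrify-add-on-for-splunk.zip"  # assumed download name
$AppsDir    = Join-Path $SplunkHome 'etc\apps'
$TaDir      = Join-Path $AppsDir 'TA-centrify'
$SplunkExe  = Join-Path $SplunkHome 'bin\splunk.exe'

# Step 12: unzip to a scratch folder and copy only the TA-centrify folder into etc\apps.
$Staging = Join-Path $env:TEMP 'ta-centrify-staging'
if (Test-Path $Staging) { Remove-Item $Staging -Recurse -Force }
Expand-Archive -Path $AddonZip -DestinationPath $Staging
$Extracted = Get-ChildItem -Path $Staging -Directory -Recurse -Filter 'TA-centrify' |
    Select-Object -First 1
if (-not $Extracted) { throw "TA-centrify folder not found inside $AddonZip" }
Copy-Item -Path $Extracted.FullName -Destination $TaDir -Recurse -Force

# Step 13: build inputs.conf from the shipped example with the input enabled.
# Splunk reads local\ after default\, so local\inputs.conf survives add-on upgrades.
$ExampleFile = Get-ChildItem -Path $TaDir -Recurse -Filter 'inputs.conf.example' |
    Select-Object -First 1
if (-not $ExampleFile) { throw "inputs.conf.example not found under $TaDir" }
$LocalDir = Join-Path $TaDir 'local'
New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null

$Conf    = Get-Content -Path $ExampleFile.FullName -Raw
$Enabled = [regex]::Replace($Conf, '(?m)^\s*disabled\s*=\s*(1|true)\s*$', 'disabled = 0')
if ($Enabled -eq $Conf) {
    # Nothing changed: either the example is already enabled or the stanza is laid out
    # differently. Do not guess; make the operator look at the file.
    Write-Warning "No 'disabled = 1' line found in $($ExampleFile.FullName); check the stanza by hand"
}
Set-Content -Path (Join-Path $LocalDir 'inputs.conf') -Value $Enabled -Encoding ASCII

# Step 14: restart the forwarder and verify the service and the configured indexer.
& $SplunkExe restart
Get-Service -Name SplunkForwarder | Select-Object Name, Status
# Lists the indexer(s) this forwarder sends to; prompts for the forwarder's local
# admin credentials. The indexer configured in the installer should appear as active.
& $SplunkExe list forward-server
```

If the forwarder reports the indexer under "Configured but inactive forwards", the receiving port on the Splunk server (step 19) is not yet open or is blocked by a firewall; fix that before looking for missing events in the search.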


  15. Now add the data sources on the Splunk server: go to Settings —> Add Data —> Forward.


  16. Select the data sources to be processed. For the scope of this lab only the local "Application" event log is needed, since that is where the Centrify audit events are written.




  17. Create a new index so that the captured events are grouped in it. This step is optional, but a dedicated index makes it easier to restrict who can search the audit data and to scope the query in step 20.





  18. Finish the Add Data wizard.

  19. Now define the port on which the server receives data from the forwarder: go to Settings --> Forwarding and receiving --> Configure receiving --> New Receiving Port. The port must match the one entered during the forwarder installation. Note that a receiving port accepts data from any host that can reach it, so restrict it at the firewall to the forwarder hosts.


  20. Once the previous configuration is finished, we can build a search such as the following. This filter shows only the events that belong to a Centrify audit session, that is, events whose DASessID field is set; events without a session carry the value "N/A". Run the search and save it for future reference (if a dedicated index was created in step 17, prefix the search with index=<name> so it does not scan every index): (DASessID != "N/A")




  21. Finally, to view an audit session directly from Splunk, select an event from the search results, click the "Event Actions" button and choose the "Replay Session" option, which opens the Audit Analyzer's visualization console.
    Note that two requirements apply for this to work: the Splunk event must contain the audit session id (DASessID), and the Centrify Audit Analyzer console must be installed on the computer from which the session is being replayed.