Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

[HOW TO] Integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk

11 April,19 at 11:51 AM

How to configure the integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk

Part2 - Integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk

 

Spanish Version

 

Summary
The configuration of a profile will be made to start the recordings of the sessions from the elevation of privileges and the integration will be made with splunk so that the auditing sessions can be viewed directly from the Splunk Portal.

 

Requirements - Part 2
Trial Splunk On-Premise (It is possible to do it also cloud)
Universal Splunk Installer Forwarder
Centrify Add-on for Splunk
 
Development
In this part of the laboratory we will proceed to install Splunk and integrate it with Centrify Direct Audit.
 

  1. To start with the Splunk configuration, we must obtain an account in order to download the software. In my case I will use a trial account.
  2. Download the version for Windows Server available5EE64808-903E-4E2B-BA0C-A9479F7A9B1C.png

     

  3. For this case, we will use a Windows Server 2012 R2 Server to install the Splunk Enterprise.
  4. We perform the custom installation to carry out the configuration of the administrator account. In case of performing the default installation, use the preconfigured user (user: admin, password: changeme). Which will be requested at the end of the installation
    8D7D4EEB-09AA-4DF3-925D-AB425CF85D22.png

     

  5. We select the option "Find More Apps" to perform the search of the Centrify application, "Centrify Add-on for Splunk", and we perform the installation, in case of not having internet connection the add-on can be downloaded from the page https://splunkbase.splunk.co2D47B4CD-6106-4C0D-BB69-B5D11F297E7C.png

     

     

  6. To perform the installation of the add-on, select the option Manage Apps —> Install app from file2FB0CCB7-69D0-4057-8636-9AA210645187.png

     

    656BC83A-CD82-4D76-BFEF-89788330CAFA.png

     

  7. For the application to be visible in the menu, we must search the application within the application list, select the Edit properties option and change the Visible to Yes option4ACF10AF-597D-48DA-B0C4-1ABD53E76FAE.png

     

  8. For more information on how to perform the installation of Add-On in Splunk you can visit the following link.
  9. Next, we must do the Splunk Forwarder configuration, which will allow us to send logs and system data to the server. For this laboratory we will use a Windows 7 system for the installation of the Universal Forwarder. Download the Windows version of the Splunk Universal Forwarder and follow the installation steps by default. Verify that the check is selected for On-Premise version78BD614E-711E-48E1-820A-5381B19B8FD1.png

     

    13C76CB7-ABC9-44F9-ADF7-F96021174AA1.png

     

    9864DB51-0666-4C8D-803D-2641F0B6BA77.png

     

    1B6CB20E-BDF7-4565-ACBB-1F86325EB23B.png

     

  10. For more information about how Splunk Forwarder works, visit the following link:
  11. Once the installation is finished, we can verify that the service is running in the Windows Services console.21174732-506A-47AE-A88E-6BD83AE58A08.png

     

  12. To install the Centrify Add-On manually in the system, we must unzip the file and copy the folder "TA-centrify" into the path "C:\Program Files\SplunkUniversalForwarder\etc\apps\6DEFD48E-0771-4A44-9553-B7E1653753F1.png

     

  13. Make a copy of the inputs.conf.example file and rename it to inputs.conf. We edit the file setting the option "disabled = 0" and save the changes.
    2D9CAB6C-64B1-4AF0-9D09-5DB9237EF230.png 
  14. We restart the Forwarder so that the changes made take effect and perform a verification of the installation. We open a Command Prompt in the path where the installation was made (in my case C:\Program Files\SplunkUniversalForwarder\bin ) and execute the command "splunk restart" as shown below.D978D3B9-0EAB-4789-87D8-489658C795B6.png

     

  15. Now we must add data sources to our Splunk server, for this, we enter to Settings —> Add Data —> Forward4337B6AC-BCED-46F5-A5E2-6D5A502F6DD8.png

     

  16. We select the data sources that are going to be processed. It is important to note that for the scope of this laboratory only the local "Application" event is necessary.
    FC28B6E5-BD73-42A2-A63E-F0D938BC4CF4.png

     

    F17017F9-E82B-401D-8E9D-6C950B854788.png

     

  17. We create a new index so that the captured events are grouped within it. This step is optional.
    D696E7DB-A921-4BC5-A5BB-6637BB837EBD.png

     

    D38118EC-9F36-4C3B-8155-8A1877116C3B.png

     853979D7-68CE-409F-909B-50887BD4E13B.png

     

  18. We finish the data creation wizard.

  19. Now we must define the port of entry of the data to the server, for this, we enter Settings --> Forwarding and receiving --> Configure receiving --> New Receiving Port
    Screen Shot 2018-05-28 at 12.00.41 PM.png

     

  20. Once the previous configurations are finished, we can construct a query like the following one. This fine will only show the events that have a Centrify audit session. We execute the query and save it for future reference.(DASessID != "N/A")

    53432180-6E87-42A4-BE7A-471C6EC6D3DD.png 

    FFBC893B-6E46-4549-90DB-FF0FE5D97C94.png

     

  21. Finally, to view an audit session directly from Splunk, select a session from the query list, click on the "Event Actions" button and the "Replay Session" option, which will open the Audit Analyzer's visualization console.
    It is important to note that, as a requirement for this to work, the splunk event must contain the audit session id (DASessID) and we must have the Centrify Audit Analyzer console installed on the computer where the session will be displayed.
    1B2EC483-54B4-4F5E-87A3-F6D6179E1735.png

     

    4B7F4B8F-2460-49DF-BDBD-EEB5E088DFA9.png

     

    1B043F97-717E-43CA-BC2E-8194C8CAB50F.png

     

    EDD42F54-6874-4B0D-B0FD-7A54228458F3.png

     

 

Related Articles

 articleStart session recording when performing privilege elevation articleSIEM Integration - Understanding Centrify's Audit Events articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleCentrify 21.2 Release Notes articleCentrify Agent for Windows™ Deployment Options - Introduction articleKB-8951: Centrify Product Naming Changes - July 2017 article[Security Corner] Centrify and the Microsoft Enhanced Security Administrative Environment (2/3) articleCentrify Server Suite 2017 - What's New and What to Plan For