How to configure the integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk
Part2 - Integration between Infrastructure Service (Auditing and Monitoring Service) and Splunk
The configuration of a profile will be made to start the recordings of the sessions from the elevation of privileges and the integration will be made with splunk so that the auditing sessions can be viewed directly from the Splunk Portal.
Requirements - Part 2
Trial Splunk On-Premise (It is possible to do it also cloud)
Universal Splunk Installer Forwarder
Centrify Add-on for Splunk
In this part of the laboratory we will proceed to install Splunk and integrate it with Centrify Direct Audit.
To start with the Splunk configuration, we must obtain an account in order to download the software. In my case I will use a trial account.
Download the version for Windows Server available
- For this case, we will use a Windows Server 2012 R2 Server to install the Splunk Enterprise.
- We perform the custom installation to carry out the configuration of the administrator account. In case of performing the default installation, use the preconfigured user (user: admin, password: changeme). Which will be requested at the end of the installation
We select the option "Find More Apps" to perform the search of the Centrify application, "Centrify Add-on for Splunk", and we perform the installation, in case of not having internet connection the add-on can be downloaded from the page https://splunkbase.splunk.co
- To perform the installation of the add-on, select the option Manage Apps —> Install app from file
- For the application to be visible in the menu, we must search the application within the application list, select the Edit properties option and change the Visible to Yes option
- For more information on how to perform the installation of Add-On in Splunk you can visit the following link.
Next, we must do the Splunk Forwarder configuration, which will allow us to send logs and system data to the server. For this laboratory we will use a Windows 7 system for the installation of the Universal Forwarder. Download the Windows version of the Splunk Universal Forwarder and follow the installation steps by default. Verify that the check is selected for On-Premise version
For more information about how Splunk Forwarder works, visit the following link:
- Once the installation is finished, we can verify that the service is running in the Windows Services console.
- To install the Centrify Add-On manually in the system, we must unzip the file and copy the folder "TA-centrify" into the path "C:\Program Files\SplunkUniversalForwarder\etc\apps\
- Make a copy of the inputs.conf.example file and rename it to inputs.conf. We edit the file setting the option "disabled = 0" and save the changes.
- We restart the Forwarder so that the changes made take effect and perform a verification of the installation. We open a Command Prompt in the path where the installation was made (in my case C:\Program Files\SplunkUniversalForwarder\bin ) and execute the command "splunk restart" as shown below.
- Now we must add data sources to our Splunk server, for this, we enter to Settings —> Add Data —> Forward
- We select the data sources that are going to be processed. It is important to note that for the scope of this laboratory only the local "Application" event is necessary.
- We create a new index so that the captured events are grouped within it. This step is optional.
We finish the data creation wizard.
- Now we must define the port of entry of the data to the server, for this, we enter Settings --> Forwarding and receiving --> Configure receiving --> New Receiving Port
- Once the previous configurations are finished, we can construct a query like the following one. This fine will only show the events that have a Centrify audit session. We execute the query and save it for future reference.(DASessID != "N/A")
- Finally, to view an audit session directly from Splunk, select a session from the query list, click on the "Event Actions" button and the "Replay Session" option, which will open the Audit Analyzer's visualization console.
It is important to note that, as a requirement for this to work, the splunk event must contain the audit session id (DASessID) and we must have the Centrify Audit Analyzer console installed on the computer where the session will be displayed.