Data Export: Splunk

The following system statistics are forwarded to the Splunk Indexer:

  • Ivanti EPMM server: Java Virtual Machine (JVM)
  • CPU: including an overview and breakdown by host, process, user, stat, and source.
  • Memory: including an overview and breakdown by host, process, user, and source.
  • Disk: including usage by host, source, and files opened by command, type, and user.
  • Network: including interfaces, interface throughput, connection details, and network sources.

This section includes the general workflow to configure the Splunk Indexer:

Step 1

Enabling the Splunk Forwarder: turn on the Splunk Forwarder so it can push data to the Splunk Indexer.

Step 2

Adding a Splunk Indexer: configure which external Splunk Indexer will receive and manipulate the data from the Splunk Forwarder.

Step 3

Configuring Splunk Data: configure which data the Splunk Forwarder sends to the Splunk Indexer.

Enabling the Splunk Forwarder

Procedure 

  1. Log into System Manager.
  2. Go to Settings > Services.
  3. Select Enable next to Splunk Forwarder.
  4. Click Apply > OK to save the changes.

Adding a Splunk Indexer

Procedure 

  1. Log into System Manager.

  2. Go to Settings > Data Export > Splunk Indexer.

  3. Click Add to open the Add Splunk Indexer window.

  4. Modify the fields, as necessary. See the following table for descriptions.

    Table 12. Add Splunk Indexer window

    | Fields | Description |
    |--------|-------------|
    | Splunk Indexer | Add the IP address of your Splunk Enterprise Server. |
    | Port | Add the port number of your Splunk Enterprise Server. |
    | Disable SSL | Click to disable Secure Socket Layer (SSL) encrypted communication. |
    | Enable SSL | Click to enable or re-enable SSL encrypted communication. |
    | Enable SSL with cert-based mutual auth | Click to enable or re-enable SSL with certificate-based mutual authentication. Select this option to connect to Splunk Heavy Forwarder for secure mutual authentication to Splunk. |
    | Choose file | Click Choose File and browse to the CA certificate chain. Select it and click OK. |

  5. Click Apply > OK to save the changes.

Configuring Splunk Data

Procedure 

To configure the data to export to Splunk:

  1. Log into System Manager.
  2. Go to Settings > Data Export > Splunk Data to open the Data to Index window.
  3. Modify the fields, as necessary. Click Show/Hide Advanced Options to further customize which data to send to Splunk.
  4. Click Apply > OK.
  5. Restart the Splunk Forwarder by disabling it, then enabling it again.

    1. Go to Settings > Services.
    2. Select Disable next to Splunk Forwarder.
    3. Click Apply > OK.
    4. Select Enable next to Splunk Forwarder.
  6. Click Apply > OK to save the changes.

Configuring Splunk certificates

Procedure 

Configure the Splunk client certificate in Ivanti System Manager at Security > Certificate Mgmt > Splunk Client certificate.

Configure the Splunk server certificate in Ivanti System Manager on the Data Export > Splunk Indexer page.
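
The receiving side of the three SSL options and the certificate settings above, as an added example that is not part of the Ivanti documentation: a Splunk receiver configuration built from Splunk's own inputs.conf and server.conf settings. The port number, file paths and password are placeholders, and the example assumes that the CA chain uploaded in the Add Splunk Indexer window is the chain that issued the receiver's server certificate.

```ini
# ---- inputs.conf on the receiving Splunk instance (indexer or heavy forwarder) ----
# Port 9997 and every file path below are placeholders (assumptions).

# Counterpart of "Disable SSL": a cleartext receiver. The forwarded CPU, memory,
# disk and network statistics would cross the network unencrypted.
# Left commented out; shown only for comparison with the TLS stanza.
# [splunktcp://9997]

# Counterpart of "Enable SSL" and "Enable SSL with cert-based mutual auth":
# a TLS receiver. Do not also open a cleartext stanza on the same port.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
# PEM file containing the receiver's server certificate and private key.
# The forwarder validates this certificate against the CA chain uploaded
# through Choose File (assumption stated in the lead-in).
serverCert = /opt/splunk/etc/auth/mycerts/receiver.pem
sslPassword = <private-key-password>

# false: one-way TLS, the counterpart of "Enable SSL".
# true:  the receiver rejects any forwarder that does not present a client
#        certificate signed by a trusted CA, the counterpart of
#        "Enable SSL with cert-based mutual auth".
requireClientCert = true

# Refuse older protocol versions.
sslVersions = tls1.2

# ---- server.conf on the same receiving instance ----
[sslConfig]
# CA bundle the receiver trusts. For mutual authentication it must contain the
# CA that issued the Splunk Client certificate configured under
# Security > Certificate Mgmt.
sslRootCAPath = /opt/splunk/etc/auth/mycerts/ca-chain.pem
```

With requireClientCert = true on the receiver, a forwarder left on plain "Enable SSL" fails the TLS handshake, so change the receiver and the Add Splunk Indexer setting together.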