Configuring Access Splunk application

Splunk fetches audit logs and Access reports for a tenant from Access every day. You must configure the Access Splunk application for this activity. Splunk v8.0.1 and Access Splunk app v5.0 are now supported.

Before you begin 

Verify that you have installed Java 8 (JRE and JDK).
Before you upgrade, delete the configured data input for Access, if any.

Procedure 

1. Copy the app distribution .spl file (miaccess_splunk_app.spl) to the Splunk machine.
The .spl file is available on the Product Documentation page.
2. Log in to Splunk and go to Apps.

Click Install app from file and select miaccess_splunk_app.spl file. The Upload an app window opens.

3. Click Choose file and select miaccess_splunk_app.spl.
4. Select Upgrade app. Selecting this option overwrites the app if it already exists.
NOTE: If the miaccess-splunk app is not already installed, deselect this option.
5. Click Upload.

Once the upload completes, configure the data inputs.

6. Click Settings > Data inputs.

The miaccess_splunk_app entry is now listed in local Data inputs.

If you do not see the app listed in local Data inputs, then restart Splunk.

7. Click New in miaccess_splunk_app to configure the file.

The data input screen appears.

8. Enter the following details:
NOTE: Do not modify the data inputs while the job is running; modify them only when the job is not running.
- MobileIron Access Splunk app Configuration: Enter any name for the input configuration.
- MobileIron Access admin url: Enter the Access admin URL, such as https://access-na1.mobileiron.com or https://access-eu1.mobileiron.com.
- MobileIron Access Read-only admin username: Enter the Access username.
NOTE: Use an Access read-only user.
- MobileIron Access Read-only admin password: Enter the password for Access. The password is masked.
- Splunk user role username: Enter a Splunk username with a role that grants at least edit_tcp.
- Splunk user role password: Enter the password for that Splunk user.
- Splunk management port: Enter the management port, such as 8089.
- Polling interval in hours: Enter how often, in hours, to pull data from Access.
- Click Save.

You can now monitor the fetching of audit logs and Access reports in the splunkd.log file. Once the Access reports are available in Splunk, use the following indexes to search for them:

index="miaccess_report_index"

index="miaccess_audit_log_index"
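As an added example, not part of this document or of the MobileIron app: a small Python check over splunkd.log lines that isolates the ExecProcessor messages relayed from this app, collects errors, and flags the fetch as stale when nothing has been logged within two polling intervals. The log lines are constructed, and the script path (miaccess.py) inside them is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# splunkd.log layout: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message".
# Output of modular-input scripts is relayed by the ExecProcessor component.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)
# The app's directory name shows up in the relayed script path; the script
# file name (miaccess.py) used in the samples is an assumption, not from the app.
APP_MARKER = "miaccess_splunk_app"

def parse_line(line):
    """Split one splunkd.log line into timestamp, level, component and message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f %z")
    return {"ts": ts, "level": m["level"], "component": m["component"], "msg": m["msg"]}

def fetch_status(lines, polling_hours, now):
    """Collect the app's ExecProcessor messages: errors plus a staleness flag.
    The fetch counts as stale when nothing was logged within two polling
    intervals, so a single missed cycle does not raise the flag."""
    errors, last_seen = [], None
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["component"] != "ExecProcessor" or APP_MARKER not in rec["msg"]:
            continue
        if rec["level"] in ("ERROR", "WARN"):
            errors.append(rec["msg"])
        if last_seen is None or rec["ts"] > last_seen:
            last_seen = rec["ts"]
    stale = last_seen is None or now - last_seen > 2 * timedelta(hours=polling_hours)
    return {"errors": errors, "last_seen": last_seen, "stale": stale}

# Constructed sample lines (not real output of the app or of Splunk).
SAMPLE_LOG = [
    '04-01-2020 02:00:01.123 +0000 INFO  ExecProcessor - message from "python /opt/splunk/etc/apps/miaccess_splunk_app/bin/miaccess.py" fetching audit logs from https://access-na1.mobileiron.com',
    '04-01-2020 02:00:05.456 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/miaccess_splunk_app/bin/miaccess.py" HTTP 401 Unauthorized: check the read-only admin credentials',
    '04-01-2020 02:00:07.000 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=0.5',
]
NOW = datetime(2020, 4, 1, 3, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    status = fetch_status(SAMPLE_LOG, polling_hours=24, now=NOW)
    print("errors:", len(status["errors"]), "stale:", status["stale"])
```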

Note the following:

After importing the .spl file, if the app is not visible, restart Splunk.

When you configure Splunk for the first time, it pulls data for the past 90 days, which can take a few minutes.

Splunk dashboard

After adding and configuring the .spl file, the MiAccess application is available on the homepage. Click the application to view the dashboards for the application.

The graphs are prepopulated for AuditLogs and AccessReports. There is one graph for AuditLogs and four graphs for AccessReports.

Dashboard panels (graph titles):
- Audit Logs
- AccessReports Platforms
- AccessReports Actions
- Access reports Geodata
- Access reports Country name
- Access reports derived useragents