Configuring Ivanti Access Splunk application

Splunk fetches audit logs and Ivanti Access reports for a tenant from Ivanti Access every day. You must configure the Ivanti Access Splunk application for this activity. Splunk v8.0.1 and Ivanti Access Splunk app v5.0 are now supported.

Before you begin 

Verify that you have installed Java 8 (JRE and JDK).
Before you upgrade, delete any configured data input for Ivanti Access.

Procedure 

1. Copy the app distribution .spl file (miaccess_splunk_app.spl) to the Splunk machine.
The .spl file is available on the Product Documentation page.
2. Log in to Splunk > Apps.

Click Install app from file and select the miaccess_splunk_app.spl file. The Upload an app window opens.

Figure 1. splunk app

Figure 2. upload an app

3. Click Choose file and select miaccess_splunk_app.spl.
4. Select Upgrade app. Checking this box overwrites the app if it already exists.

If you do not have the miaccess-splunk app installed already, deselect this box.

5. Click Upload.

Once the upload completes, configure the data inputs.

6. Click Settings > Data inputs.

Figure 3. Settings > Data inputs

The miaccess_splunk_app entry is now listed in local Data inputs.

Figure 4. ivanti access in data inputs

If you do not see the app listed in local Data inputs, then restart Splunk.

7. Click New in miaccess_splunk_app to configure the file.

The data input screen appears.

8. Enter the following details:

Do not modify the data inputs while the job is running; modify them only when the job is not running.

- Ivanti Access Splunk app Configuration: Enter any name for the input configuration.
- Ivanti Access admin url: Enter the Ivanti Access admin URL, such as https://access-na1.ivanti.com or https://access-eu1.ivanti.com.
- Ivanti Access Read-only admin username: Enter the Ivanti Access username. Use an Ivanti Access read-only user.
- Ivanti Access Read-only admin password: Enter the password for the Ivanti Access user. The password is masked.
- Splunk user role username: Enter the Splunk username. At minimum, the user must have the edit_tcp role.
- Splunk user role password: Enter the password for that Splunk user.
- Splunk management port: Enter the management port, such as 8089.
- Polling interval in hours: Enter how often, in hours, Splunk pulls data from Ivanti Access.
- Click Save.

You can now monitor the fetching of audit logs and access reports in the splunkd.log file. After the Ivanti Access reports are available in Splunk, use the following indexes to search for them:

index="miaccess_report_index"

index="miaccess_audit_log_index"
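The fetch job runs on a schedule and fails silently from the search side: the indexes simply stop growing. The following script, an added example that is not part of the Ivanti Access documentation or the app, asks the Splunk REST API on the management port how many events each of the two indexes received in the last polling window and warns when one is empty. It assumes a search-capable Splunk user whose credentials are in a netrc file (SPLUNK_NETRC), a management URL in SPLUNK_MGMT (the host shown is a placeholder), and optionally the CA certificate of the management port in SPLUNK_CACERT.

```shell
#!/bin/sh
# Added example, not from the Ivanti Access documentation or the app. Asks the
# Splunk REST API on the management port (8089 in step 8) how many events each
# Ivanti Access index received in the last polling window, so a stalled fetch
# job is noticed before audit data goes missing. Assumptions: SPLUNK_MGMT is
# the management URL; curl takes a search-capable user's credentials from the
# netrc file SPLUNK_NETRC (mode 600, keeps the password out of the process
# list); SPLUNK_CACERT optionally names the CA of the management-port cert.
SPLUNK_MGMT="${SPLUNK_MGMT:-https://splunk.example.internal:8089}"  # placeholder host
SPLUNK_NETRC="${SPLUNK_NETRC:-$HOME/.netrc}"
WINDOW="${WINDOW:-24h}"   # the app fetches once a day, so expect events inside 24h

# SPL that counts the events one index received in the last window.
build_search() {
    printf 'search index="%s" earliest=-%s | stats count' "$1" "$2"
}

# Run the search through the export endpoint; one JSON row per line comes back.
run_search() {
    curl -sS --netrc-file "$SPLUNK_NETRC" ${SPLUNK_CACERT:+--cacert "$SPLUNK_CACERT"} \
        "$SPLUNK_MGMT/services/search/jobs/export" \
        --data-urlencode "search=$1" -d output_mode=json
}

# Take the count from the final result row (preview rows may precede it);
# print 0 when no row came back at all, e.g. the API was unreachable.
extract_count() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*"count":"\{0,1\}\([0-9][0-9]*\)"\{0,1\}.*/\1/p' | tail -n 1)
    printf '%s\n' "${n:-0}"
}

# 0 when the index has fresh events, 1 when the ingestion looks stalled.
check_index() {
    count=$(extract_count "$(run_search "$(build_search "$1" "$WINDOW")")")
    if [ "$count" -gt 0 ]; then echo "OK   $1: $count events in the last $WINDOW"; return 0; fi
    echo "WARN $1: no events in the last $WINDOW; check splunkd.log and the data input"
    return 1
}

main() {
    rc=0
    for idx in miaccess_audit_log_index miaccess_report_index; do
        check_index "$idx" || rc=1
    done
    return "$rc"
}

# Run the live check only when invoked with "run"; otherwise just define the functions.
if [ "${1:-}" = "run" ]; then main; fi
```

Invoke it as `sh check_ivanti_ingest.sh run` from cron with a period matching the polling interval; a non-zero exit means at least one index received nothing in the window.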

If the app is not visible after you import the .spl file, restart Splunk.

When you configure Splunk for the first time, it pulls data for the past 90 days, which can take a few minutes.

Splunk dashboard

After you add and configure the .spl file, the Ivanti Access application is available on the home page. Click the application to view its dashboards.

Figure 5. Splunk dashboard

The graphs are prepopulated for Audit Logs and Ivanti Access Reports. There is one graph for Audit Logs and four graphs for Ivanti Access Reports.

Figure 6. Audit Logs

Figure 7. Ivanti Access Reports Platforms

Figure 8. Ivanti Access Reports Actions

Figure 9. Ivanti Access Reports Geodata

Figure 10. Ivanti Access Reports Country name

Figure 11. Ivanti Access Reports derived user agents