Splunk
You can configure a Splunk entry on Standalone Sentry so that Standalone Sentry periodically sends Sentry health and audit log data to the Splunk Enterprise server set up on your network. Logs are forwarded to the Splunk receiver and are also written to the local log location.
Overview of the steps for setting up Splunk on Standalone Sentry
Following is an overview of the steps for setting up Splunk on Standalone Sentry:
1. Enabling the Splunk forwarder service in Standalone Sentry.
2. Adding a Splunk receiver entry in Standalone Sentry.
3. Configuring Standalone Sentry data to export to Splunk.
4. Tasks in Splunk server to set up Standalone Sentry.
Enabling the Splunk forwarder service in Standalone Sentry
Enable the Splunk forwarder service so that it can push data to the Splunk receiver.
NOTE: The Splunk forwarder service can also be enabled using the CLI.
Procedure
1. In Standalone Sentry System Manager, go to Settings > Services.
2. For Splunk Forwarder, select Enable.
3. Click Apply > OK to save the changes.
The status for Splunk Forwarder displays as Running.
Next steps
Go to Adding a Splunk receiver entry in Standalone Sentry.
Adding a Splunk receiver entry in Standalone Sentry
You add the Splunk receiver in the Standalone Sentry System Manager in Settings > Splunk.
Procedure
1. In Standalone Sentry System Manager, go to Settings > Splunk.
2. Click Add to open the Add Splunk Receiver window.
3. Configure the fields.

Field | Description
Splunk Receiver | The IP address or hostname of your Splunk Enterprise server.
Port | The port on which your Splunk Enterprise server listens for forwarded data. It must match the receiving port configured on the Splunk server.
Enable SSL | (Optional) Select the check box to encrypt the connection to the Splunk receiver. Recommended: audit and health data otherwise cross the network in cleartext. The Splunk receiver must be configured to accept SSL connections on this port, or the forwarder cannot connect.

4. Click Apply > OK to save the changes.
Next steps
Go to Configuring Standalone Sentry data to export to Splunk.
Configuring Standalone Sentry data to export to Splunk
Use the Standalone Sentry command line interface (CLI) to configure the data to export to Splunk.
Procedure
1. SSH to Standalone Sentry.
2. Enter configuration mode.
3. In configuration mode, enter sentry audit to enable miauditlogs log data for export.
4. In configuration mode, enter sentry health-monitor to enable mihealth log data for export.
5. Enter end to exit configuration mode.
Next steps
Go to Tasks in Splunk server to set up Standalone Sentry.
See Log representation and format for the representation and the format of the data captured in audit and health logs.
Tasks in Splunk server to set up Standalone Sentry
Do the following on the Splunk server:
1. Ensure that the Splunk listener is on the same port as the one configured in the Splunk receiver entry in Standalone Sentry, and that it accepts SSL connections if Enable SSL is selected on that entry.
2. Enable the miauditlog and mihealth indexes, which are sentry_miaudit and sentry_mihealth respectively. The indexes must exist before data arrives; Splunk drops events addressed to an index it does not have (unless lastChanceIndex is configured).
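The following is an added configuration example for the two Splunk server tasks above; it is not from the original page or from the Sentry or Splunk product documentation. It assumes that the Sentry forwarder speaks Splunk's forwarder-to-indexer protocol (splunktcp), which the page does not state explicitly, that 9997 is the port entered in the Sentry Splunk receiver entry, and that the certificate path, passphrase placeholder and retention periods are placeholders to replace with your own. It shows the cleartext receiver beside the SSL receiver that matches the Enable SSL option, plus the two indexes.

```ini
# Added example (not from the original page). Splunk Enterprise server side.
# Place under $SPLUNK_HOME/etc/system/local/ (or an app's local/ directory).
# Assumption: Sentry forwards over splunktcp to port 9997.

# ======================= inputs.conf =======================

# Weak setting: cleartext receiver. Only valid if "Enable SSL" is NOT
# selected on the Sentry Splunk receiver entry. Audit data then crosses
# the network unencrypted, so prefer the SSL stanza below.
#[splunktcp://9997]
#disabled = 0

# Corrected setting: SSL receiver on the same port, matching "Enable SSL"
# on the Sentry entry. Sentry must be able to validate this certificate.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
# PEM file holding the receiver's certificate chain and private key
# (placeholder path; replace with your own).
serverCert = $SPLUNK_HOME/etc/auth/splunk-receiver.pem
# Passphrase of the private key in serverCert (placeholder).
sslPassword = <private-key-passphrase>
# Sentry does not present a client certificate in this setup (assumption).
requireClientCert = false

# ======================= indexes.conf =======================

# Index for Sentry audit log data (miauditlog). Must exist before the
# forwarder is enabled; events for a missing index are dropped.
[sentry_miaudit]
homePath   = $SPLUNK_DB/sentry_miaudit/db
coldPath   = $SPLUNK_DB/sentry_miaudit/colddb
thawedPath = $SPLUNK_DB/sentry_miaudit/thaweddb
# Retain audit history for one year (365 * 86400 s); retention is an assumption.
frozenTimePeriodInSecs = 31536000

# Index for Sentry health monitor data (mihealth).
[sentry_mihealth]
homePath   = $SPLUNK_DB/sentry_mihealth/db
coldPath   = $SPLUNK_DB/sentry_mihealth/colddb
thawedPath = $SPLUNK_DB/sentry_mihealth/thaweddb
# Health data ages out after 30 days (30 * 86400 s); retention is an assumption.
frozenTimePeriodInSecs = 2592000
```

After saving both files, restart splunkd ($SPLUNK_HOME/bin/splunk restart) so the new listener and indexes take effect, then confirm the effective settings with `splunk btool inputs list splunktcp-ssl` and `splunk btool indexes list sentry_miaudit`, and check that the port is open with `ss -ltn` (or `netstat -ltn`). Keep only one of the two receiver stanzas active for a given port: the cleartext and SSL listeners cannot share it.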