Ivanti Policy Secure Syslog Add-On for Splunk
Ivanti Policy Secure is a network and application access control (NAC) solution used extensively in small, midrange and large enterprises. Ivanti Policy Secure can send user access, device/user authentication, Host Checker compliance, admission control, profiler discovery, device profile, attribute update and device contextual information events as Syslog messages to any Syslog receiver.
Splunk is a log management/SIEM solution that can receive Syslog messages from multiple sources. These messages are stored within Splunk and then can be correlated, searched, analyzed and displayed using its graphical user interface.
Splunk is also a platform that runs applications (Apps) as add-ons, each customized for a specific external application or product that sends Syslog. An App provides visualization of the received data without requiring the user to run complex searches within Splunk.
These Apps typically consist of a number of dashboard elements such as charts, tables and graphs, each based on a pre-defined search and accessible via a menu structure contained within the App. The Ivanti Policy Secure Splunk App is such an App, developed by Ivanti for visualizing a Syslog feed from Ivanti Policy Secure.
To integrate Ivanti Policy Secure with Splunk, perform the following:
Configuring Ivanti Policy Secure to send syslogs to Splunk
Add an instance of Splunk to Ivanti Policy Secure as a syslog server. Enter the Splunk IP address or hostname and port number at the appropriate place in the Ivanti Policy Secure administrative interface.
To configure Splunk as a Syslog server:
Go to Log/Monitoring > <User Access/Events/Admin Access>.
Click Log Settings.
Under Syslog Servers, enter the Splunk server name/IP and set the port to 9514.
The port number can be customized in the add-on's inputs.conf file if desired; the value entered here must match the port configured there.
Select the type as TCP.
Select the file format as WELF. Only WELF is supported.
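The WELF messages that the steps above configure Ivanti Policy Secure to send are key=value records, where values may be double-quoted (and contain spaces) or empty. The following added example, which is not part of the add-on or of Ivanti's own code, parses constructed sample lines of that shape and groups the message codes per user; the field names, the three-letter-plus-five-digit message code pattern and all values are assumptions or placeholders, not captured appliance output.

```python
import re
from typing import Dict, List

# Constructed sample lines in WELF (key=value) form, as they would arrive on
# the Splunk TCP input. All values are placeholders; the message codes
# AUT00001/AUT00002 are invented and carry no meaning on a real appliance.
SAMPLE_WELF = [
    'id=firewall time="2024-03-01 10:15:02" pri=6 fw=192.0.2.10 vpn=ive '
    'user=alice realm="Users" roles="Employees" type=vpn proto= src=198.51.100.7 '
    'dst= dstname= sport= dport= msg="AUT00001: Placeholder event text"',
    'id=firewall time="2024-03-01 10:15:09" pri=4 fw=192.0.2.10 vpn=ive '
    'user=bob realm="Users" roles="" type=vpn proto= src=198.51.100.9 '
    'dst= dstname= sport= dport= msg="AUT00002: Another placeholder event"',
]

# One key=value pair: the value is either a double-quoted string (which may
# contain spaces, ':' or '=') or a run of non-space characters, possibly
# empty (e.g. "proto=" or "dport=").
_PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]*)')

# Assumed shape of an Ivanti message code, e.g. three letters + five digits.
_CODE_RE = re.compile(r"[A-Z]{3}\d{5}")


def parse_welf(line: str) -> Dict[str, str]:
    """Parse one WELF line into a dict; quotes are stripped from quoted values."""
    fields: Dict[str, str] = {}
    for key, value in _PAIR_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def message_id(fields: Dict[str, str]) -> str:
    """Return the message code that prefixes msg (before ':'), or '' if absent."""
    head, sep, _ = fields.get("msg", "").partition(":")
    return head if sep and _CODE_RE.fullmatch(head) else ""


def events_by_user(lines: List[str]) -> Dict[str, List[str]]:
    """Group message codes by the 'user' field, in the order the lines arrive."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        fields = parse_welf(line)
        out.setdefault(fields.get("user", ""), []).append(message_id(fields))
    return out


if __name__ == "__main__":
    for user, codes in events_by_user(SAMPLE_WELF).items():
        print(user, codes)
```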