Introduction
This article, along with the attached guide at the bottom of the page, provides step-by-step instructions for installing and setting up the Authentic8 Silo Add-on (TA) for Splunk Enterprise.
Splunkbase listing: Authentic8 Silo Add-on for Splunk
Prerequisites:
- Access to Splunk Online Portal: https://login.splunk.com/
- Paid subscription or free trial account access
- A Silo account with administrator access for your organization
- A Silo Service Account and associated Log API Auth Token (by request)
- An existing server running a supported operating system and version of software
Supported Splunk Versions:
- Splunk Enterprise version 8.x, 9.x
- Splunk Cloud with heavy forwarders
Supported Operating Systems:
- Red Hat Enterprise Linux (RHEL)
  - Versions: 7.x, 8.x, 9.x
- Debian
  - Versions: 9.x, 10.x, 11.x, 12.x
- Ubuntu
  - Versions: 16.x, 18.x, 20.x, 22.x
Required Dependencies for Splunk Add-On:
- RHEL Package Dependencies:
- libmpc, libmpc-devel, gmp-devel, gcc, mpfr, mpfr-devel, gmp
- RHEL Symbolic Link Configuration:
OS Version | CLI Command to create Symbolic Link |
---|---|
RHEL 7 | ln -s /lib64/libmpfr.so.4.1.1 /lib64/libmpfr.so.6 |
RHEL 8 | ln -s /lib64/libmpfr.so.4.1.6 /lib64/libmpfr.so.6 |
RHEL 9* | ln -s /lib64/libmpfr.so.6.1.0 /lib64/libmpfr.so.6 |

*Not required in newer versions of RHEL 9.
- Debian/Ubuntu Package Dependencies:
- libgmp-dev, libmpfr-dev, libmpc-dev
Supported Log Types:
- URL
- DOWNLOAD
- UPLOAD
- SESSION
- AUTH (authentication logs for Silo session ONLY)
- ADMIN_AUDIT
- LOCATION CHANGE
- BLOCKED URL
- TRANSLATION
- A8SS (Secure Storage)
- HARVEST (covers both Harvester and Collector use)
- ENC (Log type if Log Encryption is Enabled)
Known Limitations:
We currently only support the management of 91 different private encryption keys. If you need support for more than 91 keys, please submit a support ticket.
Known Issues:
- Compatibility Issues: Does not work on Splunk running on a server with a Windows Operating System.
- Configuration Errors: If incorrect input is provided during configuration after the add-on is installed, no Splunk errors are thrown. The errors, including an incorrect private key for encryption or API token, will be located in the add-on logs (ta-authentic8.log).
- If the mistake does not cause an error (e.g., using the wrong Org name), no errors will appear in the logs or Splunk UI. However, the ta-authentic8.log file will indicate that nothing is being collected during the interval, showing "No data is available" and sequence ID as 0 for all log types unless the add-on has been successfully run in the past.
- Multiple Organizations: The add-on does not support pulling logs for two top-level Silo Organizations as the sequence IDs for the logs between the two organizations will differ. However, there are no issues with pulling multiple sub-orgs in addition to the parent organization.
- Dependency Installation: If you install the application without installing the dependencies, the following error will show up in Splunk: "Unable to initialize modular input 'authentic8' defined in the app 'TA-authentic8': Introspecting scheme=authentic8: script running failed (exited with code 1)." This cannot be solved by installing the dependencies afterward but will require removing the Authentic8 Splunk Add-on completely, installing the dependencies, and then reinstalling the add-on.
- Sub-dependencies: Dependencies such as libgmpxx4ldbl and libmpc3, which are sub-dependencies, can also cause similar errors.
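Because a missing dependency cannot be repaired after the add-on is installed, it helps to verify the dependency list and the libmpfr.so.6 link beforehand. The script below is an added example, not part of the Authentic8 guide; the package names and the /lib64/libmpfr.so.6 path come from this article, while the function names, the `--check` flag and the /etc/os-release detection are assumptions.

```shell
#!/bin/sh
# Added example: preflight check to run BEFORE installing the add-on.
# Package names and /lib64/libmpfr.so.6 come from the article; all function
# names and the --check flag are hypothetical.
RHEL_PKGS="libmpc libmpc-devel gmp-devel gcc mpfr mpfr-devel gmp"
DEB_PKGS="libgmp-dev libmpfr-dev libmpc-dev"

rpm_installed() { rpm -q "$1" >/dev/null 2>&1; }
deb_installed() {
    # "dpkg -s" also succeeds for removed-but-configured packages, so match the status text.
    dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q '^install ok installed$'
}

# missing_pkgs QUERY_FN PKG... : print each package QUERY_FN reports absent.
missing_pkgs() {
    query=$1; shift
    for pkg in "$@"; do
        "$query" "$pkg" || printf '%s\n' "$pkg"
    done
}

# mpfr_link_state [LIBDIR] : prints ok | dangling | missing for LIBDIR/libmpfr.so.6
mpfr_link_state() {
    link="${1:-/lib64}/libmpfr.so.6"
    if [ -e "$link" ]; then echo ok          # -e follows the symlink to its target
    elif [ -L "$link" ]; then echo dangling  # link exists, target version does not
    else echo missing
    fi
}

preflight() {
    rc=0
    if grep -qiE '^ID(_LIKE)?=.*(rhel|fedora|centos)' /etc/os-release 2>/dev/null; then
        missing=$(missing_pkgs rpm_installed $RHEL_PKGS)
        state=$(mpfr_link_state /lib64)
        [ "$state" = ok ] || { echo "libmpfr.so.6: $state"; rc=1; }
    else
        missing=$(missing_pkgs deb_installed $DEB_PKGS)
    fi
    [ -z "$missing" ] || { echo "missing packages:" $missing; rc=1; }
    return $rc
}

if [ "${1:-}" = "--check" ]; then
    preflight && echo "dependencies present" \
        || { echo "fix the items above before installing TA-authentic8"; exit 1; }
fi
```

Run it with `--check` on the Splunk host; a `dangling` result means the symbolic link from the table points at a libmpfr version that is not present on that server.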
Additional Resources:
Download the complete Splunk Enterprise Installation and Configuration Guide.
Additional Notes
Please contact Support if you have any additional questions and/or require further information.