Use this article and the attached guide to install and setup Splunk.
Required Dependencies for Splunk Add-On:
- sudo apt-get install libgmp-dev
- sudo apt-get install libmpfr-dev
- sudo apt-get install libmpc-dev
Supported Log Types:
- AUTH (authentication logs for Silo session ONLY)
- LOCATION CHANGE
- BLOCKED URL
- A8SS (Secure Storage)
- HARVEST (covers both Harvester and Collector use)
- ENC (Log type if Log Encryption is Enabled)
We currently only support management of 91 different private encryption keys, if you need support for more than 91 keys please reach out to us at firstname.lastname@example.org
- Does not work on Splunk running on a server with Windows Operating System
- If there is a wrong input provided during configuration after installation of the add-on, there are no Splunk errors that are thrown, the errors will be located in the add-on logs (ta-authentic8.log) - this includes an incorrect private key for encryption or an incorrect API token.
- If the mistake does not cause an error, an example being using the wrong Org name, no errors will be thrown in the logs or in the Splunk UI but you will be able to tell in the ta-authentic8.log file that nothing is being collected during the interval. It will say “No data is available” and sequence ID (unless you have already successfully run the add-on in the past) will show as 0 for all log types.
- The add-on does not support pulling logs for 2 top level Silo Organizations as the sequence IDs for the logs between the 2 organizations will be different. There are no issues with pulling multiple sub-orgs in addition to the parent organization.
- If you install the application without installing the above dependencies, the following error will show up in Splunk. This cannot be solved by installing the dependencies after the fact but will require removing the Authentic8 Splunk Add-on completely, installing the dependencies if you have not already installed them, and reinstalling the Authentic8 Splunk Add-on.
- We have also noticed that these dependencies (which as sub-dependencies for the above mentioned ones) can also cause this type of error
- The error that is caused is the following,
- Unable to initialize modular input "authentic8" defined in the app "TA-authentic8": Introspecting scheme=authentic8: script running failed (exited with code 1)..