These are step-by-step instructions for installing and configuring the Authentic8 Silo Technical Add-on for Splunk Enterprise
Prerequisites:
- Access to Splunk Online Portal:
- https://login.splunk.com/
- Paid subscription or free trial account
- A Silo Administrator account with Logs permission
- A Log Extract API token (contact Support)
- A server running a supported operating system
- A supported Splunk Enterprise version
Supported Splunk Versions
- Splunk Enterprise version 8.x, 9.3.x, 9.4, 9.4.1
- Splunk Cloud (with Heavy Forwarder only)
Supported Operating Systems
- Red Hat Enterprise Linux (RHEL)
- Versions: 7.x, 8.x, 9.x
- Debian
- Versions: 9.x, 10.x, 11.x, 12.x
- Ubuntu
- Versions: 16.x, 18.x, 20.x, 22.x
Package Dependency Requirements
- Debian
- libgmp-dev, libmpfr-dev, libmpc-dev
- RHEL
- gcc, gmp, gmp-devel, libmpc, libmpc-devel, mpfr, mpfr-devel
- RHEL Symbolic Link Configuration:

| OS Version | CLI Command to create Symbolic Link |
|---|---|
| RHEL 7 | ln -s /lib64/libmpfr.so.4.1.1 /lib64/libmpfr.so.6 |
| RHEL 8 | ln -s /lib64/libmpfr.so.4.1.6 /lib64/libmpfr.so.6 |
| RHEL 9* | ln -s /lib64/libmpfr.so.6.1.0 /lib64/libmpfr.so.6 |

*Not required in newer versions of RHEL 9
Supported Log Types
- URL
- DOWNLOAD
- UPLOAD
- SESSION
- AUTH (authentication logs for Silo for Safe Access session)
- ADMIN_AUDIT
- LOCATION CHANGE
- BLOCKED URL
- TRANSLATION
- A8SS (Secure Cloud Storage)
- HARVEST (covers both Harvester and Collector use)
- ENC (Log Encryption required)
- ALL (Splunk specific log type that's set to independently fetch all available logs, including ENC)
Known Limitations
- A maximum of 91 unique private encryption keys
- Configuration Error: If incorrect input is entered during configuration, Splunk returns no error. Authentic8-related errors are written to the add-on log (ta-authentic8.log) instead
- If a misconfiguration does not cause an error (e.g., using the wrong Org name), no errors will appear in the logs or the Splunk UI. However, ta-authentic8.log will indicate that nothing is being collected during the interval: it shows "No data is available" along with a sequence ID of 0 for all log types, unless the add-on has successfully retrieved logs in the past
- Multiple Organizations: The add-on does not support pulling logs for two top-level Silo Organizations, because the log sequence IDs of the two organizations differ. Pulling multiple sub-orgs in addition to their parent organization works without issue
- Missing Dependencies: If you install the application without the required package dependencies, the following error will be displayed in Splunk: Unable to initialize modular input 'authentic8' defined in the app 'TA-authentic8': Introspecting scheme=authentic8: script running failed (exited with code 1)
- Sub-dependencies: Missing sub-dependencies such as libgmpxx4ldbl and libmpc3 can cause the same error
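A preflight check for the package dependencies and the RHEL libmpfr.so.6 link, run before installing the add-on so the "Unable to initialize modular input" error above is caught up front. This is an added example, not part of this guideline or the Authentic8 add-on; the package lists and the libmpfr.so.6 requirement come from the sections above, while the function names, the /etc/os-release family detection and the rpm -q / dpkg -s probes are assumptions.

```shell
#!/bin/sh
# Added preflight check (not vendor code). Package names and the libmpfr.so.6
# requirement come from the guide; the rest of the structure is an assumption.

# Packages the guide lists for each OS family.
a8_required_packages() {
  case "$1" in
    debian|ubuntu) echo "libgmp-dev libmpfr-dev libmpc-dev" ;;
    rhel)          echo "gcc gmp gmp-devel libmpc libmpc-devel mpfr mpfr-devel" ;;
    *)             return 1 ;;
  esac
}

# Map ID / ID_LIKE from an os-release file (default /etc/os-release) to a family.
a8_os_family() {
  ids=$(. "${1:-/etc/os-release}" 2>/dev/null && echo "$ID $ID_LIKE")
  case " $ids " in
    *rhel*|*centos*|*fedora*) echo rhel ;;
    *ubuntu*)                 echo ubuntu ;;
    *debian*)                 echo debian ;;
    *)                        return 1 ;;
  esac
}

# Print the packages from "$2" that the family's package manager does not report
# as installed; exit status 1 if any are missing.
a8_missing_packages() {
  missing=""
  for pkg in $2; do
    if [ "$1" = rhel ]; then rpm -q "$pkg" >/dev/null 2>&1 || missing="$missing $pkg"
    else dpkg -s "$pkg" >/dev/null 2>&1 || missing="$missing $pkg"; fi
  done
  echo "${missing# }"
  [ -z "$missing" ]
}

# RHEL only: the add-on cannot start unless libmpfr.so.6 resolves (see the link table).
a8_mpfr_link_ok() {
  [ "$1" != rhel ] || [ -e /lib64/libmpfr.so.6 ]
}

# Run every check and report what still has to be fixed before installing.
a8_preflight() {
  fam=$(a8_os_family) || { echo "unsupported or unknown OS family" >&2; return 2; }
  miss=$(a8_missing_packages "$fam" "$(a8_required_packages "$fam")") \
    && echo "packages: ok" || echo "install missing packages: $miss" >&2
  a8_mpfr_link_ok "$fam" && echo "libmpfr.so.6: ok" \
    || echo "create the libmpfr.so.6 link (RHEL Symbolic Link Configuration)" >&2
  [ -z "$miss" ] && a8_mpfr_link_ok "$fam"
}

case "${1:-}" in run) a8_preflight ;; esac
```

Run it as `sh a8_preflight.sh run` on the Splunk host (or heavy forwarder); a non-zero exit means a dependency from the requirements above is still missing.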
Please refer to the attached Splunk Enterprise Installation Guideline for more information
Please contact Support for any additional questions