topic Re: Universal Forwarder Technology Add-On in Security

Universal Forwarder Technology Add-On

Mohamad_Alaa — Tue, 21 Nov 2023 15:38:18 GMT

Dear Team,

I installed enterprise security on the search head and downloaded Splunk_TA_ForIndexer from ES General settings

now i am stuck for UF technology add-on, from where i can find it? no option from the ES interface and i can't find it on splunkbase portal
I tried multiple search keyword on splunkbase with no luck

Re: Universal Forwarder Technology Add-On

richgalloway — Tue, 21 Nov 2023 15:59:25 GMT

Why are you looking for that TA? What problem are you trying to solve? What documentation said to install the UF TA?

If you are a Splunk Cloud customer, the UF TA is available from your Splunk Cloud search head. Open the "Universal Forwarder" app then click the green Download button. If you are not a Splunk Cloud customer then you probably don't need the TA, depending on the answers to the above questions.

Re: Universal Forwarder Technology Add-On

Mohamad_Alaa — Wed, 22 Nov 2023 08:33:34 GMT

i am using splunk fully on prem - no cloud option

as per documentation TA to be installed on UF, you can refer to below link

https://community.splunk.com/t5/Security/Universal-Forwarder-Technology-Add-On/m-p/669359#M17403

As i understood, TA to be installed on Indexers (already done) and on UF

Thanks

Re: Universal Forwarder Technology Add-On

richgalloway — Wed, 22 Nov 2023 13:55:03 GMT

The link provided is to this question, not to any documentation.

If the TA is already installed on the indexers then you have what you need. Just install the same TA on the forwarders.

Re: Universal Forwarder Technology Add-On

Mohamad_Alaa — Thu, 23 Nov 2023 16:45:05 GMT

https://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall

here is the correct link

no one mentioned that it is the same TA for both, did you tried this before?
As per documentation it should be downloaded directly from splunkbase, but can't find it. The only thing i found is "Splunk-add-on-for-windows" but not sure if that's it or not

thanks

Re: Universal Forwarder Technology Add-On

PickleRick — Thu, 23 Nov 2023 20:02:45 GMT

It's a general method of installing addons. You need addons for your particular sources.

Re: Universal Forwarder Technology Add-On

richgalloway — Thu, 23 Nov 2023 21:03:50 GMT

There's a lot of Splunk documentation so I understand why you don't have all the information yet. See https://docs.splunk.com/Documentation/AddOns/released/Overview/Wheretoinstall for tips on where to install TAs. The instructions that come with the TA are the best guide, however.

Splunkbase apps should be obtained directly from Splunkbase rather than via 3rd-party sources that may not be reputable. However, once you've downloaded the TA it does not need to be downloaded again until a new version is available. The one downloaded copy may be installed as many times as you wish.

Re: Universal Forwarder Technology Add-On

Mohamad_Alaa — Thu, 23 Nov 2023 21:46:03 GMT

I appreciate all your efforts,
Now to make things clear,
1- Does i need to install TA Add-on on UF regarding ES? (yes or no) noting that all my values on the security posture dashboard still zero although i enabled all correlation searches
2- If yes i need on UF, from where i can download it? noting that i didn't find any TA on splunkbase

thanks once again

Re: Universal Forwarder Technology Add-On

richgalloway — Fri, 24 Nov 2023 00:58:28 GMT

First, do NOT enable all ES correlation searches. That will cause more problems than it will solve. Enable only the correlation searches that pertain to your use cases and for which you have data ingested in Splunk.

Where a TA should be installed depends on what the TA does. The installation instructions for the TA should specify the location. If it doesn't use the "Where to install" I link I provided earlier. Generally speaking, it can't hurt to install a TA on both indexers and UFs.

Splunkbase is the source for most Splunk TAs. Others can be downloaded from the vendors that created them for their products. Still others are available from GitHub. It can be difficult to locate a TA without knowing the name, however. What do you want the TA to do? Perhaps we can help you find something appropriate.

Re: Universal Forwarder Technology Add-On

Mohamad_Alaa — Fri, 24 Nov 2023 18:06:55 GMT

can u share the TA UF, specifically used for ES?
Or the download link or any helpful screenshot

Re: Universal Forwarder Technology Add-On

PickleRick — Fri, 24 Nov 2023 18:14:12 GMT

Again - there is no such thing as "add on for UF". There are several different add-ons (which you install on various components of your Splunk Infrastructure, including UFs) needed for specific solution you want to ingest data from.

So if you want to process logs from Checkpoint firewalls, you use TA for Checkpoint. If you get logs from Proofpoint you install UF for Proofpoint. And so on.

Re: Universal Forwarder Technology Add-On

richgalloway — Fri, 24 Nov 2023 18:19:13 GMT

There is no UF add-on specific to ES. ES can produce an add-on for your indexers, but that method can be used only in limited circumstances. See https://docs.splunk.com/Documentation/ES/7.2.0/Install/InstallTechnologyAdd-ons#Deploy_add-ons_to_forwarders for when it can be used and alternatives for other environments. I recommend manual installation of add-ons.

Re: Universal Forwarder Technology Add-On

Mohamad_Alaa — Sat, 25 Nov 2023 09:16:19 GMT

So if i have 50 devices i need to install the TA on all 50? lets assume cisco, fortinet, palo alto ...
So its not enough installing TA on idexers and already such devices are sending the logs to the indexer?

Re: Universal Forwarder Technology Add-On

PickleRick — Sat, 25 Nov 2023 09:37:22 GMT

TA_for_indexers contains only the installation part needed for indexers (definition of indexes) that are needed for ES to work. But it's just so that ES on its own is "fully installed".

Apart from that Splunk (and ES too) needs to know how to work with specific types of data provided by various kinds of sources. That's what TAs for those sources are for.

So yes, if you have 40 _types_ of devices, you might need 40 different TAs. Often TAs contain definitions, parsing rules and CIM-mappings for multiple sources from a single vendor (so you might not need to have a separate TA for every single type of Juniper firewalls, just a single TA able to parse JunOS events).

Re: Universal Forwarder Technology Add-On

Mohamad_Alaa — Sun, 26 Nov 2023 07:48:23 GMT

ok much clear,

i have cisco switches, tried to search for that Add-on but with no luck. I can see cisco ESA, WSA, ISE ... but not IOS as switches or routers?

Moreover, installation tab is empty they are not includes the installation steps

any advise here?

Re: Universal Forwarder Technology Add-On

PickleRick — Sun, 26 Nov 2023 19:15:35 GMT

Might be that those particular kinds of sources are not covered by any ready-made addons.

Splunk-supported Add-ons usually have their documentation on https://docs.splunk.com/

Third-party addons - well, here you're on your own and on mercy of the addon creator.