topic Re: SplunkCloud Kiteworks integration in Splunk Cloud Platform

SplunkCloud Kiteworks integration

Paaattt — Fri, 07 Mar 2025 08:35:41 GMT

Need some guidance on SplunkCloud Kiteworks integration. We are utilizing built-in UF of Kiteworks found on admin console and sending it directly to cloud. Did you use the forwarder app package and how did you it? I don't have access to the client's KW console. All I know is currently it is asking us to upload 4 certificate files for tls and not the forwarder package app. The Splunk Cloud and Splunk Enterprise toggle button as well is disabled which is weird. I believe on lower version there no option for that but we have.

Re: SplunkCloud Kiteworks integration

livehybrid — Fri, 07 Mar 2025 12:38:23 GMT

Hi @Paaattt

Are you using Splunk Cloud as your destination? If so you'll need to download the UF app download package which will contain your certificates, and if not you'll need to gather them from your Splunk Enterprise deployment (the location may depend on your setup).

Kiteworks requires separate files for the server certificate, intermediate certificate, root certificate, and private key for TLS setup. Typically for Splunk we combine these in a single PEM file, but Kiteworks needs them as distinct files.

Obtain your Splunk PEM certs, this would be inside the UF forwarder app if you're using Splunk Cloud.
Split out the certs/keys into individual certificates (server, intermediate, root) and the private key in separate files.
Verify that the certificates are in the correct format (PEM) and the private key is in RSA format

Once you have these files you should be able to upload these to KiteWorks which will then hopefully allow you to enable to output to Splunk.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Re: SplunkCloud Kiteworks integration

Paaattt — Fri, 07 Mar 2025 16:26:53 GMT

Hi Will,

Did you separate them just by a text editor. Or you did additional steps? (e.g passphrase to decrypt the pem file, ssl password if needed , etc)

Thanks,

Patrick

Re: SplunkCloud Kiteworks integration

livehybrid — Fri, 07 Mar 2025 17:34:37 GMT

Hi @Paaattt

Ye the file is ultimately a text file so you can use any regular text editor to edit and copy the contents into new files.

Good point about the encrypted key, Does Kiteworks offer a field for SSL Password (which will be in your UF app). If not you will need to remove the encrpytion from the key before you add it to Kiteworks

Use something like this

openssl rsa -in encrypted_key.pem -out decrypted_key.pem

When you run this command, OpenSSL will prompt you to enter the current password for the private key. After you provide the correct password, it will output the decrypted private key to the specified output file.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Re: SplunkCloud Kiteworks integration

Paaattt — Sat, 08 Mar 2025 16:13:23 GMT

Hi @livehybrid ,

Thank you. So Kiteworks accepts the following

SSL certificate
SSL Password
Root Certificate
Intermediate Certificate

So yeah I can move them to separate pem file. My remaining problem is the SSL Password key. Splunk told me that the passphrase is located in $SPLUNK_HOME/etc/apps/100_**/local/outputs.conf.
[tcpout]
sslPassword = [value]

I decrypted the value using
$SPLUNK_HOME/bin/splunk show-decrypted --value '<encrypted_value>'

Unfortunately it is giving me this error
139750988822336:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:603:
139750988822336:error:0906A065:PEM routines:PEM_do_header:bad decrypt:crypto/pem/pem_lib.c:461:

A bad decrypt. What do you think did I miss? I am doubting the ssl password. But if this is the right step I need to try again and see how it goes.

Re: SplunkCloud Kiteworks integration

livehybrid — Sun, 09 Mar 2025 08:15:34 GMT

Hi @Paaattt

Are you able to get the password from the UF App downloaded from Splunk Cloud, rather than from a running Splunk instance?

If you are trying to decrypt the value in a running instance, does it start $7? (If so you should be able to use the show-decrypted command - but remember to quote it so it doesnt try and resolve a variable starting $)

$SPLUNK_HOME/bin/splunk show-decrypted --value '<encrypted_value>'

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Re: SplunkCloud Kiteworks integration

Paaattt — Sun, 09 Mar 2025 08:40:06 GMT

Thanks @livehybrid . Looks like I am decrypting it wrong. Need to ad '' as prefix and suffix. All good now. Thank you!!!

Re: SplunkCloud Kiteworks integration

Paaattt — Mon, 10 Mar 2025 03:17:45 GMT

Hi @livehybrid ,

I just have another question. The certificate works and we are now doing the ingestion. Thank you for that. On the Admin guide. I have to do the following on Splunk Cloud:

1. Create Index
2. Enable receiver 9997
3. Enable TCP Inputs 514

We got a blocker on TCP Inputs. Ideally should be easy as like Settings > Data Inputs > Forwarded Inputs > TCP on the HF. But our approach is on Splunk Cloud (We don't use HF on this data even if we have for others. Project decided to have a saas to saas integration for KW). Now the prompt looks like this

"You currently don't have any forwarders installed. If you've recently installed a new forwarder, click the refresh button below to reload page."

Refreshing it does nothing.
While I understand this on an on-prem deployment perspective. I can't fully understand the project's approach. the Admin guide provided as well is not helpful. No troubleshooting part for Splunk Cloud.

How did you proceed on the ingestion piece?

Re: SplunkCloud Kiteworks integration

Vardhan — Wed, 05 Nov 2025 05:18:42 GMT

Hi @Paaattt ,

Recently I have onboarded the Kiteworks logs using inbuilt Kiteworks syslog mechanism to forward the logs to Syslog server. There is no option to select the log category, it will just send all the logs to Syslog server. So, my question is how can we make those logs CIM compliant and map it o Splunk data models. Currently there is only one single App(Kiteworks CISO dashboard app) is available and it doesn't contain any props.conf for log extractions.

How did you manage those logs to map it to Splunk data models? could you please help here?