I am trying to install the Cylance app in a distributed environment. But I am not sure where the inputs.conf file should be. Should they be located on the search head or the indexer?
Any help is appreciated.
Thanks.
The inputs.conf will need to be on the collecting machine which sounds like in your case on the indexer (but more preferably a heavy forwarder if you have one).
However there are actually 2 different apps and it depends on whether you are planning on having Cylance send you syslog data or if you are going to pull the "Threat Daily Report" from Cylance's API.
If you are going the syslog route, then you actually need to install this app https://splunkbase.splunk.com/app/3709/ on the forwarder or indexer; otherwise, if using the API method, then "CylancePROTECT App for Splunk" is the app you need on both the search head and the indexer (or heavy forwarder). Note that the inputs.conf needs the rest of the app, as it points to several scripts in the bin folder of the app.
Did this ever get resolved? I'm having the same issue and would love to know how the key exchange works.
@worshamn Thank you very much.
Also, does the inputs.conf stanza necessarily have to be [tcp-ssl://6514]?
I only use the API, though I would assume that is up to Cylance when it is set up. But I do know that port is one of the standard ports for syslog over SSL and is also one that SELinux already supports.
@worshamn What type of ssl certificate does Cylance App require? Any insights will be appreciated.
Thank you.
Again, I only use the API, which is a pull model and doesn't involve a required SSL cert. I have done other SSL syslog setups (not with Cylance), and those would accept self-signed certs as the connection is only between you and them, but it would be best to check with Cylance whether they allow that if you are going to do a syslog connection. If you are setting up syslog, you will have to get them your cert anyhow.
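For readers following the syslog route, here is what the listener side of this usually looks like in Splunk. This is an added illustration, not a file from the original thread, from the Cylance app, or from Cylance; the port, index, sourcetype, address range and certificate paths are assumptions, and the sourcetype in particular must be changed to whatever the Splunkbase app's props.conf expects.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf (or the app's local/ directory)
# on the collecting host: the heavy forwarder, or the indexer if there is none.
# Added example, not part of the Cylance app. Port, index, sourcetype,
# address range and certificate paths are assumptions for illustration.

[SSL]
# PEM file holding the listener's private key followed by its cert chain.
# Cylance will connect to this listener, so the cert's CN/SAN should match
# the hostname you give them if their side validates it.
serverCert = $SPLUNK_HOME/etc/auth/mycerts/syslog-listener.pem
# Passphrase for the private key; Splunk encrypts this value on restart.
sslPassword = changeme
# true demands a client certificate from the sender (mutual TLS).
# Leave false unless Cylance confirms they can present one.
requireClientCert = false
sslVersions = tls1.2
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256

[tcp-ssl://6514]
# 6514 is the IANA-registered port for syslog over TLS; any free port
# works as long as the sender is configured to match.
sourcetype = cylance:syslog
index = cylance
# Restrict the listener to the sender's source range (assumed value).
acceptFrom = 203.0.113.0/24
disabled = 0
```

After editing, restart Splunk and confirm the merged result with `splunk btool inputs list --debug`, which also shows which file each setting came from. From a host in the allowed range, `openssl s_client -connect <collector>:6514` should complete a handshake and show the listener's certificate; a self-signed cert will appear with a verify error on the client side, which is expected unless the sender has been given that cert to trust.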