Can anyone give fairly detailed instruction on how to install the Tripwire Enterprise AddOn. Our Splunk configuration is 5 servers, a search head server, 2 indexers, a heavy forwarder, and a deployment server. We have a single instance of Tripwire Enterprise and a specific user created currently with admin privileges to the console until I can get this working.
I installed the addon as directed by the TE installation instructions on my search head. I went through the setup screen, although I did not choose to use the API. Is it necessary to do that? It didn't seem like it was during setup. I copied the TA folder to my heavy forwarder and created the input locations as designated. I copied the SA folder to my indexers and also copied the two indexes from the app into my indexes.conf on my deployment server to be distributed to all my Splunk boxes so they all know about the indexes for TE.
I can do a tcpdump on my heavy forwarder and see logs coming from my TE console server, although not on port 514 as I would expect. I cannot see anything for my TE server going from my heavy forwarder to my indexers, nor do I see anything in searching in the te index on my search head. I'm fairly new to Splunk and just starting to get a handle on how to configure things. This is my first attempt at configuring an app that wasn't configured by PS, so I'm sure I have something set up incorrectly, but hoping that someone will be able to give a little better detail in how this needs to be configured as the TE installation document seems to be lacking a bit in detail. Thanks.
I wanted to update this in case someone comes along and is having issues with this install. Here are the details of how I did the install to get it working, and potential pitfalls. Again, this is for a distributed installation with a single instance of Tripwire Enterprise, but should be similar for others. I will not go into much detail where the Tripwire document does a pretty good job of detailing it. The document can be found in the zip file that you download from Tripwire with the addon and is a pdf file.
First, you will need to make a Tripwire Enterprise user as indicated, but what it doesn't give is detail on creating a specific role for that user and changing the TE server properties to allow that user to log in via the SOAP API to TE. So, what you'll want to do first is in TE, go to Settings and Roles and create a new role (name it whatever you want) and give it the privileges defined in the pdf to that role. Then, create your user and assign it the role you just created. Make sure to add your user into your AD if you are using AD as your login method, or the new user won't be able to log in at all. Additionally, you will need to log in to your TE console server(s) and locate the server.properties file located in /$TEinstalldir$/TE/Server/data/config and change the following entry from true to false: tw.securityAuditLog.enabled. This is true by default and only allows the built-in admin account for TE to access the SOAP API, so this MUST be changed to use a different account. Of course, restart your TE server service after making this change.
Once this is all done, you can install the addon on the search head (has to be on the search head, not the deployment server), and input the configs for your TE console. One hang-up I had was in step 3 of the document for distributed install, it says "Fill in the Setup screen config parameters as if you were configuring the settings from your heavy forwarder". Not sure what they mean by that, but the only thing you configure related to the heavy forwarder is to check the box for "Monitor data on forwarders". The rest of the settings like IP etc. still need to be your TE console server.
The next steps are pretty good in the document except one hiccup I had possibly came from not getting all the permissions transferred right from the search head to my other boxes. The best way I found to do this was to tar the entire directory, i.e.
tar -czvf filename.tar.gz /TA-tripwire_enterprise_FWD, which creates a tar file that you can then move to the other server and then untar it using tar -xpzvf filename.tar.gz (the p switch tells it to keep all permissions). Of course make sure you have the file in the right place to untar it etc. This kept the permissions intact. There are probably other methods as well, but this is what I found worked well and easy. The TA dir. goes to the heavy forwarder and any other search heads. The SA only goes to indexers.
Once you get all the rest of the steps (pretty straightforward) complete, you should be able to go to the /opt/teexports dir (for Splunk on Linux - Windows is diff) and see new folders being created for FIM, SCM etc. There will also be csv files that get created, but make sure to watch them for size. If they are just created but the size stays at 0, something's wrong.
To check for any issues, you can check the log file at $SPLUNKHOME/var/log/splunk/tripwire.log. The standard place for Linux would be /opt/splunk/var/log/splunk/tripwire.log, unless your splunkhome was intentionally placed somewhere else. A couple of errors I got in this log were: "ERROR: Exception in tripwire.py" along with "The username or password is incorrect". This occurred because I hadn't created my user in AD yet, so it couldn't log in to TE at all. Another error was "ERROR: Exception in tripwire.py" along with "Only the built-in administrator can access the SOAP API while in Common Criteria mode". This was due to not switching the server.properties setting to false instead of true, which was blocking my new user from accessing the TE API.
I hope this helps anyone looking at this.
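The answer above boils down to three things to verify after the install: the tw.securityAuditLog.enabled entry in server.properties is false, the CSV files under the export directory are not stuck at 0 bytes, and tripwire.log does not contain either of the two login errors. The following POSIX shell script is an added troubleshooting helper, not code from the thread, from Tripwire or from the add-on. It takes a base directory containing server.properties, a teexports tree and tripwire.log (a layout assumed for convenience; on a real box you would point the functions at /$TEinstalldir$/TE/Server/data/config/server.properties, /opt/teexports and /opt/splunk/var/log/splunk/tripwire.log individually), and it builds a constructed sample tree that reproduces the failure state described in the answer so it can be run offline.

```shell
#!/bin/sh
# te_triage.sh: added post-install checks for the Tripwire Enterprise add-on.
# Not part of the thread, Tripwire or Splunk; paths below are assumptions.

# Print "ok" if tw.securityAuditLog.enabled is false, otherwise "bad".
# Comment lines are ignored and the last matching entry wins.
check_audit_flag() {
    props="$1"
    val=$(grep -v '^[[:space:]]*#' "$props" | grep 'tw.securityAuditLog.enabled' \
          | tail -n 1 | cut -d= -f2 | tr -d '[:space:]')
    [ "$val" = "false" ] && echo ok || echo bad
}

# Count CSV export files whose size is still 0 bytes (the "something's wrong" sign).
count_empty_csv() {
    find "$1" -type f -name '*.csv' -size 0 | wc -l | tr -d ' '
}

# Map the two known tripwire.log errors to the cause the answer describes.
diagnose_log() {
    log="$1"
    if grep -qi "username or password is incorrect" "$log"; then
        echo "auth: TE user cannot log in (check the user exists in TE/AD and the password is right)"
    fi
    if grep -qi "Only the built-in administrator can access the SOAP API" "$log"; then
        echo "cc-mode: set tw.securityAuditLog.enabled=false in server.properties and restart TE"
    fi
    if ! grep -q "Exception in tripwire.py" "$log"; then
        echo "no tripwire.py exceptions found"
    fi
}

# Build a constructed sample tree in a temp dir that reproduces the failure
# state from the answer: flag still true, one empty CSV, both errors logged.
# Prints the directory path.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/teexports/FIM" "$d/teexports/SCM"
    : > "$d/teexports/FIM/changes.csv"                  # 0 bytes: bad
    printf 'node,rule\nhost1,baseline\n' > "$d/teexports/SCM/tests.csv"  # non-empty
    printf '# constructed sample\ntw.securityAuditLog.enabled=true\n' > "$d/server.properties"
    cat > "$d/tripwire.log" <<'EOF'
ERROR: Exception in tripwire.py
The username or password is incorrect
ERROR: Exception in tripwire.py
Only the built-in administrator can access the SOAP API while in Common Criteria mode
EOF
    echo "$d"
}

# Run all checks against one base directory (real or sample).
run_checks() {
    base="$1"
    echo "audit flag: $(check_audit_flag "$base/server.properties")"
    echo "empty csv files: $(count_empty_csv "$base/teexports")"
    diagnose_log "$base/tripwire.log"
}

# Usage: sh te_triage.sh [base_dir]; with no argument the sample tree is used.
run_checks "${1:-$(make_sample)}"
```

Against the sample tree the script reports the audit flag as bad, one empty CSV file, and both the auth and cc-mode findings; after the property is flipped to false and TE restarted, the first check should read ok and the cc-mode line should disappear from new log entries.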
@ron_brown If your problem is resolved, please accept the answer to help future readers.
I'm going to be a little more specific with a question at this point to hopefully find the information I need, although I think it would be beneficial to the community for someone to respond to the initial question. I reinstalled the addon and everything appears to be correct, however I see logs coming in to syslog from my TE console to the heavy forwarder server, but those syslogs are not getting to the /opt/teexports directory tree as they are supposed to for the heavy forwarder to pick them up. After I created the /opt/teexports directory, Splunk did add dir's for FIM and SCR and a couple of .csv files under those folders, but there aren't any .log files and the .csv files are empty, so nothing for the heavy forwarder to pick up and send to my indexers. The question I have is how do I get the incoming syslogs to drop into that /opt/teexports directory and go into the appropriate folders? This is not defined at all in the Tripwire addon installation directions. I have a splunk.conf file configured under rsyslog.d for a couple of other syslog sources including firewalls and email security, but those are very simple, basically just monitoring a from IP then dropping into the correct directory and file location to be picked up by the heavy forwarder. With TE having multiple different dir's and files to write info into, there must be more specific definitions, but I don't know what those would be. Thanks for any help with this.