All Apps and Add-ons

How to install the Security Query based App for RSA Security Analytics in a distributed search environment, and how to poll my queries with separate brokers and concentrators?

Communicator

Hello;

I am excited to try this newly released app, and have a few questions:

  1. My setup has several brokers and concentrators, none combined; each broker and concentrator a separate server. Any recommendations for best way to deploy/poll my queries?

  2. My Splunk setup is a distributed. Should this app be installed on my indexers only?

Thank you,

-mi

0 Karma

Path Finder

Hi,

Not sure why you would have brokers if all your concentrators are separate but that aside I understand your question.

For 1) - What you need to do is create multiple configuration files and create an inputs.conf in /local/ to reference them as in the example below:

[script://./bin/nwsdk_query.py nwsdk_query_concentratorA]
interval = 60
sourcetype = netwitness
passAuth = splunk-system-user

[script://./bin/nwsdk_query.py nwsdk_query_concentratorB]
interval = 60
sourcetype = netwitness
passAuth = splunk-system-user

[script://./bin/nwsdk_query.py nwsdk_query_brokerC]
interval = 60
sourcetype = netwitness
passAuth = splunk-system-user

Each of the nwsdkquery*.conf files would then have a different URL for access and possibly a different query too. They would also need a separate tracking file so really you don't want any overlap in the configuration other than the username/password combination used for access.

For question 2) - You only need to install the app on your indexers for now. All Dashboards are still only in the original app ( https://splunkbase.splunk.com/app/770/ ).

Hope this helps!

Regards,

Rui

Communicator

Thank you Rui!

With regards to the separate broker and concentrator, we are running our infra on VM's, and they came separate. Also, we are looking at how we will decrypt SSL traffic, thus far our plans require separate broker to decoder.

I'll keep you posted on my install as I make progress, which won't be for a few weeks at best.

0 Karma

Path Finder

Sounds good, do keep me posted and reach out if you have any issues.

On the broker/concentrator topic, I think you mean decoder not broker based on SSL decryption, if that's the case I wouldn't try to connect to it with this app, it's really only meant for concentrators or brokers, regardless, probably not a discussion for this forum, my e-mail is on the app so please reach out directly if you have any questions or think we need to discuss this further.

Thank you,

Rui

0 Karma

Communicator

Yes, two decoders, one to capture non-SSL, the other to receive from a decryption device; both the same concentrator.

Will send via PM.

Thank you,

-mi

0 Karma