All Apps and Add-ons

Incapsula Splunk Integrator: How to configure the forwarder to send Incapsula logs (WAF) to Splunk Cloud?

Explorer

I have installed Incapsula.spl app on my forwarder. Please help me how to pull the logs to Splunk Cloud. I can see inputs.conf in the Incapsula folder. (is that some thing which i need to configure)?

[tcp://443]
index = incapsula
source = IncapsulaSyslog
connection_host = ip
sourcetype = incapsula
0 Karma

Splunk Employee
Splunk Employee

The inputs.conf will specify what data to collect. The outputs.conf on the forwarder will specify where to send the data.

To tell the forwarder to send data to Splunk Cloud you will need to download an spl file called splunkclouduf.spl which is a packaged app. You need to install this on the forwarder, this has the configured outputs.conf that will connect the forwarder to your Splunk cloud instance.

Here is our documentation on how to download the splunkclouduf.spl and install it on your forwarder.

https://docs.splunk.com/Documentation/SplunkCloud/latest/User/ForwardDataToSplunkCloudFromWindows#St...

Explorer

i have completed all those tasks, here my requirement is to get Incapsula log data to splunk Cloud. i need the configurations for that. i have the incapsula.spl app which i installed on the forwarder too. so now what configurations need to be changed in inputs.conf to push the data to splunk cloud
.

0 Karma

Splunk Employee
Splunk Employee

If you have installed the splunkclouduf.spl that app has an outputs.conf that will point the forwarder to Splunk Cloud.

So any inputs you have configured on your forwarder will send to what is configured in that outputs.conf regardless of what app the conf files are located.

So you have the inputs.conf which is trying to listen on port 443 for tcp traffic. The outputs.conf will send that data to Splunk Cloud.

If you aren't seeing that data in Splunk Cloud, make sure you have made the index that it expects "incapsula".

As well as making sure there are not any firewall rules blocking the port your trying to listen on.

Is this the first time you are forwarding data to Splunk Cloud from this forwarder?

0 Karma

Explorer

No , i'm working as splunk admin from past 3 years..... i think i haven't given clear requirement to you.

actually below is the requiremnt which We need to add the WAF logs to Splunk. In order to do this, you will need to configure a connector “pull” from the kiwi server and then a “push” to splunk cloud. The pull uses and api, for which there is a script available: https://github.com/Incapsula/logs-downloader

The connector settings:

[SETTINGS]
APIID=21630
APIKEY=
PROCESSDIR=
BASEURL=https://logs1.incapsula.com/764
220102/
USEPROXY=NO
PROXYSERVER=
SAVELOCALLY=YES
SYSLOG
ENABLE=NO
SYSLOGADDRESS=
SYSLOG
PORT=
USECUSTOMCAFILE=NO
CUSTOM
CA_FILE=

insted of doing above all steps ,i have installed incapsula.spl file on the forwarder to send log data directly to splunk cloud. so in "inputs.conf" file "connection_host = ip" do i need to provide ipaddress of WAF server?? is my doubt

0 Karma