Hello all,
I have a test environment on a RHEL 7 server that is running Tripwire Enterprise App for Splunk Enterprise and Splunk trial on the same machine. I've loaded the Tripwire Enterprise App on Splunk thinking that I don't need a heavy forwarder because it's a local ingest. I'm seeing the tripwire log data, but, although the Tripwire Enterprise App loads, no data shows up and there are no errors. I'm a relatively new Splunker, so what am I missing?
Thanks for any help
Hi, were you able to resolve this issue? I'm facing the same error wherein I have installed my add-on in my test splunk instance and I can see tripwire logs but nothing seems to populate in the tripwire app. I don't seem to get any option to set up the tripwire app either.
Happy to see you are using the App for Tripwire Enterprise and it sounds like you have a straightforward install of the App on the Splunk Search Head. So you point TE log management toward Splunk and are getting logs.
Have you installed the Tripwire Enterprise Add-on for Splunk?
The Add-on collects FIM and SCM reports (changes and policy results) via API and formats them with CIM.
Happy Splunking!
Hi Jim,
Thanks for the response. That's basically the problem. I've got the add-on loaded but it's not doing anything. Is it because I don't have a heavy forwarder? The install details are not clear and the .spl file is the same for 3058 and 1828, so I'm not sure what I'm missing.
Just to be clear, apps 3058 and 1828 are not the same and the .SPLs are in fact different.
Then why is it when I try to download them, they try to overwrite each other? I go to both links and get the same .spl file.
Well...UGH!!! I must have been doing something wrong with the download, because I got the right file this time.
Thanks for your help!!
pshew! No problem, and glad you're sorted!
You should now have a tripwire-enterprise-app-for-splunk_200.zip and a tripwire-enterprise-add-on-for-splunk_200.zip
You have been missing the tripwire-enterprise-add-on-for-splunk_200.zip 🙂
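As an added check that is not part of this thread, the script below reads the `default/app.conf` inside a Splunk `.spl` package (a gzipped tar) and reports the app id, version and SHA-256, so you can tell whether two downloads are really the same package before installing them. The `build_spl` helper constructs sample packages in memory using the app ids shown later in this thread; it is only sample input, not Tripwire's own packaging.

```python
import configparser
import hashlib
import io
import tarfile


def inspect_spl(data: bytes) -> dict:
    """Return the app directory, [package] id, [launcher] version and SHA-256
    of a Splunk .spl package supplied as bytes."""
    digest = hashlib.sha256(data).hexdigest()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            # Every Splunk app ships <appdir>/default/app.conf
            if member.isfile() and member.name.endswith("/default/app.conf"):
                text = tar.extractfile(member).read().decode("utf-8")
                cp = configparser.ConfigParser(interpolation=None)
                cp.read_string(text)
                return {
                    "app_dir": member.name.split("/")[0],
                    "id": cp.get("package", "id", fallback=None),
                    "version": cp.get("launcher", "version", fallback=None),
                    "sha256": digest,
                }
    raise ValueError("no default/app.conf found in package")


def same_package(a: bytes, b: bytes) -> bool:
    """True when both downloads are byte-for-byte identical."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def build_spl(app_dir: str, app_id: str, version: str) -> bytes:
    """Construct a minimal .spl in memory (sample input for this example only)."""
    conf = f"[package]\nid = {app_id}\n\n[launcher]\nversion = {version}\n".encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(f"{app_dir}/default/app.conf")
        info.size = len(conf)
        tar.addfile(info, io.BytesIO(conf))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample packages using the app ids seen in this thread
    app = build_spl("tripwire_enterprise_app", "tripwire_enterprise_app", "2.0")
    ta = build_spl("TA_tripwire_enterprise", "TA_tripwire_enterprise", "2.0")
    for pkg in (app, ta):
        print(inspect_spl(pkg))
    print("identical downloads:", same_package(app, ta))
```

On a real system, pass the bytes of each downloaded file (`open(path, "rb").read()`) to `inspect_spl` and compare the reported ids.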
And just to reiterate...splunk and tripwire are running on the same RHEL 7 server. So I felt like a forwarder was not necessary.
We run TE and Splunk on the same Linux box as part of our standard demo kit for all SEs so there is no need for the heavy forwarder.
Also, the apps are different, so I sent you the add-on in e-mail so you can get it from there.
Thanks a lot Jim. That .spl file is the exact file I installed. I installed it without the heavy forwarder. The app runs, but I get "No Results Found" in any of the searches. I have log data though in the regular splunk app.
And are you getting login events for the Splunk user in the Tripwire logs?
No...and I think that's the problem now. I don't get prompted for a restart of splunk nor a setup screen after installing the .spl file. So I cannot set up a user that coincides with a user on TE.
You should be able to bring up the settings for the app in Manage Apps.
You put in an IP or FQDN, user, pass, and polling frequency for FIM and SCM.
Takes maybe 5 minutes and you should be good to go.
Are you logged in as admin when you install the app?
Thanks Jim,
I'm logged in as admin.
In the "manage apps" area this is all I see for TE app for splunk
Tripwire Enterprise App for Splunk tripwire_enterprise_app 2.0 Yes Yes App | Permissions Enabled | Disable Launch app | Edit properties | View objects | View details on SplunkApps
The Edit Properties area does not have a place to enter an IP or FQDN, user, pass, and polling frequency for FIM and SCM. I've been looking for that since the start of this.
I don't see where it should be.
Ah, OK, so you need to install the Add-On. 🙂
Tripwire Enterprise Add-on for Splunk TA_tripwire_enterprise 2.0
App | Permissions Enabled | Disable Set up | Edit properties | View objects | View details on SplunkApps
I did a quick video showing setup, never mind that I forgot my TE user password for the integration... https://www.screencast.com/t/oInPfrGao
Can you think of anything else I might be missing Jim? I've tried manually creating the app and turning off pop-ups for the browser. The configuration options don't show up.