I have a test environment on a RHEL 7 server that is running Tripwire Enterprise App for Splunk Enterprise and Splunk trial on the same machine. I've loaded the Tripwire Enterprise App on Splunk thinking that I don't need a heavy forwarder because it's a local ingest. I'm seeing the Tripwire log data, but, although the Tripwire Enterprise App loads, no data shows up and there are no errors. I'm a relatively new Splunker, so what am I missing?
Thanks for any help
Hi, were you able to resolve this issue? I'm facing the same error wherein I have installed my add-on in my test Splunk instance and I can see Tripwire logs but nothing seems to populate in the Tripwire app. I don't seem to get any option to set up the Tripwire app either.
Happy to see you are using the App for Tripwire Enterprise, and it sounds like you have a straightforward install of the App on the Splunk Search Head. So you point TE log management toward Splunk and are getting logs.
Have you installed the Tripwire Enterprise Add-on for Splunk?
The Add-on collects FIM and SCM reports (changes and policy results) via API and formats them with CIM.
Thanks for the response. That's basically the problem. I've got the add-on loaded but it's not doing anything. Is it because I don't have a heavy forwarder? The install details are not clear and the .spl file is the same for 3058 and 1828, so I'm not sure what I'm missing.
Phew! No problem, and glad you're sorted!
You should now have a tripwire-enterprise-app-for-splunk_200.zip and a tripwire-enterprise-add-on-for-splunk_200.zip
You have been missing the tripwire-enterprise-add-on-for-splunk_200.zip 🙂
We run TE and Splunk on the same Linux box as part of our standard demo kit for all SEs so there is no need for the heavy forwarder.
Also, the apps are different, so I sent you the add-on in e-mail so you can get it from there.
Thanks a lot, Jim. That .spl file is the exact file I installed. I installed it without the heavy forwarder. The app runs, but I get "No Results Found" in any of the searches. I have log data though in the regular Splunk app.
No... and I think that's the problem now. I don't get prompted for a restart of Splunk nor a setup screen after installing the .spl file. So I cannot set up a user that coincides with a user on TE.
You should be able to bring up the settings for the app in Manage Apps.
You put in an IP or FQDN, user, pass, and polling frequency for FIM and SCM.
Takes maybe 5 minutes and you should be good to go.
Are you logged in as admin when you install the app?
I'm logged in as admin.
In the "Manage Apps" area this is all I see for the TE App for Splunk:
Tripwire Enterprise App for Splunk tripwire_enterprise_app 2.0 Yes Yes App | Permissions Enabled | Disable Launch app | Edit properties | View objects | View details on SplunkApps
The Edit Properties area does not have a place to enter an IP or FQDN, user, pass, and polling frequency for FIM and SCM. I've been looking for that since the start of this.
I don't see where it should be.
Ah, OK, so you need to install the Add-On. 🙂
Tripwire Enterprise Add-on for Splunk TA_tripwire_enterprise 2.0
App | Permissions Enabled | Disable Set up | Edit properties | View objects | View details on SplunkApps
I did a quick video showing setup, never mind that I forgot my TE user password for the integration... https://www.screencast.com/t/oInPfrGao
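The thread's root cause is that only the App (tripwire_enterprise_app) was installed, while the Add-on (TA_tripwire_enterprise) that actually pulls FIM and SCM data via the API was missing, so the App's dashboards had nothing to search. The following shell snippet is an added example, not from the thread or from Tripwire or Splunk: it checks a Splunk apps directory for both packages and reports whether the Add-on has been set up. It assumes the Add-on's setup page writes its settings under the app's `local/` directory (the usual Splunk convention); the demo directory at the bottom is constructed to reproduce the original poster's situation.

```shell
#!/bin/sh
# Added example (not the thread's or the vendors' code): verify that a Splunk
# apps directory holds BOTH the Tripwire Enterprise App (tripwire_enterprise_app)
# and the Add-on (TA_tripwire_enterprise), and that the Add-on has been set up.
# Assumption: the Add-on's "Set up" page saves its settings under <app>/local/.
# Usage: check_te_apps "$SPLUNK_HOME/etc/apps"
# Returns 0 when everything is in place, 1 otherwise, printing what is missing.
check_te_apps() {
  apps_dir="$1"
  status=0
  # Both packages must be present; the App alone only gives empty dashboards.
  for app in tripwire_enterprise_app TA_tripwire_enterprise; do
    if [ ! -d "$apps_dir/$app" ]; then
      echo "MISSING: $apps_dir/$app (install the matching .spl while logged in as admin)"
      status=1
    fi
  done
  # The Add-on only collects data once host, user, password and polling
  # frequency have been entered on its Set up page (saved under local/).
  if [ -d "$apps_dir/TA_tripwire_enterprise" ]; then
    local_dir="$apps_dir/TA_tripwire_enterprise/local"
    if [ -d "$local_dir" ] && [ -n "$(ls -A "$local_dir" 2>/dev/null)" ]; then
      echo "OK: Add-on present and has local settings"
    else
      echo "NOT SET UP: Manage Apps > Tripwire Enterprise Add-on for Splunk > Set up"
      status=1
    fi
  fi
  return $status
}

# Constructed demo directory reproducing the thread: App installed, Add-on absent.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/tripwire_enterprise_app/default"
check_te_apps "$demo_dir" || echo "-> this is why the App's searches show No Results Found"
rm -rf "$demo_dir"
```

Run it against the real `$SPLUNK_HOME/etc/apps` on the search head; on a single-box install like the one in the thread there is no forwarder to check, so an empty `local/` on the Add-on means the Set up step is still outstanding.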