All Apps and Add-ons

Tripwire Enterprise App for Splunk Enterprise: Why am I not able to see data in the app?

New Member

Hello all,

I have a test environment on a RHEL 7 server that is running Tripwire Enterprise App for Splunk Enterprise and Splunk trial on the same machine. I've loaded the Tripwire Enterprise App on Splunk thinking that I don't need a heavy forwarder because it's a local ingest. I'm seeing the tripwire log data, but, although the Tripwire Enterprise App loads, no data shows up and there are no errors. I'm a relative new Splunker, so what am I missing?

Thanks for any help

0 Karma

New Member

Hi, were you able to resolve this issue? I'm facing the same error wherein I have installed my add-on in my test splunk instance and I can see tripwire logs but nothing seems to populate in the tripwire app. I don't seem to get any option to set-up the tripwire app either.

0 Karma

Path Finder

Happy to see you are using the App for Tripwire Enterprise and it sounds like you have a straigh forward install of the App on the Splunk Search Head. So you point TE log management toward Splunk and are getting logs.

Have you installed the Tripwire Enterprise Add-on for Splunk?
https://splunkbase.splunk.com/app/3058/

The Add-on collects FIM and SCM reports (changes and policy results) via API and formats them with CIM.

Happy Splunking!

0 Karma

New Member

Hi Jim,

Thanks for the response. That's basically the problem. I've got the add-on loaded but it's not doing anything. Is it because I don't have a heavy forwarder? The install details are not clear and the .spl files is the same for 3058 and 1828 so I'm not sure what I'm missing.

Thanks

Tim

0 Karma

Path Finder

Just to be clear, apps 3058 and 1828 are not the same and the .SPLs are in fact different.

0 Karma

New Member

Then why is it when I try to download them, they try to overwrite each other? I go to both links and get the same .spl file.

0 Karma

New Member

Well...UGH!!! I must have been doing something wrong with the download, because I got the right file this time.

Thanks for your help!!

0 Karma

Path Finder

pshew! No problem, and glad you're sorted!

You should now have a tripwire-enterprise-app-for-splunk_200.zip AND A tripwire-enterprise-add-on-for-splunk_200.zip

You have been missing the tripwire-enterprise-add-on-for-splunk_200.zip 🙂

0 Karma

New Member

And just to reiterate...splunk and tripwire are running on the same RHEL 7 server. So I felt like a forwarder was not necessary.

0 Karma

Path Finder

We run TE and Splunk on the same Linux box as part of our standard demo kit for all SEs so there is no need for the heavy forwarder.

Also, the apps are different, so O sent you the add-on in e-mail so you can get it from there.

0 Karma

New Member

Thanks a lot Jim. That .spl file is the exact file I installed. I installed it without the heavy forwarder. The app runs, but I get "No Results Found" in any of the searches. I have log data though in the regular splunk app.

0 Karma

Path Finder

And are you getting login events for the Splunk user int he Tripwire logs?

0 Karma

New Member

No...and I think that's the problem now. I don't get prompted for a restart of splunk nor a setup screen after installing the .spl file. So I cannot set up a user that coincides with a user on TE.

  1. Install app in Splunk Enterprise a. Navigate to "Manage Apps" then "Install app from file" b. Select the ".spl" file containing the Tripwire Add-on and click upload c. Restart Splunk as prompted d. Fill in the setup screen as prompted i. Use only a Tripwire Enterprise username with limited "read only" access. ii. Check the box to 'monitor data on forwarders' ONLY IF Tripwire data will be retrieved by a Heavy Forwarder and not the core Splunk instance (see section 6. below)
0 Karma

Path Finder

You should be able to bring up the settings for the app in Manage Apps.

You put in an IP or FQDN, user, pass, and polling frequency for FIM and SCM.

Takes maybe 5 minutes and you should be good to go.

Are you logged in as admin when you install the app?

0 Karma

New Member

Thanks Jim,

I'm logged in as admin.

In the "manage apps" area this is all I see for TE app for splunk

Tripwire Enterprise App for Splunk tripwire_enterprise_app 2.0 Yes Yes App | Permissions Enabled | Disable Launch app | Edit properties | View objects | View details on SplunkApps

The Edit Properties area does not have a place to enter an IP or FQDN, user, pass, and polling frequency for FIM and SCM. I've been looking for that since the start of this.

I don't see where it should be.

0 Karma

Path Finder

Ah, OK, so you need to install the Add-On. 🙂

Tripwire Enterprise Add-on for Splunk TA_tripwire_enterprise 2.0

Yes

No
App | Permissions Enabled | Disable Set up | Edit properties | View objects | View details on SplunkApps

I did a quick video showing setup, never mind that I forgot my TE user password for the integration... https://www.screencast.com/t/oInPfrGao

0 Karma

New Member

Can you think of anything else I might be missing Jim? I've tried manually creating the app and turning off pop-ups for the browser. The configuration options don't show up.

Thanks

0 Karma