Tripwire IP360 on Splunk Enterprise: Not pulling data

jkcrossCRMC
Engager

To the best of my knowledge after following Splunk guides and the Tripwire App PDF, I am unable to get data to the Tripwire IP360 App for Splunk Enterprise (that I downloaded current from Tripwire). When I visit the app, it only says 'No results found'. Below is a list of everything I have done so far:

  • Enabled remote access to my Splunk search head on the VNE
  • Installed OpenJDK 1.8.0.232 on Splunk
  • Installed Splunk DB Connect 3.2.0
    • Created an identity to match the username and password defined on the VNE remote access properties
    • Created a connection using PostgreSQL using the properties defined on the remote access page of the VNE
    • There are no errors with the Identity or Connection setup
  • Installed the Tripwire IP360 Splunk Add-on
    • Left the default configuration (DBX v3)
  • Installed the Tripwire IP360 Splunk App
  • Made firewall rules to allow communication between the VNE and Splunk for port 5432 for PostgreSQL

I've done everything that the setup PDF that came with the IP360 Splunk App said to do as well as followed the guides on Splunkbase for the Splunk DB Connect configuration, but the IP360 App in Splunk shows no data. If I go to SQL Explorer in DB Connect and select the Connection and Catalog that was set up in Tripwire, I'm able to view schemas and tables within the SQL DB.

What am I missing?

0 Karma
1 Solution

jkcrossCRMC
Engager

Issue is now resolved. Everything was correct with our setup and configuration. The problem was that the Tripwire IP360 App was supposed to create two inputs in the Splunk DB Connect app in Splunk DB Connect > Data Lab > Inputs but did not. A Tripwire support rep told us that this was supposed to happen automatically after the full server restart. Once we applied updates to our server for routine maintenance, the inputs were created, and the dashboard began populating now that Splunk knew what to do with the Tripwire logs.

0 Karma
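
The failure described in this thread (a working identity and connection, but no inputs bound to it) can be checked directly. The following is an added example, not part of the original posts and not Tripwire's or Splunk's code. It assumes DB Connect 3 stores input definitions in a `db_inputs.conf` file with `connection` and `disabled` keys; every stanza and connection name in it is constructed.

```python
# Added example: report which DB Connect inputs are bound to a given connection.
# Stanza and connection names are constructed, not the names the Tripwire app uses.
SAMPLE_CONF = """\
# constructed sample of a db_inputs.conf
[example_vuln_results]
connection = ip360_vne
disabled = 0

[example_scan_audit]
connection = ip360_vne
disabled = 1

[unrelated_input]
connection = hr_db
disabled = 0
"""

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def check_inputs(text, connection):
    """Return (status, enabled, disabled) for inputs bound to `connection`."""
    enabled, disabled = [], []
    for name, settings in parse_conf(text).items():
        if settings.get("connection") != connection:
            continue
        is_off = settings.get("disabled", "0").lower() in ("1", "true")
        (disabled if is_off else enabled).append(name)
    if not enabled and not disabled:
        status = "no inputs defined"  # the state described in the post
    elif not enabled:
        status = "all inputs disabled"
    else:
        status = "ok"
    return status, enabled, disabled

if __name__ == "__main__":
    print(check_inputs(SAMPLE_CONF, "ip360_vne"))
```

A status of "no inputs defined" for a connection that tests clean in SQL Explorer corresponds to the situation in this thread: dashboards stay empty because nothing is scheduled to pull rows into an index.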
