I am trying to test your application to audit an Isilon cluster.
I'm running Splunk v6.1 on my server.
First, I installed the EMC CEE Framework and configured it in regedit to enable it.
Second, I configured my cluster with the CEE URL.
Third, I installed your app on Splunk.
Fourth, I configured your app in managed inputs (Splunk Web).
I can't find the file emcceeconfig.xml; could you indicate where I can find it?
For the moment I don't have any input in the index (created for that) in Splunk.
Have you tried using the Splunk App for Stream? You could configure it on the server that mounts the directories, and specifically monitor any port and protocol required. Events will be collected from the wire and logged as JSON events into Splunk.
Find below how it worked for me:
1> Installation of Splunk and the EMC CEE Framework on Linux, and configuration of the EMC CEE Framework to forward the logs to the app. The file to amend is the following: /opt/CEEPack/emcceeconfig.xml
<Audit>
  <Configuration>
    <Enabled>1</Enabled>
    <EndPoint>Splunk@http://IP.1.2.3:12229</EndPoint>
  </Configuration>
</Audit>
2> Configuration of the Isilon cluster to send logs to the EMC CEE Framework: http://IP.1.2.3:12228/CEE
3> Installation of the app in Splunk
4> Configuration of the app via Splunk: data source > EMC CEPA > Isilon > advanced config
5> Activation of the lookups (ntstatus, flag and event)
In my case the event_code.csv is not correct and I had to modify it as follows:
But this is only my best interpretation; I'd rather use an official EMC reference.
Is anyone aware of where the official table might be hidden?
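As an added example (not part of this post, nor EMC's or Splunk's own code), a small Python check over the hops of the pipeline described above: it parses the emcceeconfig.xml audit fragment and flags the misconfigurations that leave the Splunk index empty. The element layout under <Audit>, the Consumer@URL form of EndPoint, and the use of ';' to separate several endpoints are assumptions taken from the fragment above; cluster_cee_url is the URL the Isilon cluster posts to and splunk_app_port is the port the app's input was configured on.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of the emcceeconfig.xml fragment quoted in the post; the
# element layout under <Audit> is assumed from that fragment alone.
SAMPLE_CEE_CONFIG = """<Audit>
  <Configuration>
    <Enabled>1</Enabled>
    <EndPoint>Splunk@http://IP.1.2.3:12229</EndPoint>
  </Configuration>
</Audit>"""

# EndPoint values take the Consumer@URL form shown in the post; several
# endpoints separated by ';' is an assumption, not something the post states.
ENDPOINT_RE = re.compile(r"^(?P<consumer>\w+)@(?P<url>https?://\S+)$")


def parse_cee_audit(xml_text):
    """Return (enabled, [(consumer, host, port), ...]) from the audit config."""
    conf = ET.fromstring(xml_text).find("Configuration")
    if conf is None:
        raise ValueError("no <Configuration> element under <Audit>")
    enabled = (conf.findtext("Enabled") or "0").strip() == "1"
    endpoints = []
    raw_list = [s.strip() for s in (conf.findtext("EndPoint") or "").split(";")]
    for raw in (s for s in raw_list if s):
        m = ENDPOINT_RE.match(raw)
        if not m:
            raise ValueError("malformed EndPoint: %r" % raw)
        u = urlparse(m.group("url"))
        endpoints.append((m.group("consumer"), u.hostname, u.port))
    return enabled, endpoints


def check_pipeline(xml_text, cluster_cee_url, splunk_app_port):
    """List the misconfigurations that would leave the Splunk index empty."""
    problems = []
    enabled, endpoints = parse_cee_audit(xml_text)
    if not enabled:
        problems.append("CEE auditing is disabled (<Enabled> is not 1)")
    splunk = [e for e in endpoints if e[0].lower() == "splunk"]
    if not splunk:
        problems.append("no Splunk@ endpoint configured in CEE")
    elif splunk[0][2] != splunk_app_port:
        problems.append("CEE forwards to port %s but the app listens on %s" % (splunk[0][2], splunk_app_port))
    t = urlparse(cluster_cee_url)
    if t.path.rstrip("/").lower() != "/cee":
        problems.append("cluster CEE URL should end in /CEE")
    if t.port == splunk_app_port:
        problems.append("cluster points at the Splunk app port, not the CEE listener")
    return problems
```

Run with the post's values (cluster URL http://IP.1.2.3:12228/CEE, app port 12229) it returns an empty list; pointing the cluster at the app port instead yields two findings.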
The CEE TA shouldn't be used with Isilon. Isilon supports sending audit logs directly to syslog. Search for the Isilon add-on and app in splunkbase and install that. There are also instructions on how to configure the cluster to send the logs to a syslog server.