I am using the Tripwire app for Splunk and I want to control what the Splunk app pulls from Tripwire.
For example, I want it to pull the policy test status without pulling the full element.
Is there any way I can do that?
Also, I have two Tripwire instances with a distributed Splunk installation; it is connected to one Tripwire instance but the other is not.
Can you tell me more about the Event Sender provided by Tripwire? Is it designed to send the data over to Splunk, or does it require a bit of scripting?
For controlling the data pulled by the app, I saw that I can change permissions for each object in the app. Will that do the trick?
With regard to the connection issue, I dropped the host firewall but I don't see any logs in Splunk or Tripwire. The app works well for the first Tripwire console, but there are no logs or connection for the second one. After installing the app for the second TE console, it doesn't create directories for FIM and SCM.
The free app isn't designed to pull a summary for test results. We do have a premium extension called Event Sender that would do this.
With regard to the connection issue, are you seeing failed authentication or anything of that sort in the TE logs for that? Also, could it be an intervening network or host firewall/IPS?
I configured the settings for the first TE console, then copied the same settings for the second TE console into a directory named TA-tripwire_enterprise_FWD2, but somehow the connection logs show only communication with the first TE console; as for the second, it doesn't detect it.
As for controlling what data is pulled, I want the app to just show how many test results are failing or passing without showing the full details.
The scenario for setting up a distributed Splunk install for 2 TE consoles should be included in the 3.0.0 documentation. The only "trick" is to manage the settings off the "first" configuration built.
So in your case you will set up a configuration for the first TE console, duplicate it, and then modify the primary configuration to point to the second TE console while leaving the duplicated configuration for the first TE console.
With regard to your Policy Test Results and full element content, can you specify: is this a matter of wanting information from Detailed Test Results but NOT wanting Detailed Changes? Or another scenario?