Solved: How to set up configuration in SPlunk for Tanium

sahiltcs · ‎04-08-2019

I installed Splunk Tanium app in my environment, Can you please help me for the configuration in Splunk for tanium

In which configuration file i need to edit and get the data in SPlunk for tanium

muralikoppula · ‎04-08-2019

Step 1:

Configure syslog on source(Tanium) side to send logs to syslog.
https://docs.tanium.com/connect/connect/siem.html

Step 2:

monitor tanium logs from syslog server

inputs.conf on HF: Example

[monitor:///syslog/tanium//.log]
disabled = 0
followTail = 0
host =
host_segment = 3
index = main
sourcetype = tanium
crcSalt =

props.conf exaple on HF

[tanium]
KV_MODE = json
MAX_TIMESTAMP_LOOKAHEAD = 16
NO_BINARY_CHECK = true
SEDCMD-strip_prefix = s/^[^{]+//g
SHOULD_LINEMERGE = false
TIME_FORMAT = %b %d %H:%M:%S
TIME_PREFIX = ^
category = Custom
disabled = false
pulldown_type = true

Hope this helps...

View solution in original post

muralikoppula · ‎04-08-2019

Step 1:

Configure syslog on source(Tanium) side to send logs to syslog.
https://docs.tanium.com/connect/connect/siem.html

Step 2:

monitor tanium logs from syslog server

inputs.conf on HF: Example

[monitor:///syslog/tanium//.log]
disabled = 0
followTail = 0
host =
host_segment = 3
index = main
sourcetype = tanium
crcSalt =

props.conf exaple on HF

[tanium]
KV_MODE = json
MAX_TIMESTAMP_LOOKAHEAD = 16
NO_BINARY_CHECK = true
SEDCMD-strip_prefix = s/^[^{]+//g
SHOULD_LINEMERGE = false
TIME_FORMAT = %b %d %H:%M:%S
TIME_PREFIX = ^
category = Custom
disabled = false
pulldown_type = true

Hope this helps...

sahiltcs · ‎04-08-2019

Thanks it really helps me 🙂

How to set up configuration in SPlunk for Tanium

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases