Security

Universal Forwarder Technology Add-On

Mohamad_Alaa
Path Finder

Dear Team,

I installed enterprise security on the search head and downloaded Splunk_TA_ForIndexer from ES General settings

now i am stuck for UF technology add-on, from where i can find it? no option from the ES interface and i can't find it on splunkbase portal
I tried multiple search keyword on splunkbase with no luck

Labels (1)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

Might be that those particular kinds of sources are not covered by any ready-made addons.

Splunk-supported Add-ons usually have their documentation on https://docs.splunk.com/

Third-party addons - well, here you're on your own and on mercy of the addon creator.

View solution in original post

0 Karma

Mohamad_Alaa
Path Finder

I appreciate all your efforts,
Now to make things clear,
1- Does i need to install TA Add-on on UF regarding ES? (yes or no) noting that all my values on the security posture dashboard still zero although i enabled all correlation searches
2- If yes i need on UF, from where i can download it? noting that i didn't find any TA on splunkbase

thanks once again

0 Karma

richgalloway
SplunkTrust
SplunkTrust

First, do NOT enable all ES correlation searches.  That will cause more problems than it will solve.  Enable only the correlation searches that pertain to your use cases and for which you have data ingested in Splunk.

Where a TA should be installed depends on what the TA does.  The installation instructions for the TA should specify the location.  If it doesn't use the "Where to install" I link I provided earlier.  Generally speaking, it can't hurt to install a TA on both indexers and UFs.

Splunkbase is the source for most Splunk TAs.  Others can be downloaded from the vendors that created them for their products.  Still others are available from GitHub.  It can be difficult to locate a TA without knowing the name, however.  What do you want the TA to do?  Perhaps we can help you find something appropriate.

---
If this reply helps you, Karma would be appreciated.

Mohamad_Alaa
Path Finder

can u share the TA UF, specifically used for ES?
Or the download link or any helpful screenshot

0 Karma

richgalloway
SplunkTrust
SplunkTrust

There is no UF add-on specific to ES.  ES can produce an add-on for your indexers, but that method can be used only in limited circumstances.  See https://docs.splunk.com/Documentation/ES/7.2.0/Install/InstallTechnologyAdd-ons#Deploy_add-ons_to_fo... for when it can be used and alternatives for other environments.  I recommend manual installation of add-ons.

---
If this reply helps you, Karma would be appreciated.
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Again - there is no such thing as "add on for UF". There are several different add-ons (which you install on various components of your Splunk Infrastructure, including UFs) needed for specific solution you want to ingest data from.

So if you want to process logs from Checkpoint firewalls, you use TA for Checkpoint. If you get logs from Proofpoint you install UF for Proofpoint. And so on.

 

0 Karma

Mohamad_Alaa
Path Finder

So if i have 50 devices i need to install the TA on all 50? lets assume cisco, fortinet, palo alto ...
So its not enough installing TA on idexers and already such devices are sending the logs to the indexer?

0 Karma

PickleRick
SplunkTrust
SplunkTrust

TA_for_indexers contains only the installation part needed for indexers (definition of indexes) that are needed for ES to work. But it's just so that ES on its own is "fully installed".

Apart from that Splunk (and ES too) needs to know how to work with specific types of data provided by various kinds of sources. That's what TAs for those sources are for.

So yes, if you have 40 _types_ of devices, you might need 40 different TAs. Often TAs contain definitions, parsing rules and CIM-mappings for multiple sources from a single vendor (so you might not need to have a separate TA for every single type of Juniper firewalls, just a single TA able to parse JunOS events).

0 Karma

Mohamad_Alaa
Path Finder

ok much clear,

i have cisco switches, tried to search for that Add-on but with no luck. I can see cisco ESA, WSA, ISE ... but not IOS as switches or routers?

Moreover, installation tab is empty they are not includes the installation steps

any advise here?

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Might be that those particular kinds of sources are not covered by any ready-made addons.

Splunk-supported Add-ons usually have their documentation on https://docs.splunk.com/

Third-party addons - well, here you're on your own and on mercy of the addon creator.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Why are you looking for that TA?  What problem are you trying to solve?  What documentation said to install the UF TA?

If you are a Splunk Cloud customer, the UF TA is available from your Splunk Cloud search head.  Open the "Universal Forwarder" app then click the green Download button.  If you are not a Splunk Cloud customer then you probably don't need the TA, depending on the answers to the above questions.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Mohamad_Alaa
Path Finder

i am using splunk fully on prem - no cloud option

as per documentation TA to be installed on UF, you can refer to below link

https://community.splunk.com/t5/Security/Universal-Forwarder-Technology-Add-On/m-p/669359#M17403

As i understood, TA to be installed on Indexers (already done) and on UF

 

Thanks

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The link provided is to this question, not to any documentation.

If the TA is already installed on the indexers then you have what you need.  Just install the same TA on the forwarders.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Mohamad_Alaa
Path Finder

https://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall

 

here is the correct link

no one mentioned that it is the same TA for both, did you tried this before?
As per documentation it should be downloaded directly from splunkbase, but can't find it. The only thing i found is "Splunk-add-on-for-windows" but not sure if that's it or not

thanks

0 Karma

richgalloway
SplunkTrust
SplunkTrust

There's a lot of Splunk documentation so I understand why you don't have all the information yet.  See https://docs.splunk.com/Documentation/AddOns/released/Overview/Wheretoinstall for tips on where to install TAs.  The instructions that come with the TA are the best guide, however.

Splunkbase apps should be obtained directly from Splunkbase rather than via 3rd-party sources that may not be reputable.  However, once you've downloaded the TA it does not need to be downloaded again until a new version is available.  The one downloaded copy may be installed as many times as you wish.

---
If this reply helps you, Karma would be appreciated.
0 Karma

PickleRick
SplunkTrust
SplunkTrust

It's a general method of installing addons. You need addons for your particular sources.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...