Splunk Enterprise Security

HPE Aruba ClearPass App for Splunk Enterprise: How to configure the app for my Splunk instance?

MikeBertelsen
Communicator

I have a Splunk instance with a Search Head (SH) and two load balanced Indexers. There are two Heavy Forwarders (HF) dedicated to forwarding syslog data to the indexers.
The installation instructions do not accommodate that perspective. The installation instructions, as I read them, take the perspective of an all-in-one instance of Splunk, meaning SH and Indexer are on the same server. At the moment I have installed it on my SH. I will see what the impact is and will install it on the 2 HFs if needed.

0 Karma
1 Solution

MikeBertelsen
Communicator

I have Splunk for ClearPass installed on the SH only.
Then Aruba ClearPass was configured by another tech to stream data to a VIP which is load balanced to multiple HFs.

The details for the HF configuration follow:
inputs.conf:

# Syslog listeners for generic syslog that cannot use a specific port
# i.e. Aruba, etc.
# See props.conf and transforms.conf, which redirect to a specific index based on host

[udp://10127]
index = syslog
sourcetype = syslog
connection_host = dns
disabled = 0
_rcvbuf = 16777216
queueSize = 16MB
persistentQueueSize = 128MB

[tcp://10127]
index = syslog
sourcetype = syslog
connection_host = dns
disabled = 0


props.conf:
[syslog]
SHOULD_LINEMERGE = False
TRANSFORMS-set-syslog-index = set_syslog_index_aruba
TRANSFORMS-set-syslog-sourcetype = set_syslog_sourcetype_aruba


transforms.conf:

# Set indexes for data incoming to tcp or udp:10127

[set_syslog_index_aruba]
SOURCE_KEY = MetaData:Host
REGEX = aruba
DEST_KEY = _MetaData:Index
FORMAT = aruba

[set_syslog_sourcetype_aruba]
SOURCE_KEY = MetaData:Host
REGEX = aruba
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::aruba


0 Karma
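To see what the two transforms above actually do to an event, and which events fall through, here is an added Python walk-through; it is not from Mike's post, the ClearPass app or Splunk. It mimics the HF's host-keyed TRANSFORMS with Python's re module on constructed host names (as connection_host = dns would resolve them), and goes a step beyond the post by showing that REGEX = aruba is unanchored but case-sensitive, so a ClearPass node whose reverse-DNS name lacks lowercase "aruba" stays in index=syslog where the app never sees it.

```python
import configparser
import re

# Copy of the two transforms.conf stanzas from the post, kept in the order the
# props.conf stanza references them (TRANSFORMS-set-syslog-index first).
TRANSFORMS_CONF = """
[set_syslog_index_aruba]
SOURCE_KEY = MetaData:Host
REGEX = aruba
DEST_KEY = _MetaData:Index
FORMAT = aruba

[set_syslog_sourcetype_aruba]
SOURCE_KEY = MetaData:Host
REGEX = aruba
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::aruba
"""
TRANSFORM_ORDER = ["set_syslog_index_aruba", "set_syslog_sourcetype_aruba"]
# Constructed sample hosts, as reverse DNS (connection_host = dns) might return them.
SAMPLE_HOSTS = ["aruba-cppm01.corp.example", "ARUBA-CPPM02.corp.example", "fw01.corp.example"]

def load_transforms(text):
    """Parse transforms.conf stanzas into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep SOURCE_KEY / REGEX / DEST_KEY / FORMAT as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def route_event(host, transforms, default_index="syslog", default_sourcetype="syslog"):
    """Return (index, sourcetype) the HF would assign to an event from `host`.
    Metadata holds Splunk-style values ("host::name"); REGEX is unanchored, case-sensitive."""
    meta = {
        "MetaData:Host": f"host::{host}",
        "MetaData:Sourcetype": f"sourcetype::{default_sourcetype}",
        "_MetaData:Index": default_index,
    }
    for name in TRANSFORM_ORDER:
        t = transforms[name]
        if re.search(t["REGEX"], meta[t["SOURCE_KEY"]]):
            meta[t["DEST_KEY"]] = t["FORMAT"]  # rewrite index or sourcetype on match
    return meta["_MetaData:Index"], meta["MetaData:Sourcetype"].split("::", 1)[1]

def unrouted_hosts(hosts, transforms):
    """Hosts whose events stay in the default index, i.e. invisible to the ClearPass app."""
    return [h for h in hosts if route_event(h, transforms)[0] == "syslog"]

TRANSFORMS = load_transforms(TRANSFORMS_CONF)
```

On a live HF the same check is a search for ClearPass senders still landing in index=syslog sourcetype=syslog; if hostnames vary in case, REGEX = (?i)aruba makes the match case-insensitive.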

vnguyen46
Contributor

Thank you for sharing the great detailed info.

0 Karma

MikeBertelsen
Communicator

Glad to help as others have helped me. To be clear the values listed aren't the same ones I used. But the syntax is consistent with what I used.

0 Karma

vnguyen46
Contributor

Any updates on this will be very helpful. I have a distributed system as well. Do we need to install the app on both HF and SH and do the same configuration on both instances? Thanks.

0 Karma

Esky73
Builder

I've just installed this on a distributed env - you will also need to install the app on the HFs.

0 Karma