Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

HPE Aruba ClearPass App for Splunk Enterprise: How to configure the app for my Splunk instance?

MikeBertelsen
Communicator
‎03-21-2017 01:06 PM

I have a Splunk instance with a Search Head (SH) and two load balanced Indexers. There are two Heavy Forwarders (HF) dedicated to forwarding syslog data to the indexers.
The installation instructions do not accommodate from that perspective. the installation instructions as I read them take it from a perspective of an all in one instance of Splunk meaning SH and Indexer are on the same server. At the moment I have installed it on my SH. Will see what the impact is and will install it on the 2 HFs if needed.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MikeBertelsen
Communicator
‎01-31-2019 11:48 AM

I have Splunk for ClearPass installed on the SH only.
Then Aruba Clearpass was configured by another tech to stream data to a VIP which is load balanced to multiple HFs.

The details for the HF configuration follows:
inputs.conf:

Syslog listeners for generic syslog that cannot use specific port

i.e. Aruba, etc

see props.conf and transforms.conf which redirects to specific index based on host

[udp://10127]
index = syslog
sourcetype = syslog
connection_host = dns
disabled = 0
_rcvbuf = 16777216
queueSize = 16MB
persistentQueueSize = 128MB

[tcp://10127]
index = syslog
sourcetype = syslog
connection_host = dns
disabled = 0

props.conf:
[syslog]
SHOULD_LINEMERGE = False
TRANSFORMS-set-syslog-index = set_syslog_index_aruba
TRANSFORMS-set-syslog-sourcetype = set_syslog_sourcetype_aruba

transforms.conf:

Set indexes for data incoming to tcp or udp:10127

[set_syslog_index_aruba]
SOURCE_KEY = MetaData:Host
REGEX = aruba
DEST_KEY = _MetaData:Index
FORMAT = aruba

[set_syslog_sourcetype_aruba]
SOURCE_KEY = MetaData:Host
REGEX = aruba
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::aruba

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MikeBertelsen
Communicator
‎01-31-2019 11:48 AM

I have Splunk for ClearPass installed on the SH only.
Then Aruba Clearpass was configured by another tech to stream data to a VIP which is load balanced to multiple HFs.

The details for the HF configuration follows:
inputs.conf:

Syslog listeners for generic syslog that cannot use specific port

i.e. Aruba, etc

see props.conf and transforms.conf which redirects to specific index based on host

[udp://10127]
index = syslog
sourcetype = syslog
connection_host = dns
disabled = 0
_rcvbuf = 16777216
queueSize = 16MB
persistentQueueSize = 128MB

[tcp://10127]
index = syslog
sourcetype = syslog
connection_host = dns
disabled = 0

props.conf:
[syslog]
SHOULD_LINEMERGE = False
TRANSFORMS-set-syslog-index = set_syslog_index_aruba
TRANSFORMS-set-syslog-sourcetype = set_syslog_sourcetype_aruba

transforms.conf:

Set indexes for data incoming to tcp or udp:10127

[set_syslog_index_aruba]
SOURCE_KEY = MetaData:Host
REGEX = aruba
DEST_KEY = _MetaData:Index
FORMAT = aruba

[set_syslog_sourcetype_aruba]
SOURCE_KEY = MetaData:Host
REGEX = aruba
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::aruba

0 Karma
Reply
Solved! Jump to solution

vnguyen46
Contributor
‎02-04-2019 06:31 AM

Thank you for sharing the great detail info.

0 Karma
Reply
Solved! Jump to solution

MikeBertelsen
Communicator
‎02-04-2019 11:05 AM

Glad to help as others have helped me. To be clear the values listed aren't the same ones I used. But the syntax is consistent with what I used.

0 Karma
Reply
Solved! Jump to solution

vnguyen46
Contributor
‎01-30-2019 08:39 AM

Any updates on this will be very helpful. I have a distributed system as well. Do we need to install the app on both HF and SH and do the same configuration on both instances? Thanks.

0 Karma
Reply
Solved! Jump to solution

Esky73
Builder
‎04-05-2017 06:26 PM

I've just installed this on a Distributed env - you will also need to install the app on the HF's

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...