Splunk Enterprise Security

HPE Aruba ClearPass App for Splunk Enterprise: How to configure the app for my Splunk instance?

Communicator

I have a Splunk instance with a Search Head (SH) and two load balanced Indexers. There are two Heavy Forwarders (HF) dedicated to forwarding syslog data to the indexers.
The installation instructions do not accommodate that perspective. The installation instructions, as I read them, take the perspective of an all-in-one instance of Splunk, meaning the SH and Indexer are on the same server. At the moment I have installed it on my SH. I will see what the impact is and will install it on the 2 HFs if needed.


Communicator

I have Splunk for ClearPass installed on the SH only.
Then Aruba Clearpass was configured by another tech to stream data to a VIP which is load balanced to multiple HFs.

The details for the HF configuration follow:

inputs.conf:

# Syslog listeners for generic syslog that cannot use a specific port,
# i.e. Aruba, etc.
# See props.conf and transforms.conf, which redirect to a specific index based on host.

[udp://10127]
index = syslog
sourcetype = syslog
connection_host = dns
disabled = 0
_rcvbuf = 16777216
queueSize = 16MB
persistentQueueSize = 128MB

[tcp://10127]
index = syslog
sourcetype = syslog
connection_host = dns
disabled = 0


props.conf:

# Applied to everything arriving with sourcetype=syslog; the transform names
# on the right must match the stanza names in transforms.conf exactly.
[syslog]
SHOULDLINEMERGE = False
TRANSFORMS-set-syslog-index = setsyslogindexaruba
TRANSFORMS-set-syslog-sourcetype = setsyslogsourcetypearuba


transforms.conf:

# Set index and sourcetype for data incoming on tcp or udp:10127 whose
# resolved host name contains "aruba" (REGEX is matched against "host::<name>").

[setsyslogindexaruba]
SOURCE_KEY = MetaData:Host
REGEX = aruba
DEST_KEY = _MetaData:Index
FORMAT = aruba

[setsyslogsourcetypearuba]
SOURCE_KEY = MetaData:Host
REGEX = aruba
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::aruba

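As an added example (not from the original post, the HPE Aruba ClearPass app, or Splunk itself), the script below simulates what that props.conf/transforms.conf pair does on the heavy forwarder and adds the check a practitioner wants before restarting splunkd: that every name listed in a TRANSFORMS-* setting exists as a stanza in transforms.conf. Splunk does not fail on a dangling reference; the rewrite simply never happens and the events land in the default index and sourcetype from inputs.conf. The .conf text, host names, and log lines are constructed for illustration; the routing logic models Splunk's documented behaviour of matching REGEX against "host::<name>" and requiring a "sourcetype::" prefix in FORMAT when MetaData:Sourcetype is the DEST_KEY.

```python
import configparser
import re

# Constructed .conf text mirroring the HF stanzas in the answer above.
PROPS_CONF = """
[syslog]
SHOULDLINEMERGE = False
TRANSFORMS-set-syslog-index = setsyslogindexaruba
TRANSFORMS-set-syslog-sourcetype = setsyslogsourcetypearuba
"""

# Same stanza, but one name matches no transforms.conf stanza: the kind of
# typo (stray underscore) that leaves the sourcetype rewrite silently unapplied.
BROKEN_PROPS_CONF = PROPS_CONF.replace("setsyslogsourcetypearuba", "setsyslogsourcetype_aruba")

TRANSFORMS_CONF = """
[setsyslogindexaruba]
SOURCE_KEY = MetaData:Host
REGEX = aruba
DEST_KEY = _MetaData:Index
FORMAT = aruba

[setsyslogsourcetypearuba]
SOURCE_KEY = MetaData:Host
REGEX = aruba
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::aruba
"""

# Splunk hands MetaData:* values to REGEX with a "<field>::" prefix and expects
# the same prefix in FORMAT when that field is the DEST_KEY; the index key is
# the exception and takes a bare index name.
META_KEYS = {
    "_MetaData:Index": ("index", ""),
    "MetaData:Host": ("host", "host::"),
    "MetaData:Source": ("source", "source::"),
    "MetaData:Sourcetype": ("sourcetype", "sourcetype::"),
}

# Constructed events tagged as the udp://10127 input would tag them
# (index=syslog, sourcetype=syslog, host resolved via DNS).
SAMPLE_EVENTS = [
    {"_raw": "<134>Jan 10 12:00:01 cppm RADIUS: login ok", "source": "udp:10127",
     "host": "aruba-cp01.corp.example", "sourcetype": "syslog", "index": "syslog"},
    {"_raw": "<134>Jan 10 12:00:02 fw: deny tcp 10.0.0.5 -> 10.0.1.9", "source": "udp:10127",
     "host": "fw-edge01.corp.example", "sourcetype": "syslog", "index": "syslog"},
]


def load_conf(text):
    """Parse Splunk .conf text, keeping key case and using '=' as the only delimiter."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def transform_names(value):
    """A TRANSFORMS-<class> value is a comma-separated list of stanza names."""
    return [n.strip() for n in value.split(",") if n.strip()]


def check_transform_refs(props, transforms):
    """Return (props_stanza, setting, name) for every TRANSFORMS-* reference
    that names a stanza missing from transforms.conf; empty list means consistent."""
    missing = []
    for stanza in props.sections():
        for key, value in props.items(stanza):
            if key.startswith("TRANSFORMS-"):
                for name in transform_names(value):
                    if not transforms.has_section(name):
                        missing.append((stanza, key, name))
    return missing


def route_event(props, transforms, event):
    """Apply the TRANSFORMS-* chain of props stanza [<sourcetype>] to one event
    and return its rewritten metadata, as the HF's parsing pipeline would."""
    ev = dict(event)
    stanza = ev["sourcetype"]
    if not props.has_section(stanza):
        return ev
    # Sorted for determinism; these two write different keys, so order is moot here.
    for key in sorted(k for k in props[stanza] if k.startswith("TRANSFORMS-")):
        for name in transform_names(props[stanza][key]):
            if not transforms.has_section(name):
                continue  # dangling reference: nothing happens, no error
            t = transforms[name]
            field, prefix = META_KEYS.get(t.get("SOURCE_KEY", "_raw"), ("_raw", ""))
            if not re.search(t["REGEX"], prefix + ev.get(field, "")):
                continue
            dest_field, dest_prefix = META_KEYS[t["DEST_KEY"]]
            fmt = t["FORMAT"]
            if not fmt.startswith(dest_prefix):
                raise ValueError(f"[{name}] FORMAT must begin with {dest_prefix!r}")
            ev[dest_field] = fmt[len(dest_prefix):]
    return ev


def route_samples(props_text=PROPS_CONF):
    """host -> (index, sourcetype) after routing the constructed events."""
    props, transforms = load_conf(props_text), load_conf(TRANSFORMS_CONF)
    out = {}
    for ev in SAMPLE_EVENTS:
        r = route_event(props, transforms, ev)
        out[ev["host"]] = (r["index"], r["sourcetype"])
    return out


if __name__ == "__main__":
    for label, text in (("good", PROPS_CONF), ("broken", BROKEN_PROPS_CONF)):
        print(label, "missing:", check_transform_refs(load_conf(text), load_conf(TRANSFORMS_CONF)))
        print(label, "routing:", route_samples(text))
```

Two caveats the simulation makes visible. REGEX is case-sensitive, so a host reported as "Aruba-CP01" would not be rerouted unless the pattern is written as (?i)aruba; and the target index named in FORMAT must be defined on the indexers, since events sent to an index that does not exist there are not stored. Because these transforms run at index time on the first full Splunk instance in the path (the HFs here), the indexers receive already-routed data, which is why the app's props/transforms belong on the HFs rather than on the search head alone.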

Contributor

Thank you for sharing the great detailed info.


Communicator

Glad to help as others have helped me. To be clear the values listed aren't the same ones I used. But the syntax is consistent with what I used.


Contributor

Any updates on this will be very helpful. I have a distributed system as well. Do we need to install the app on both HF and SH and do the same configuration on both instances? Thanks.


Builder

I've just installed this in a distributed environment; you will also need to install the app on the HFs.
