Splunk Enterprise

How to forward Active Directory events with certain AD fields in CEF format out of Splunk?

Engager

I am new to Splunk. I need to set up a lab environment where Splunk forwards out events in CEF format. I figured out how to send events into Splunk (I think), so my question is mostly about forwarding the events out of Splunk. The data size does not matter (can be small). My questions:
1) Which product and license should I purchase? Can I get by with just the free version?
2) How to set up forwarding events in CEF format? Specifically AD events into CEF with certain AD fields.
3) I was given a CEF app configuration, which is supposed to be related to 2) above, but I need help with how to import this config and where.

Unfortunately, I cannot attach it here since I need some karma points for attaching files 😞. Basically this config includes: app.conf, inputs.conf, limits.conf, outputs.conf, savedsearches.conf.

Thank you!

0 Karma
1 Solution

Splunk Employee

The Splunk App for CEF documentation might be able to point you in the right direction, if you are using that app. See http://docs.splunk.com/Documentation/CEFapp . However, note that Splunk Light allows you to use add-ons, but not apps.

You can compare Splunk Light Free vs. Splunk Light (paid) license options and limitations in the Splunk Light documentation. See http://docs.splunk.com/Documentation/SplunkLight/6.3.0/GettingStarted/AboutSplunkLight . If you're interested in using the Splunk App for CEF, you can also evaluate whether Splunk Free or Splunk Enterprise will suit your needs. See http://www.splunk.com/en_us/products/splunk-enterprise/free-vs-enterprise.html.


Splunk Employee

In the CEF app, click "New CEF output" to walk through the process of selecting data, mapping fields, defining outputs, and saving your search. See Use the Splunk App for CEF in the docs for more information.

0 Karma

Engager

Thank you. I created the new Data-Model and it is displayed in the list of data-models (with the splunk_app_cef).
Next I followed the document "Use the Splunk App for CEF" and clicked "New CEF Output", which brings me to the screen: "1. Select Data". The screen has the Data Model dropdown, however it lists none, even though I created and saved it in the previous step.

So I am stuck at step 1. Select Data.

Can you please help?

0 Karma

Splunk Employee

When you create a data model, you specify the App that it applies to. Is it possible that you did not choose the Splunk App for CEF in the App selector of the New Data Model window?

Engager

I figured out this particular issue: I needed to change the permission for the model from default to 'everyone' (it is displayed as 'Global' now). After that I can see my model in the drop-down when I am configuring the App For CEF. 🙂

Moving on...

0 Karma

Engager

Thank you. I installed Splunk Enterprise and the Splunk App for CEF successfully. I also uploaded sample AD data and it displays when I search it, however it is not in CEF format.

My question is: how do I make it display and forward out of Splunk in CEF format?

This doc http://docs.splunk.com/Documentation/CEFapp says:

"Using data models that you have either created yourself or those included with the Common Information Model (CIM), you describe the data to prepare it for output in CEF. Use the guided search wizard included in the Splunk App for CEF to define what the output will look like in CEF by selecting a data model, automatically or manually mapping data model attributes to fields where necessary, creating any new static fields you need, and defining the name of the syslog receiver that will receive the data."

I could not find the "guided search wizard" unfortunately. Do you have a video tutorial?

Thank you!

0 Karma
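To make concrete what the quoted documentation means by "mapping data model attributes to fields", here is an added Python example (not code from this thread or from the Splunk App for CEF) that takes a constructed Windows AD logon event, maps a few of its fields to CEF extension keys, and emits a CEF line with the header and extension escaping the format requires; the field names and the mapping are assumptions for illustration.

```python
"""Render selected Active Directory event fields as a CEF line (added example)."""

# Constructed sample of a Windows Security event as Splunk might index it (not real data).
SAMPLE_AD_EVENT = {
    "EventCode": "4624",
    "name": "An account was successfully logged on",
    "Account_Name": r"CORP\jdoe",       # backslash exercises extension escaping
    "src_ip": "10.0.0.5",
    "ComputerName": "DC01.corp.example.com",
    "Logon_Type": "3",
}

# Assumed mapping: CEF extension key -> source field in the AD event.
FIELD_MAP = {"suser": "Account_Name", "src": "src_ip", "dhost": "ComputerName", "cs1": "Logon_Type"}

def escape_header(value: str) -> str:
    """CEF header fields must escape backslash and the pipe separator."""
    return value.replace("\\", "\\\\").replace("|", "\\|")

def escape_extension(value: str) -> str:
    """CEF extension values must escape backslash and '='; newlines become \\r \\n."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))

def ad_event_to_cef(event: dict, severity: int = 3, vendor: str = "Microsoft",
                    product: str = "Active Directory", version: str = "1.0") -> str:
    """Build 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|ext' from an AD event."""
    header = ["CEF:0", vendor, product, version, event["EventCode"], event["name"], str(severity)]
    pairs = [f"{key}={escape_extension(str(event[src]))}"
             for key, src in FIELD_MAP.items() if src in event]
    if "Logon_Type" in event:
        pairs.append("cs1Label=LogonType")   # custom string fields need a label to be meaningful
    return "|".join(escape_header(h) for h in header) + "|" + " ".join(pairs)

def split_cef(line: str):
    """Split a CEF line into its 7 header fields and the extension, honouring backslash
    escapes so an escaped pipe inside a header field is not treated as a separator."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character: keep it literally
            cur.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-separated fields")
    return fields, line[i:]

if __name__ == "__main__":
    print(ad_event_to_cef(SAMPLE_AD_EVENT))
```

The receiver you name in the wizard sees exactly one such line per event, so a mapping that leaves a required header field empty or unescaped is the first thing to check when a downstream SIEM rejects the feed.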

Splunk Employee

I have not used the CEF app myself and I don't believe we have a video tutorial for it. I will try to find a resource who knows more about that app and can help out.

0 Karma