I’ve created a custom TA to make it work with Enterprise Security, packaged it as 'TA_foo' and deployed it on my Splunk instance.
The eventtypes work fine in the Search & Report app, showing every field mapped to CIM attack and ids, but when I change the App context to Enterprise Security they don’t seem to show up properly.
All permissions are set to global.
You really should NOT edit local.meta to import differently-named TAs that don't match TA-.*. Instead, you should edit the appropriate regex in inputs.conf as documented here: http://docs.splunk.com/Documentation/ES/4.0.1/Install/InstallTechnologyAdd-ons#Import_add-ons_with_a...
UPDATE
I'm changing my answer. DON'T DO THIS. As martin and esix pointed out, it's not a good idea to break the standard way of using ES.
Just try to understand why the eventtype didn't show up in ES only, since Splunk doesn't tell you exactly why. I guess I should have focused more on explaining the reason.
Anyway, always use CIM-compatible add-ons and ask for PS if you need any customization.
I'll keep my previous answer below in case somebody makes similar mistakes.
It seems that Enterprise Security has a dependency on its apps and add-ons. If you go to $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/metadata and open up the default.meta file, you’ll see an attribute named “import”. This attribute is not documented in default.meta.conf.
But it is pretty obvious, if you follow the import dependency through ES to DA to SA to TA, that your custom add-on, which is a TA, should be added to some SA. For those who don’t know, DA stands for Domain Add-on, SA for Support Add-on and TA for Technology Add-on.
I’ve added my 'TA_foo' in Splunk_SA_CIM by modifying $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/metadata/local.meta like below, and now it works fine. (Just add ', TA_foo' at the end of the import attribute.)
[]
access = read : [ * ], write : [ admin ]
export = system
version = 6.3.1
modtime = 1449612718.015126000
import = DA-ESS-AccessProtection, DA-ESS-EndpointProtection, DA-ESS-IdentityManagement, DA-ESS-NetworkProtection, DA-ESS-ThreatIntelligence, SA-AccessProtection, SA-AuditAndDataProtection, SA-EndpointProtection, SA-IdentityManagement, SA-NetworkProtection, SA-ThreatIntelligence, SA-UEBA, SA-Utils, Splunk_DA-ESS_PCICompliance, Splunk_SA_CIM, Splunk_SA_ExtremeSearch, Splunk_TA_bluecoat-proxysg, Splunk_TA_bro, Splunk_TA_flowfix, Splunk_TA_juniper, Splunk_TA_mcafee, Splunk_TA_nessus, Splunk_TA_nix, Splunk_TA_oracle, Splunk_TA_ossec, Splunk_TA_paloalto, Splunk_TA_sophos, Splunk_TA_sourcefire, Splunk_TA_symantec-ep, Splunk_TA_ueba, Splunk_TA_windows, TA-airdefense, TA-alcatel, TA-cef, TA-fireeye, TA-fortinet, TA-ftp, TA-ncircle, TA-nmap, TA-rsa, TA-tippingpoint, TA-trendmicro, TA-websense, search, TA_foo
Restart Splunk or call https://splunk_host:8000/en_US/debug/refresh to make changes effective.
To check whether ES now recognizes your eventtypes, go to Settings > Event Types and search for your eventtype with the App context set to Enterprise Security.
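Both answers above turn on the same point: ES imports apps by matching their names against a regex (the accepted answer's fix, since 'TA_foo' does not match TA-.*), and an app appended by hand to the import attribute in local.meta is not matched by that regex, which is why the commenters warn it breaks. The following added example (not code from the thread or from Splunk) checks an app name or a pasted .meta import list against an import regex before you deploy. The regex constant is an assumption for illustration only; copy the real one from your own ES inputs.conf, and the .meta sample is a constructed, shortened copy of the stanza pasted above.

```python
import re
from typing import List

# ASSUMPTION: illustrative naming-convention regex in the style ES uses to pick
# the apps it imports. Take the real pattern from your own ES inputs.conf.
ASSUMED_IMPORT_REGEX = (
    r"(appsbrowser)|(search)|([ST]A-.*)|(Splunk_[ST]A_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)"
)

# Constructed, shortened copy of a hand-edited local.meta global stanza,
# with TA_foo appended by hand as the old answer describes.
SAMPLE_LOCAL_META = """\
[]
access = read : [ * ], write : [ admin ]
export = system
import = DA-ESS-AccessProtection, SA-AccessProtection, Splunk_SA_CIM, Splunk_TA_windows, TA-nmap, search, TA_foo
"""


def parse_import_attribute(meta_text: str) -> List[str]:
    """Return the app names listed in the 'import =' attribute of a .meta stanza."""
    for line in meta_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "import":
            return [name.strip() for name in value.split(",") if name.strip()]
    return []


def is_imported(app_name: str, import_regex: str) -> bool:
    """True if this app name is matched by the regex-driven import mechanism."""
    return re.fullmatch(import_regex, app_name) is not None


def extend_import_regex(import_regex: str, extra_pattern: str) -> str:
    """Add one more alternative (e.g. 'TA_.*') to the import regex, the
    documented way to admit add-ons with a different naming convention."""
    return f"{import_regex}|({extra_pattern})"


def find_unmatched_imports(meta_text: str, import_regex: str) -> List[str]:
    """Apps present in a hand-edited import list but NOT matched by the regex.

    These entries exist only because of the manual local.meta edit; they are the
    ones the thread warns may not survive the ES updater.
    """
    return [
        name
        for name in parse_import_attribute(meta_text)
        if not is_imported(name, import_regex)
    ]


if __name__ == "__main__":
    print("unmatched by the import regex:",
          find_unmatched_imports(SAMPLE_LOCAL_META, ASSUMED_IMPORT_REGEX))
    fixed = extend_import_regex(ASSUMED_IMPORT_REGEX, r"TA_.*")
    print("unmatched after extending the regex:",
          find_unmatched_imports(SAMPLE_LOCAL_META, fixed))
```

Run it as-is to see 'TA_foo' reported as the only entry that depends on the manual edit; renaming the add-on to the TA- convention, or extending the regex as shown, makes the list empty without touching local.meta.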
I downvoted this post because this is not supported or recommended. See other notes about app import properties for ES.
I downvoted this post because it differs from what is documented and probably breaks when the updater runs.