Applicable for ENA v17.0 P07 upwards.
- To set up the Entuity app with Splunk, and to view the Event Dashboard in Splunk
- To forward events to Splunk
- To forward incidents to Splunk
- To set up the Splunk configuration file
To set up the Entuity app with Splunk, and to view the Event Dashboard in Splunk:
- On the Splunk Enterprise page, click Install app from file in the top right of the window. This will open the Upload app page. Browse and select the Entuity app file and click Upload.
- Once the Entuity app has been uploaded, click the Apps dropdown field at the top of the page, and select Entuity App. This will open the Entuity app.
- Click the Dashboards tab at the top of the window to open the Dashboards page. Click Event Dashboard to open the dashboard, which will be empty until you have configured Entuity to forward events to Splunk (see below).
To forward events to Splunk:
You can forward events to Splunk (via the HttpEventCollector in Splunk) by setting up an event rule. The same forwarded events feed the Event Dashboard in Splunk.
- Follow the instructions provided by the Splunk documentation to generate an HttpEventCollector in Splunk. Ensure the sourceType is 'Entuity_Events'. Also, ensure that, in Global Settings, the token is set to Enabled.
- In Entuity, click Main Menu and then Administration.
- On the Administration page, click Event Administration.
- On the Event Administration page, click the Rules tab.
- Select Post Storage in the tree on the left, and then click Add Rule at the bottom of the window.
- This will open the Add Rule window. Ensure the Type field is set to 'Generic', and that the enabled box is ticked.
- Complete the Name and Description fields as appropriate.
- Leave the Condition field as 'None'.
- In the Action Steps section, click Add.
- This will open the Add Action window. In the Type dropdown field, select 'Send to Splunk', which will update the window. In the Parameters field below, select the 'cname' parameter and click Set. This will open the Parameter Value window. Click OK.
- Select the 'token' parameter and click Set. This will open the Parameter Value window. Set the Value field to the Splunk HttpEventCollector token, and click OK.
- Click OK to save and close the Action Step.
- Click OK to save and add the rule.
- Save the event project by clicking the Save icon in the top right of the browser.
To forward incidents to Splunk:
You can forward incidents to Splunk (via the HttpEventCollector in Splunk) by setting up an event trigger. You can configure a global trigger so that all incidents will be forwarded to a server, or individual triggers so that only individual incidents will be forwarded.
- Follow the instructions provided by the Splunk documentation to generate an HttpEventCollector in Splunk.
- Click Main Menu and then Administration.
- On the Administration page, click Event Administration.
- On the Event Administration page, click the Incidents tab.
- Click Edit Global Triggers at the bottom of the window.
- This will open the Edit Global Triggers window. Click Add.
- This will open the Create Trigger window. Complete the Name and Description fields as appropriate.
- Ensure that the On Transition To dropdown field is set to 'Any Change' so that all incidents raised against the same source are sent to Splunk.
- In the Condition dropdown field, select 'All tests must succeed'. This will update the window. In the Tests section that appears below, click Add.
- This will open the Add Test window. In the Type dropdown field, select 'Incident Severity Test'. In the Expression dropdown field, specify the severity level you wish to forward. Click OK.
- In the Action Steps section, click Add.
- This will open the Add Action window. In the Type dropdown field, select 'Send to Splunk', which will update the window. In the Parameters field below, select the 'cname' parameter and click Set. This will open the Parameter Value window. Click OK.
- Select the 'token' parameter and click Set. This will open the Parameter Value window. Set the Value field to the Splunk HttpEventCollector token, and click OK.
- Click OK to save and close the Action Step.
- Click OK to save and add the trigger.
- Save the event project by clicking the Save icon in the top right of the browser.
If you want to differentiate between when an incident is opened, closed and expired, set up multiple forwarding actions, each with a different On Transition To field value (the On Transition To step above). Ensure each HttpEventCollector has a different sourceType so the incidents can be differentiated in Splunk.
To set up the Splunk configuration file:
The Splunk-example.cfg file is located at ../installarea/etc/Splunk-example.cfg. Using this example, create a Splunk.cfg file in the same directory, i.e. ../installarea/etc/Splunk.cfg.
In the example file, trust=1. If you are using the Splunk Cloud version, set trust=0; this turns off checking of the certificates.
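Before wiring the 'Send to Splunk' action into an event rule or incident trigger, it helps to confirm that the HttpEventCollector token and sourceType are accepted by Splunk. The script below is an added example, not part of the Entuity product or this page: it builds and posts one constructed test event to the standard HEC endpoint (the base URL and token placeholder are assumptions), keeping TLS certificate verification on unless explicitly disabled.

```python
import json
import ssl
import time
import urllib.request

HEC_PATH = "/services/collector/event"  # standard Splunk HEC event endpoint


def build_hec_request(token, sourcetype, event, epoch=None):
    """Return (headers, body) for one HEC event.

    HEC authenticates with an 'Authorization: Splunk <token>' header; the
    sourcetype in the body must match the one the Entuity app expects
    ('Entuity_Events' for the event rule described above).
    """
    if not token:
        raise ValueError("HEC token is empty; enable the token in Global Settings first")
    payload = {
        "time": epoch if epoch is not None else time.time(),
        "sourcetype": sourcetype,
        "event": event,
    }
    headers = {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }
    return headers, json.dumps(payload).encode("utf-8")


def send_test_event(hec_base_url, token, sourcetype="Entuity_Events", verify_tls=True):
    """POST a constructed test event and return Splunk's JSON reply.

    verify_tls=False skips certificate checking (the same trade-off as turning
    certificate checking off in Splunk.cfg) and should be a deliberate choice.
    """
    # Constructed sample event; field names are hypothetical, not Entuity's schema.
    event = {"source": "Entuity", "name": "HEC connectivity test", "severity": "info"}
    headers, body = build_hec_request(token, sourcetype, event)
    url = hec_base_url.rstrip("/") + HEC_PATH
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))  # e.g. {"text": "Success", "code": 0}


if __name__ == "__main__":
    # Assumed HEC base URL and placeholder token; replace with your own values.
    print(send_test_event("https://splunk.example.com:8088", "HEC-TOKEN-PLACEHOLDER"))
```

After a successful post, searching `sourcetype=Entuity_Events` in Splunk should show the test event, which confirms the token and sourceType before the Entuity rule is saved.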