Splunk

Splunk is a log aggregator that allows you to pull in logs from across your network environment for querying and reporting. By connecting Splunk and InsightIDR, you can monitor the logs you have sent to Splunk in InsightIDR.

There are two ways to send Splunk data to InsightIDR: use the Splunk add-on, or edit the Splunk .conf files directly. Both are described below.

You can send data using either TCP or UDP, depending on how you want to configure the log forwarding.

Before You Begin

This procedure is intended for Splunk version 7.2.0.

When configuring Splunk to send data, you can only send a single stream of data per port on the Collector. Therefore, you need to configure a new Collector port for each data type you send.

If you send all of your Splunk data to InsightIDR over one port, the Collector cannot parse it into separate event sources. Each data type needs its own port.

If the destination ports are not open, the Splunk TCP output processor can become overloaded and crash, which in turn can crash your Splunk indexer and stop the data exchange.

Use the Splunk Add-On

If you want to use the Splunk add-on, you must configure it to forward logs to InsightIDR.

Follow the instructions provided by Splunk to configure this application add-on from the Details tab: https://splunkbase.splunk.com/app/3640/#/details

Edit Splunk Conf Files

If you want to send firewall logs from one application and IDS logs from another, a Splunk admin must write a stanza for each application and direct each log stream to its own port. For organizations that want to send many application logs to InsightIDR, this method can become arduous.

If you are a Splunk admin, you can configure Splunk to send data over TCP. Using syslog may cause Splunk to fail during data collection, but if you need to use syslog, follow these instructions: https://docs.splunk.com/Documentation/Splunk/7.2.4/Forwarding/Forwarddatatothird-partysystemsd#Syslog_data

For additional information on using the Splunk btool to complete this configuration, see this Splunk forum post: https://answers.splunk.com/answers/729325/has-anyone-been-able-to-integrate-splunk-with-insi.html?childToView=729951#answer-729951

Splunk standard practice is to make all configuration changes in the app's local directory. Any syslog configuration, however, must be made in the system local directory.

When configuring the .conf files, include the following stanzas:

app.conf

    [install]
    is_configured = 1

idrsetup.conf

    [setupentity]
    hostnames = <IP>

Do not include a port with the IP address.

indexes.conf

Delete the contents of this file upon installation.

outputs.conf

    [tcpout:rapidreader]
    server = IP:PORT
    sendCookedData = false

    [tcpout]
    defaultGroup = rapidreader
    indexAndForward = true
    forwardedindex.0.denylist = ^((?!alerts|cyberark).)*$

Replace IP:PORT with the Collector's IP address and the port you opened for this data type. sendCookedData = false sends raw events rather than Splunk-to-Splunk cooked data, which InsightIDR requires because it is not a Splunk receiver; indexAndForward = true keeps a local copy on the indexer in addition to forwarding.

In the last line, ^((?!alerts|cyberark).)*$ is a regex matched against index names: it denies forwarding for every index whose name does not contain "alerts" or "cyberark", so only those indexes reach InsightIDR. You can adjust the regex or build an expression to block other names as needed. Splunk 7.2 documents this setting as forwardedindex.0.blacklist; denylist is the spelling used by later Splunk releases, so use the spelling your version's outputs.conf.spec documents.

props.conf

    [index::cyberark]
    TRANSFORMS-cyberark = rapid
    [host::MYHOST]
    TRANSFORMS-myhost = rapid

These two stanzas select data for InsightIDR by index (everything in the cyberark index) and by host (everything from MYHOST); both apply the rapid transform defined in transforms.conf. Replace MYHOST with your host name, and add a stanza for each additional index or host you want to forward.

transforms.conf

    [rapid]
    REGEX = .
    DEST_KEY = _TCP_ROUTING
    FORMAT = rapidreader

REGEX = . matches every event, so everything the props.conf stanzas select is routed to the rapidreader tcpout group. Because this routing is applied at parse time, it must be configured on the instance that parses the data (an indexer or heavy forwarder), not on a universal forwarder.

If you are using syslog, route to a syslog output group instead. FORMAT then names a [syslog:rapidreader] stanza in outputs.conf rather than the tcpout group:

    [rapid]
    REGEX = .
    DEST_KEY = _SYSLOG_ROUTING
    FORMAT = rapidreader
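As an added example (not Rapid7's or Splunk's own code), the following Python script parses outputs.conf and transforms.conf text and checks the rules stated on this page: sendCookedData off, one Collector port per data type (the rule from Before You Begin), every _TCP_ROUTING transform and the defaultGroup naming a tcpout group that exists, and which index names the forwardedindex denylist regex lets through. The address 10.0.0.5:5140, the rapidreader_ids group and the rapid_ids transform are constructed for the example so the checks have something to flag; the index-filter semantics it applies (rules in numeric order, last match wins, an unmatched index forwarded) are an assumption noted in the code.

```python
"""Pre-flight checks for a Splunk-to-InsightIDR forwarding config (added example,
not Rapid7's or Splunk's own code). Parses outputs.conf / transforms.conf text and
checks the rules this page states: cooked data off, one Collector port per tcpout
group, transforms and defaultGroup naming real groups, and the index denylist."""
import configparser
import re

# Constructed sample: the page's stanzas with 10.0.0.5:5140 standing in for the
# Collector IP:PORT, plus a second group that reuses that port and leaves cooked
# data on, so the checks have something to flag.
OUTPUTS_CONF = """
[tcpout:rapidreader]
server = 10.0.0.5:5140
sendCookedData = false

[tcpout:rapidreader_ids]
server = 10.0.0.5:5140
sendCookedData = true

[tcpout]
defaultGroup = rapidreader
indexAndForward = true
forwardedindex.0.denylist = ^((?!alerts|cyberark).)*$
"""

# Constructed sample: the page's [rapid] transform plus one pointing at a group
# that outputs.conf does not define.
TRANSFORMS_CONF = """
[rapid]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = rapidreader

[rapid_ids]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = rapidreader_missing
"""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}


def check_outputs(outputs):
    """Return (problems, tcpout_groups) for a parsed outputs.conf."""
    problems, by_port = [], {}
    groups = {n[len("tcpout:"):]: kv for n, kv in outputs.items() if n.startswith("tcpout:")}
    for group, kv in groups.items():
        # InsightIDR is not a Splunk receiver, so cooked (Splunk-to-Splunk) data must be off.
        if kv.get("sendCookedData", "true").lower() != "false":
            problems.append(f"{group}: sendCookedData must be false for a non-Splunk receiver")
        for server in kv.get("server", "").split(","):
            host, _, port = server.strip().rpartition(":")
            if port.isdigit():
                by_port.setdefault((host, port), []).append(group)
            else:
                problems.append(f"{group}: server '{server.strip()}' is not host:port")
    # The Collector parses one data type per port, so two groups must not share one.
    for (host, port), names in by_port.items():
        if len(names) > 1:
            problems.append(f"{host}:{port} is shared by {sorted(names)}; use one port per data type")
    default = outputs.get("tcpout", {}).get("defaultGroup")
    if default and default not in groups:
        problems.append(f"defaultGroup '{default}' has no [tcpout:{default}] stanza")
    return problems, groups


def check_transforms(transforms, groups):
    """Every _TCP_ROUTING transform must name a tcpout group that exists."""
    return [f"{n}: FORMAT '{kv.get('FORMAT')}' is not a tcpout group"
            for n, kv in transforms.items()
            if kv.get("DEST_KEY") == "_TCP_ROUTING" and kv.get("FORMAT") not in groups]


def forwarded_indexes(outputs, index_names):
    """Apply forwardedindex.<n>.denylist/allowlist (or blacklist/whitelist) regexes
    to index names in numeric order, last matching rule winning. Assumption: an
    index that no rule matches is forwarded, which is the reading this page uses."""
    rules = []
    for key, value in outputs.get("tcpout", {}).items():
        m = re.fullmatch(r"forwardedindex\.(\d+)\.(denylist|blacklist|allowlist|whitelist)", key)
        if m:
            rules.append((int(m.group(1)), m.group(2) in ("denylist", "blacklist"), re.compile(value)))
    rules.sort(key=lambda r: r[0])
    kept = []
    for index in index_names:
        forwarded = True
        for _, is_deny, regex in rules:
            if regex.search(index):
                forwarded = not is_deny
        if forwarded:
            kept.append(index)
    return kept


def run_checks(outputs_text=OUTPUTS_CONF, transforms_text=TRANSFORMS_CONF):
    """Run every check and return the combined list of problems (empty if clean)."""
    outputs = parse_conf(outputs_text)
    problems, groups = check_outputs(outputs)
    return problems + check_transforms(parse_conf(transforms_text), groups)
```

Call run_checks() with your own conf text (the stanza output of splunk btool outputs list and splunk btool transforms list is in the same format); an empty list means the checks pass. With the constructed sample it reports the cooked-data setting, the shared port and the dangling FORMAT, and forwarded_indexes() shows that only index names containing "alerts" or "cyberark" survive the denylist regex.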

Configure Splunk in InsightIDR

After you configure Splunk, configure the InsightIDR side. This has two parts: add Splunk as a Data Exporter so that InsightIDR sends its data to Splunk, and choose Log Aggregator as the collection method when configuring other event sources so that the Collector ingests the logs Splunk forwards.

To add Splunk as a Data Exporter:

  1. From your dashboard, select Data Collection on the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Data Exporter icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. In the “Hostname” field, enter the FQDN or the IP address of the machine that hosts your Splunk configuration.
  6. In the “Port” field, enter the TCP port that Splunk will use to accept logs from InsightIDR.
  7. For “Data Export Types,” check which kinds of data you want InsightIDR to send to Splunk.
  8. Click the Save button.

To use Splunk as the Log Aggregator for an event source:

  1. During configuration of a different event source, choose Log Aggregator as your collection method after you complete the earlier configuration fields.
  2. Enter the Collector port you configured as PORT in outputs.conf for this data type (one port per data type).
  3. In the “Protocol” dropdown, select the TCP option. Check the Encrypted box to encrypt log data.
  4. Click the Save button.

Splunk can now accept logs from InsightIDR, and the Collector ingests the logs Splunk forwards to each configured port.