How to install the Security Query based App for RSA Security Analytics in a distributed search environment, and how to poll my queries with separate brokers and concentrators?

nychawk
Communicator

Hello;

I am excited to try this newly released app, and have a few questions:

  1. My setup has several brokers and concentrators, none combined; each broker and concentrator is on a separate server. Any recommendations for the best way to deploy/poll my queries?

  2. My Splunk setup is distributed. Should this app be installed on my indexers only?

Thank you,

-mi

0 Karma

rataide
Path Finder

Hi,

Not sure why you would have brokers if all your concentrators are separate, but that aside, I understand your question.

For 1) - What you need to do is create multiple configuration files and create an inputs.conf in /local/ to reference them, as in the example below:

[script://./bin/nwsdk_query.py nwsdk_query_concentratorA]
interval = 60
sourcetype = netwitness
passAuth = splunk-system-user

[script://./bin/nwsdk_query.py nwsdk_query_concentratorB]
interval = 60
sourcetype = netwitness
passAuth = splunk-system-user

[script://./bin/nwsdk_query.py nwsdk_query_brokerC]
interval = 60
sourcetype = netwitness
passAuth = splunk-system-user

Each of the nwsdk_query_*.conf files would then have a different URL for access and possibly a different query too. They would also need a separate tracking file, so really you don't want any overlap in the configuration other than the username/password combination used for access.

For question 2) - You only need to install the app on your indexers for now. All Dashboards are still only in the original app ( https://splunkbase.splunk.com/app/770/ ).

Hope this helps!

Regards,

Rui

nychawk
Communicator

Thank you Rui!

With regards to the separate broker and concentrator, we are running our infra on VMs, and they came separate. Also, we are looking at how we will decrypt SSL traffic; thus far our plans require a separate broker to decoder.

I'll keep you posted on my install as I make progress, which won't be for a few weeks at best.

0 Karma

rataide
Path Finder

Sounds good, do keep me posted and reach out if you have any issues.

On the broker/concentrator topic, I think you mean decoder, not broker, based on SSL decryption. If that's the case, I wouldn't try to connect to it with this app; it's really only meant for concentrators or brokers. Regardless, this is probably not a discussion for this forum. My e-mail is on the app, so please reach out directly if you have any questions or think we need to discuss this further.

Thank you,

Rui

0 Karma

nychawk
Communicator

Yes, two decoders: one to capture non-SSL, the other to receive from a decryption device; both to the same concentrator.

Will send via PM.

Thank you,

-mi

0 Karma