Splunk Enterprise Security

HPE Aruba ClearPass App for Splunk Enterprise: How to configure the app for my Splunk instance?

MikeBertelsen
Communicator

I have a Splunk instance with a Search Head (SH) and two load-balanced Indexers. There are two Heavy Forwarders (HF) dedicated to forwarding syslog data to the indexers.
The installation instructions do not accommodate that perspective. The installation instructions, as I read them, take the perspective of an all-in-one instance of Splunk, meaning SH and Indexer are on the same server. At the moment I have installed it on my SH. I will see what the impact is and will install it on the 2 HFs if needed.

0 Karma
1 Solution

MikeBertelsen
Communicator

I have Splunk for ClearPass installed on the SH only.
Then Aruba ClearPass was configured by another tech to stream data to a VIP which is load balanced to multiple HFs.

The details for the HF configuration follow:
inputs.conf:

# Syslog listeners for generic syslog that cannot use specific port
# i.e. Aruba, etc
# see props.conf and transforms.conf which redirects to specific index based on host

[udp://10127]
index = syslog
sourcetype = syslog
connection_host = dns
disabled = 0
_rcvbuf = 16777216
queueSize = 16MB
persistentQueueSize = 128MB

[tcp://10127]
index = syslog
sourcetype = syslog
connection_host = dns
disabled = 0


props.conf:
[syslog]
SHOULD_LINEMERGE = False
TRANSFORMS-set-syslog-index = set_syslog_index_aruba
TRANSFORMS-set-syslog-sourcetype = set_syslog_sourcetype_aruba


transforms.conf:

# Set indexes for data incoming to tcp or udp:10127

[set_syslog_index_aruba]
SOURCE_KEY = MetaData:Host
REGEX = aruba
DEST_KEY = _MetaData:Index
FORMAT = aruba

[set_syslog_sourcetype_aruba]
SOURCE_KEY = MetaData:Host
REGEX = aruba
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::aruba

0 Karma
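To see what the props/transforms chain above actually does to an event before rolling it out to the HFs, here is a small Python simulation of the index-time routing. It is an added example, not code from the thread, from Splunk or from the ClearPass app: it re-implements just enough of the transforms.conf semantics (SOURCE_KEY, REGEX, DEST_KEY, FORMAT) to show which index and sourcetype each event ends up with, plus a check that every target index is actually defined on the indexers. The hostnames and log lines are constructed for the demo.

```python
import re
from dataclasses import dataclass

# transforms.conf stanzas from the answer above (values copied as posted).
TRANSFORMS = {
    "set_syslog_index_aruba": {
        "SOURCE_KEY": "MetaData:Host",
        "REGEX": "aruba",
        "DEST_KEY": "_MetaData:Index",
        "FORMAT": "aruba",
    },
    "set_syslog_sourcetype_aruba": {
        "SOURCE_KEY": "MetaData:Host",
        "REGEX": "aruba",
        "DEST_KEY": "MetaData:Sourcetype",
        "FORMAT": "sourcetype::aruba",
    },
}

# props.conf: the TRANSFORMS-* entries under [syslog], in the order they run.
PROPS = {"syslog": ["set_syslog_index_aruba", "set_syslog_sourcetype_aruba"]}


@dataclass
class Event:
    """One syslog event as it leaves the [udp://10127] or [tcp://10127] input."""
    host: str
    raw: str
    index: str = "syslog"       # index = syslog in inputs.conf
    sourcetype: str = "syslog"  # sourcetype = syslog in inputs.conf


def _source_value(ev: Event, key: str) -> str:
    """Resolve a SOURCE_KEY to the field the regex is tested against."""
    if key == "MetaData:Host":
        return ev.host
    if key == "_raw":
        return ev.raw
    raise ValueError(f"unsupported SOURCE_KEY {key!r} in this simulation")


def _apply_dest(ev: Event, dest_key: str, fmt: str) -> None:
    """Write FORMAT into DEST_KEY, using the shape Splunk expects for each key."""
    if dest_key == "_MetaData:Index":
        ev.index = fmt  # FORMAT is the bare index name
    elif dest_key == "MetaData:Sourcetype":
        prefix, _, value = fmt.partition("::")  # FORMAT must be sourcetype::<name>
        if prefix != "sourcetype" or not value:
            raise ValueError(f"FORMAT must be sourcetype::<name>, got {fmt!r}")
        ev.sourcetype = value
    else:
        raise ValueError(f"unsupported DEST_KEY {dest_key!r} in this simulation")


def route(ev: Event) -> Event:
    """Apply the props/transforms chain selected by the event's incoming sourcetype."""
    # The [syslog] stanza is chosen by the sourcetype the event arrived with,
    # so the later sourcetype rewrite does not change which transforms run.
    for name in PROPS.get(ev.sourcetype, []):
        t = TRANSFORMS[name]
        # Splunk's REGEX is an unanchored, case-sensitive search unless the
        # pattern itself uses (?i); "aruba" therefore does not match "ARUBA".
        if re.search(t["REGEX"], _source_value(ev, t["SOURCE_KEY"])):
            _apply_dest(ev, t["DEST_KEY"], t["FORMAT"])
    return ev


def undefined_indexes(events, defined_indexes):
    """Target indexes that do not exist on the indexers. Events routed there
    are dropped unless indexes.conf sets lastChanceIndex, so run this check
    before trusting the transform in production."""
    return {ev.index for ev in events} - set(defined_indexes)


# Constructed sample events; none of these hosts come from the thread.
SAMPLE = [
    Event("aruba-cp01.example.net", "<14>Mar 1 10:00:00 aruba-cp01 RADIUS accept user=alice"),
    Event("fw-edge01.example.net", "<14>Mar 1 10:00:01 fw-edge01 deny tcp 10.0.0.5 -> 10.0.1.9"),
    Event("ARUBA-CP02.example.net", "<14>Mar 1 10:00:02 ARUBA-CP02 RADIUS reject user=bob"),
]


def route_all(events=SAMPLE):
    """Route every event and return (host, index, sourcetype) rows."""
    return [(ev.host, route(ev).index, ev.sourcetype) for ev in events]


if __name__ == "__main__":
    for host, idx, st in route_all():
        print(f"{host:28} -> index={idx:8} sourcetype={st}")
    # Indexes defined on the indexers (constructed list for the demo): the
    # "aruba" index is missing, which is exactly the mistake this catches.
    print("missing indexes:", undefined_indexes(SAMPLE, ["main", "syslog"]))
```

Two practical points fall out of running it. First, the match is on the host field the HF assigns, and with `connection_host = dns` that is the reverse-DNS name of the address the HF sees; if the VIP rewrites the source address, every event will carry the load balancer's name and the regex will never match. Second, the regex is case-sensitive, so a ClearPass node whose PTR record is in upper case stays in the `syslog` index unless the pattern is written as `(?i)aruba`.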

vnguyen46
Contributor

Thank you for sharing the great detailed info.

0 Karma

MikeBertelsen
Communicator

Glad to help as others have helped me. To be clear the values listed aren't the same ones I used. But the syntax is consistent with what I used.

0 Karma

vnguyen46
Contributor

Any updates on this will be very helpful. I have a distributed system as well. Do we need to install the app on both HF and SH and do the same configuration on both instances? Thanks.

0 Karma

Esky73
Builder

I've just installed this on a distributed env - you will also need to install the app on the HFs.

0 Karma