Hello all, I'm hoping that someone with a bit of experience with integrating/installing Splunk apps and the common information model will be able to help me with a problem I'm having.
I need to monitor DNS activity, and store this data in my Splunk enterprise instance in a CIM-compliant format. I've got plenty of experience with driving Splunk, building analytics and reports, dashboards etc, but little in the way of the underlying engineering aspects, data pipeline, formatting etc (though I have built regex-based field extractions in the past). CIM compliance is a requirement in order to integrate another tool that's going to go on top of Splunk.
I'm working under some limitations in what I can do to get the data in. Therefore, I've had the DNS server configured to produce debug logging into a plaintext file, and I've deployed a Universal Forwarder to monitor this file. I've also got the Splunk add-on for DNS installed, as my understanding is this will give me the CIM-compliant field extractions and parsing of the log that I need.
I've got a single-instance Splunk Enterprise v8 server built, and I've been able to verify that the data is coming in (albeit with warnings about missing indexes, that I think will be resolved once I've configured the receiving a bit better). My understanding is that I also need to install the DNS add-on into the indexer, and this is where it gets murky.
I believe that the DNS add-on is superseded by the add-on for Microsoft Windows. I've opted to use the DNS add-on, however, as I saw references in other questions that the new add-on isn't actually CIM compliant. However, the DNS add-on isn't compatible with Splunk 8. Having had a look through the add-ons, I can see the same extractions and content the DNS add-on had in the Microsoft add-on, so I think I can put the Windows add-on onto the indexer, and still get all the DNS information/extractions I need from the DNS add-on installed on the forwarder. However, I can't see the Windows add-on in the Splunk apps store - it's just missing.
I'm aiming now to try a manual install, but this seems a fairly straightforward use case, so I'm asking whether anyone has had experience doing this, and can guide me in the right direction. Is what I'm doing sensible? Will it do what I need it to? And, if I can't get an add-on onto the indexer, can I not just copy the regex from the add-on config files and extract my own fields, with the appropriate CIM names?
Any insight, experience or suggestions would be greatly appreciated. Right now, I'm trying to hack this into working, and I'd be far happier if I knew I was at least heading in the sane direction.
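As an added illustration of what "extract my own fields with the appropriate CIM names" amounts to for a Windows DNS debug log (example code, not from the post and not taken from either Splunk add-on): a Python function that parses one PACKET line and maps it onto CIM Network Resolution field names. The line layout follows Microsoft's documented debug-log field sequence; the sample lines, the server IP (which the log does not record) and the exact CIM field choices are assumptions of this example.

```python
import re
from typing import Optional

# Windows DNS debug-log PACKET line: date time thread PACKET packet-id UDP|TCP
# Snd|Rcv remote-ip xid [R] opcode [flags-hex flags-chars rcode] qtype qname
DNS_DEBUG_RE = re.compile(
    r"^(?P<timestamp>\S+ \S+ [AP]M)\s+(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+"
    r"(?P<packet_id>[0-9A-Fa-f]+)\s+(?P<transport>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+"
    r"(?P<remote_ip>\S+)\s+(?P<xid>[0-9A-Fa-f]+)\s+(?P<is_response>R)?\s*"
    r"(?P<opcode>[A-Z]+)\s+\[(?P<flags_hex>[0-9A-Fa-f]+)\s+(?P<flags>[A-Z ]*?)\s*"
    r"(?P<rcode>[A-Z]+)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)
# Length-prefixed labels as written by the DNS server: (3)www(7)example(3)com(0)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")

def decode_qname(raw: str) -> str:
    """Turn (3)www(7)example(3)com(0) into www.example.com."""
    return ".".join(label for length, label in LABEL_RE.findall(raw) if int(length) > 0)

def to_cim(line: str, server_ip: str) -> Optional[dict]:
    """Map one debug-log line onto CIM Network Resolution field names.
    server_ip is supplied by the caller: the log only records the remote side."""
    m = DNS_DEBUG_RE.match(line)
    if not m:
        return None  # not a PACKET line (header, blank, or wrapped line)
    g = m.groupdict()
    received = g["direction"] == "Rcv"  # Rcv: remote host is the client
    return {
        "message_type": "Response" if g["is_response"] else "Query",
        "src": g["remote_ip"] if received else server_ip,
        "dest": server_ip if received else g["remote_ip"],
        "transport": g["transport"].lower(),
        "transaction_id": g["xid"],
        "query": decode_qname(g["qname"]),
        "record_type": g["qtype"],
        "query_type": "Query" if g["opcode"] == "Q" else g["opcode"],
        "reply_code": g["rcode"],
        "flags": g["flags"].strip(),
    }

# Constructed sample lines (query received from a client, and the reply sent back).
SAMPLE_QUERY = ("10/11/2018 1:31:25 PM 0CD4 PACKET  00000071F5AB8650 UDP Rcv 172.16.1.100    "
                "a2d6   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)")
SAMPLE_RESPONSE = ("10/11/2018 1:31:25 PM 0CD4 PACKET  00000071F5AB8650 UDP Snd 172.16.1.100    "
                   "a2d6 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)")

if __name__ == "__main__":
    for sample in (SAMPLE_QUERY, SAMPLE_RESPONSE):
        print(to_cim(sample, "10.0.0.53"))
```

The named groups are the same ones a props.conf EXTRACT regex would carry, with the CIM names substituted for the group names.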