The Splunk SIEM Provider

The Splunk SIEM Provider manages the relationship between a Splunk Universal Forwarder and the remote Splunk server.

Features

The integration supports these features from the CloudBolt UI:

  • Installation of the Splunk Universal Forwarder
  • Configuration of essential settings for the local Splunk Forwarder

Assumptions

CloudBolt’s Splunk support makes a few assumptions about your Splunk environment. If your environment deviates from these assumptions, Splunk support may not work correctly. These assumptions are:

  • SplunkForwarder should not be installed on your CloudBolt server when you go to create a Splunk SIEM provider.
  • A Splunk Universal Forwarder (≥ v7.0) tarball should be present on your CloudBolt server in /var/ or one of its non-/tmp/ subdirectories, and should be owned by the apache user: chown apache /var/.../splunkforwarder-*.tgz
  • The remote Splunk server (receiver) has at least one receiving port enabled. For more information, you can reference these instructions in the Splunk documentation.
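A small preflight check for the first two assumptions above, added here as an example and not part of CloudBolt's own tooling. It assumes the Splunk tarball follows the usual splunkforwarder-<version>-<build>-<platform>.tgz naming; the file paths in the comments are constructed for illustration.

```shell
#!/bin/sh
# Preflight for a CloudBolt Splunk SIEM provider: verify the forwarder tarball
# sits where CloudBolt expects it and is at least version 7.0.
# Example use: sh preflight.sh /var/opt/splunkforwarder-9.1.2-b6b9c8185839-Linux-x86_64.tgz

# Returns 0 when the path is acceptable: under /var/, in no tmp/ subdirectory,
# and named splunkforwarder-<version>-... .tgz with a major version >= 7.
# This is a pure string check, so it works before the file is even copied over.
tarball_path_ok() {
    p="$1"
    case "$p" in
        */tmp/*) return 1 ;;   # /tmp and /var/tmp style locations are rejected
        /var/*)  ;;            # acceptable prefix
        *)       return 1 ;;
    esac
    f="${p##*/}"               # basename without calling an external tool
    case "$f" in
        splunkforwarder-*.tgz) ;;
        *) return 1 ;;
    esac
    ver=$(printf '%s' "$f" | cut -d- -f2)   # second field, e.g. 9.1.2
    major=${ver%%.*}
    case "$major" in
        ''|*[!0-9]*) return 1 ;;            # non-numeric major version
    esac
    [ "$major" -ge 7 ]
}

# Returns 0 when the file exists and is owned by the expected user (apache by
# default, the account the CloudBolt web server runs as). Needs a real file,
# so it is kept separate from the path check.
tarball_owner_ok() {
    [ -f "$1" ] || return 1
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = "${2:-apache}" ]
}

if [ -n "${1-}" ]; then
    if tarball_path_ok "$1" && tarball_owner_ok "$1"; then
        echo "ok: $1"
    else
        echo "not ok: $1 (check location, name/version, and ownership)"
        exit 1
    fi
fi
```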

Using Splunk with CloudBolt

This section describes how to create a Splunk SIEM provider that can be used to take advantage of CloudBolt–Splunk integration.

Creating a Splunk SIEM Provider in CloudBolt

  1. Navigate to the Security Information and Event Management (SIEM) Providers admin page in the CloudBolt web interface.
  2. Click the Add a SIEM provider button, then click Splunk Universal Forwarder in the resulting dialog.
  3. Fill out the form, then click the Create button to install and configure your Splunk instance and show its detail page.

Configuration Options and Limitations

Within CloudBolt, you can configure the following parameters on the local SplunkForwarder instance:

  1. Local authentication credentials
  2. Hostname:port for the remote indexing and deployment servers
  3. Which of CloudBolt’s logs you want forwarded to the remote Splunk indexer

Splunk (both Enterprise and Light) and the Splunk Universal Forwarder are highly configurable products, and only a subset of the configuration options are accessible from within CloudBolt. This set of options was specifically chosen to both simplify the installation process and support the common denominator CloudBolt–Splunk integration that users will need. If you need to support a complicated Splunk infrastructure, accessing other settings is possible via the Splunk CLI (lives at /var/opt/cloudbolt/splunkforwarder/bin/splunk), or via Splunk’s .conf files.

Finally, because CloudBolt is configured for UTC timezone out of the box, it automatically configures the SplunkForwarder to use UTC upon installation. This setting can be changed in /var/opt/cloudbolt/splunkforwarder/etc/system/local/props.conf.

Deleting a Splunk SIEM Provider in CloudBolt

If you click Delete provider on a Splunk provider’s detail page, the installed SplunkForwarder instance is not deleted; only its association with CloudBolt is removed. To fully remove the SplunkForwarder, run the following commands:

/var/opt/cloudbolt/splunkforwarder/bin/splunk stop
rm -rf /var/opt/cloudbolt/splunkforwarder

Using Splunk with High Availability (HA) Configurations

This section describes how to configure a Splunk SIEM provider with your High Availability (HA) CloudBolt configuration.

The following information only applies if your HA setup includes multiple web servers.

Creating a Splunk SIEM Provider in HA

Note: Admins will need to access each web server directly (e.g. not through your load balancer) to implement the steps discussed below.

The process for creating a Splunk SIEM Provider in HA is, initially, very similar to the standard process. Assuming that you don’t have a Splunk SIEM Provider configured in CloudBolt yet, you’ll need to log in to a single web server and install Splunk using the steps listed above. Once Splunk is installed and configured to your liking, CloudBolt allows you to create mirror installations on your other web servers. To do so, log in to your second web server, navigate to the Splunk SIEM Provider’s detail page, and click the “Install from database” button. Once you point it at the SplunkForwarder tarball on your second web server, an identical Splunk Forwarder will be installed on that server. This process can be repeated for every web server in your HA setup.

Configuration Limitations

Creating mirrored Splunk installations across your HA web servers should be treated as a one-time operation, and updating configuration across mirrored Splunk installations through the CloudBolt UI should be avoided, as this may cause issues with your Splunk providers. The best practice for an HA configuration is to have a single Splunk instance fully configured, treat it as frozen, and then mirror it to other web servers. If, however, you do need to change the configuration of your Splunk instances, the best way to do so after mirroring is to use the Splunk CLI on your server. Some useful commands are listed below:

/var/opt/cloudbolt/splunkforwarder/bin/splunk add forward-server {{hostname}}:{{port}} -auth admin:{{password}}
/var/opt/cloudbolt/splunkforwarder/bin/splunk remove forward-server {{hostname}}:{{port}} -auth admin:{{password}}
/var/opt/cloudbolt/splunkforwarder/bin/splunk set deploy-poll {{hostname}}:{{port}} -auth admin:{{password}}
/var/opt/cloudbolt/splunkforwarder/bin/splunk add monitor /path/to/file.log -auth admin:{{password}}
/var/opt/cloudbolt/splunkforwarder/bin/splunk remove monitor /path/to/file.log -auth admin:{{password}}

Deleting a Splunk SIEM Provider in HA

Deleting a Splunk SIEM Provider is identical to the steps listed above. You’ll need to delete the Splunk instance through one of your web servers (which deletes the database instance), and then run the two bash commands to stop the service and delete the Splunk folder on all of your web servers manually.