Logging With Splunk (SIEM)


Prerequisites and Notice

An existing understanding of Splunk is required in order to proceed with the following steps. Splunk provides extensive training and certifications for deploying and managing Splunk.

Riva does not provide technical support, training, or any customization services for Splunk.

If assistance is required with Splunk, contact Splunk Professional Services or Splunk Technical Support.

Splunk via Universal Forwarder (UF)

Applies to Riva On-Premise, all versions.

The Splunk Universal Forwarder supports monitoring of the file system for log files. The Riva log files can be collected by the UF.

For details on the file system logging and the file name format, see How to manage Riva server logging.

In Riva 2.4.54 or higher, the sync policy can be configured to prevent Personally Identifiable Information (PII) from appearing in Splunk logs.
 

Splunk via HTTP Event Collector (HEC)

Applies to Riva On-Premise 2.4.45 or higher.

Support for Splunk Enterprise and Splunk Cloud.

In Riva 2.4.54 or higher, the sync policy can be configured to prevent Personally Identifiable Information (PII) from appearing in Splunk logs.
 

Prerequisites, Notice, and Procedures

  1. Create the collector's information.
  2. Configure the Splunk Appender.

Create Indexes in Splunk for activities and diagnostics as provided in the screenshots below.

rc-activities.png

rc-diagnostics.png

Step 1: Create the Collector's Information

  1. In Splunk, select Data Inputs.

    Admin-Go-to-Data-inputs.png

  2. Select the HTTP Event Collector handler.

    Admin--select-HTTP-Event-Collector.png

    A list displays all of this instance's collectors. The red flag indicates that tokens are currently disabled.

  3. Select Global Options.

    Admin--select-Global-Options.png

  4. In the Edit Global Settings window, do as follows:

    1. Enable All Tokens.
    2. If you want your communications to use HTTPS, select the Enable SSL check box.
      • Best Practice: HTTPS is always recommended.
    3. Enter the HTTP Port Number that will be used for communications. (Default: 8088.)
       

    Edit-Global-Settings.png

  5. In the HTTP Event Collector window, in the top right corner, select New Token to configure the collector to use.

    Admin--select-New-Token.png

  6. In the Add Data window, in the Name field, enter the collector's name. Optionally enter the Source name. At the top of the window, select Next.

    Admin--Add-data-window.png

  7. Select the indexes that need to be covered by this collector. At the top of the window, select Review.

    Admin--select-Review.png

  8. Review the Collector's info, and select Submit to create the collector.

    Admin--Add-Data--Review-before-submitting.png

    The token value is displayed.

    Admin--Token-has-been-created-successfully.png

    The collector's information is listed in the HTTP Event Collector view.

    Listed.png

Step 2: Configure the Splunk Appender

In the App config, do as follows:

  1. Declare the OmniSplunkAppender and CrmSplunkAppender sections in <Configuration>/<configSections>:

    <configSections>
        <sectionGroup name="splunkAppender">
            <section name="omniSplunkAppender" type="Omni.Logging.Configuration.SplunkAppenderConfigSection, Omni.Logging, Culture=neutral"/>
            <section name="crmSplunkAppender" type="Omni.Logging.Configuration.SplunkAppenderConfigSection, Omni.Logging, Culture=neutral"/>
        </sectionGroup>
    </configSections>

     

  2. In <Configuration>/<configSections>, specify the connectionStrings to be used by each appender.

    <splunkAppender>
        <omniSplunkAppender isEnabled="true" connectionStringName="connection_splunk_diagnostics" />
        <crmSplunkAppender  isEnabled="true" connectionStringName="connection_splunk_activities" />
    </splunkAppender>

     

  3. Create a connection string for the Activity and Diagnostic indexes that were created:

    <add name="connection_splunk_diagnostics" connectionString="Data Source=https://localhost:8088/services/collector/event;Compact=true;UseSmart=false;Token=GET FROM SPLUNK STEP 8;Index=rc-diagnosticsindex;SourceName=default" providerName="Splunk" />

    Example:

    <add name="connection_splunk_activities" connectionString="Data Source=https://localhost:8088/services/collector/event;Compact=true;UseSmart=false;Token=GET FROM SPLUNK STEP 8;Index=rc-activitiesindex;SourceName=default" providerName="Splunk" />

    • Name: The name of the connectionString used in step 2.
    • connectionString: Describes all the collector information needed to communicate.
      • Data Source: [Protocol]://[Host]:[Port]/services/collector/event
        • Protocol: HTTP / HTTPS, depending on the global options of the instance that were specified at step 4 in Administration.
          • Best Practice: HTTPS is always recommended.
        • Host: The host of the Splunk instance. Examples: localhost, 10.10.10.10.
        • Port: The port used by the Splunk services, as specified in step 4 in Administration.
      • Compact: When set to true, removes unnecessary information.
      • UseSmart: When set to true, replaces some of the long event lines with shorter ones.
      • Token: The collector's token, as displayed after step 8 in Administration.
      • Index: The Splunk index that this appender will use.
      • SourceName: The collector's source, as specified in step 4 in Administration. If it was not specified, use the default.
    • providerName: Splunk.
       

    Note: The parameters can be placed in any order.
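
    The following is an added example, not part of Riva or of the original article: a small Python check that reads the connection strings from step 3 and flags a plain-HTTP Data Source, a wrong collector path, or a Token that was never replaced with the GUID that Splunk displays. The <connectionStrings> wrapper (the standard .NET element) and the sample values are assumptions constructed for the example.

```python
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REQUIRED = ("Data Source", "Token", "Index")

# Constructed sample. The <connectionStrings> wrapper is the standard .NET
# element and is assumed here; both token values are placeholders.
SAMPLE = """<connectionStrings>
  <add name="connection_splunk_diagnostics" connectionString="Data Source=http://10.10.10.10:8088/services/collector/event;Compact=true;UseSmart=false;Token=GET FROM SPLUNK STEP 8;Index=rc-diagnosticsindex;SourceName=default" providerName="Splunk" />
  <add name="connection_splunk_activities" connectionString="Index=rc-activitiesindex;Token=00000000-0000-0000-0000-000000000000;Data Source=https://localhost:8088/services/collector/event;SourceName=default" providerName="Splunk" />
</connectionStrings>"""


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict; parameter order is irrelevant."""
    pairs = (item.partition("=") for item in value.split(";") if item.strip())
    return {key.strip(): val.strip() for key, _, val in pairs}


def lint_entry(attrs):
    """Return a list of findings for one <add> element's attributes."""
    findings = []
    if attrs.get("providerName") != "Splunk":
        findings.append("providerName is not Splunk")
    params = parse_connection_string(attrs.get("connectionString", ""))
    findings += [f"missing {key}" for key in REQUIRED if not params.get(key)]
    url = urlsplit(params.get("Data Source", ""))
    if url.scheme.lower() != "https":
        findings.append("Data Source does not use HTTPS")
    if url.path.lower() != "/services/collector/event":
        findings.append("Data Source path is not the event collector endpoint")
    try:
        uuid.UUID(params.get("Token", ""))  # HEC tokens are GUIDs
    except ValueError:
        findings.append("Token is not a GUID (placeholder left in place?)")
    return findings


def lint_config(xml_text):
    """Map each connection string name to its list of findings."""
    root = ET.fromstring(xml_text)
    return {add.get("name"): lint_entry(add.attrib) for add in root.iter("add")}


if __name__ == "__main__":
    for name, findings in lint_config(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```

    The second sample entry lists its parameters in a different order and still passes, matching the note above.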
