By: Jon Walthour | Splunk Consultant

A customer presented me with the following problem recently. He needed to be able to exclude events older than a specified time from being indexed in Splunk. His requirement was more precise than excluding events older than so many days ago. He was also dealing with streaming data coming in through an HTTP Event Collector (HEC). So, his data was not file-based, where an “ignoreOlderThan” setting in an inputs.conf file on a forwarder would solve his problem.

As I thought about his problem, I agreed with him—using “ignoreOlderThan” was not an option. Besides, this would work only based on the modification timestamp of a monitored file, not on the events themselves within that file. The solution to his problem needed to be more granular, more precise.

We needed a way to exclude events from being indexed into Splunk through whatever means they were arriving at the parsing layer (from a universal forwarder, via syslog or HEC) based on a precise definition of a time. This meant that it had to be more exact than a certain number of days ago (as in, for example, the “MAX_DAYS_AGO” setting in props.conf).

To meet his regulatory requirements for retention, my customer needed to be able to exclude, for example, events older than January 1 at midnight and do so with certainty.

As I set about finding (or creating) a solution, I found “INGEST_EVAL,” a setting in transforms.conf. This setting was introduced in version 7.2. It runs an eval expression at index-time on the parsing (indexing) tier in a similar (though not identical) way as a search-time eval expression works. The biggest difference with this new eval statement is that it is run in the indexing pipeline and any new fields created by it become indexed fields rather than search-time fields. These fields are stored in the rawdata journal of the index.

However, what if I could do an “if-then” type of statement in an eval that would change the value of a current field? What if I could evaluate the timestamp of the event, determine if it’s older than a given epoch date and change the queue the event was in from the indexing queue (“indexQueue”) to oblivion (“nullQueue”)?

I found some examples of this in Splunk’s documentation, but none of them worked for this specific use case. I also found that “INGEST_EVAL” is rather limited in what functions it can work with the eval statement. Functions like “relative_time()” and “now()” don’t work. I also found that, at the point in the ingestion pipeline where Splunk runs these INGEST_EVAL statements, fields like “_indextime” aren’t yet defined. This left me with using an older “time()” function. So, when you’re working with this feature in the future, be sure to test your eval expression carefully as not all functions have been fully evaluated in the documentation yet.

Here’s what I came up with:

props.conf

[<sourcetype>]

TRANSFORMS-oldevents=delete-older-than-January-1-2020-midnight-GMT

transforms.conf

[delete-older-than-January-1-2020-midnight-GMT]

INGEST_EVAL = queue=if(substr(tostring(1577836800-_time),1,1)=”-“, “indexQueue”, “nullQueue”)

The key is in the evaluation of the first character of the subtraction in the “queue=” calculation. A negative number yields a “-” for the first character; a positive number a digit. Generally, negative numbers are “younger than” your criteria and positive numbers are “older than” it. You keep the younger events by sending them to the indexQueue (by setting “queue” equal to “indexQueue”) and you chuck older events by sending them to the nullQueue (by setting “queue” equal to “nullQueue”).

Needless to say, my customer was pleased with the solution we provided. It addressed his use case “precisely.” I hope it is helpful for you, too. Happy Splunking!

Have a unique use case you would like our Splunk experts to help you with? Contact us today!

By: Pete Chen | Splunk Practice Team Lead

Splunk can be a powerful tool in cybersecurity, infrastructure monitoring, and forensic investigations. While it’s great to use in the office, after-hour incidents require the ability to have data available immediately. Since most people carry a mobile device, such as a cell phone or a tablet, it’s easy to see how having dashboards and alerts on a mobile device can help bridge the information gap.

Splunk Mobile brings the power of Splunk dashboards to mobile devices, powered by Splunk Cloud Gateway. While Splunk Mobile is installed on a mobile device, Splunk Cloud Gateway feeds the mobile app from Splunk Enterprise. Between the two applications is Splunk’s AWS-hosted Cloud Bridge. Traffic between Splunk Enterprise and the mobile device is protected by TLS 1.2 encryption.

Architecture from Splunk

Splunk Cloud Gateway

Splunk Cloud Gateway is a standard app found on Splunkbase (link above). It can be installed through the User Interface (UI), or by unpacking the file to <SPLUNK_HOME>/etc/apps/. When installed through the UI, Splunk will prompt for a restart once installation is complete. Otherwise, restart Splunk once the installation package has been unpacked into the Apps folder.

After restart, Splunk Cloud Gateway will appear as an app on Splunk Web. Browse to the app, and these are the pages available in the app:

The first page allows for devices to be manually registered. When Splunk Mobile is opened for the first time (or on a device not registered to another Splunk Cloud Gateway instance), an activation code will appear at the center of the display. That code can be used to register the device on Splunk. The “Device Name” field can be any value, used to identify that particular device. It’s helpful to identify the main user of the device and the type of device.

Skipping over Devices until a device is registered, and putting aside Splunk > AR for another time, the next important section is the “Configure” tab. At the top of the page, all the deployment configurations are listed. The Cloud Gateway ID can be modified through a configuration file to better reflect the environment. A configuration file can be downloaded for a Mobile Device Manager (MDM). This is also where the various products associated with Splunk Connected Experiences can be enabled.

In the Application section, look for Splunk Mobile. Under the Action column, click on Enable. This must be done before a device can be registered.

The App Selection Tab is where apps can be selected, based on each user’s preference, to determine which dashboards are visible through Splunk Mobile. When no apps are selected, all available dashboards are displayed. Select the apps desired by clicking them from the left panel, and they will appear on the right panel. Be sure to click save to commit the changes.

A couple of things to point out in this section.

• Again, if an app is not selected, all available dashboards to the user will appear on Splunk Mobile.
• Management of apps is based on the user, not centrally managed. During the registration of a device, a user must log in to authenticate. The apps selected in this page will be the same for all devices registered under this user.
• Even if apps are specified, all dashboards set with global permissions will still be visible to the user.
• To eliminate all dashboards and control what is viewable requires setting all dashboards to app-only permissions, and creating a generic app without dashboards. When this app is selected, and after all dashboards are converted to app-only permissions, no dashboards will appear.

The final tab is the dashboard for Splunk Cloud Gateway. This dashboard shows the status of the app, and provides metrics of usage. The top three panels may be the most important when first installing Cloud Gateway. If the service doesn’t seem to be working correctly, these three panels will help in troubleshooting the service.

Splunk Mobile

Installing Splunk Mobile on a mobile device is as simple as going to the app store, and having the device set up the app. Once the app is ready, launching the app will bring up a registration page. On this page, there is a code needed to register the device with Splunk Cloud Gateway. Below is a secondary code. This is used to verify with Cloud Gateway, making sure the device is registered with the correct encryption key.

With the code above, return to Splunk Cloud Gateway, and register the device. Type in the activation code from Splunk Mobile. Enter in a device name, as explained above. Click on “Register” to continue.

Validate the confirmation code displayed in the UI with the code displayed on the device. If the codes don’t match, stop the registration process. If the codes do match, enter credentials for Splunk, and click “Continue”.

At this point, the device is registered with Splunk Cloud Gateway. Validate the device name in the Registered Devices page. Make sure the Device Type, and the Owner matches the device and user. If necessary, “Remove” is available to remove a device from Cloud Gateway.

From a mobile perspective, the initial page displayed is the list of potential alerts.

At the bottom of the screen, tap on “Dashboards” to see the list of dashboards available to the mobile device. Without any additional configuration, all available Splunk dashboards should appear in the list. Click on any dashboard.

As an example, when the Cloud Gateway Status Dashboard is selected, the dashboard opens and allows for a time-selector at the top of the page. The panels available from the UI are displayed in a single column on the mobile device.

Points to Consider

Now that Splunk Mobile and Splunk Cloud Gateway are configured, and ready to be used, here are some points to consider in an Enterprise deployment.

• When installing on a search head cluster, Splunk Cloud Gateway must be installed on the cluster captain. The captain runs some of the scripts necessary to connect Cloud Gateway to the Spacebridge.
• All dashboards set with global permissions will appear. To limit visibility, set dashboard permissions to app-only or private.
• During device registration, the credentials used will determine the dashboards and alerts available to the device. Configuration is user-based, not centrally controlled.
• Trellis is not a supported feature of Splunk Mobile. Dashboards with panels using trellis will need to be reconfigured.
• Panel sizing and scaling is not adjustable at this time. Some dashboard re-design may be necessary to tell the best story.
• Pay special attention to how long dashboards take to load. From a mobile perspective, dashboards will need to load faster for the mobile user.

Want to learn more about Splunk Mobile and Splunk Cloud Gateway? Contact us today!

By: Pete Chen | Splunk Team Lead

Overview

Splunk installation is complete. Forwarders are sending data to the indexers, search heads successfully searching the indexers. The next major step is to add central authentication to Splunk. Simply put, you log into your computer, your email, and your corporate assets with a username and password. Add Splunk to the list of tools available to you with those credentials. This also saves the time and hassle of creating user profiles for everyone who needs access to Splunk. Before embarking on this step, it’s important to develop a strategy for permissions and rights. This should answer the question, “who has access to what information?”

LDAP Basics

LDAP stands for Lightweight Directory Access Protocol. The most popular LDAP used by businesses is Microsoft’s Active Directory. The first step in working with LDAP is to determine the “base DN”. This is the name of the domain. Let’s use the domain “splunkrocks.local” as an example. In LDAP terms, it can be expressed as dc=splunkrocks,dc=local. Inside of the DN are the organizational units, OU’s. So an example of an organizational unit expressed is ou=users,dc=splunkrocks,dc=local.

Most technical services require some sort of authentication to access the information they provide. The credentials (username and password) needed to access the LDAP server is called the “BindDN”. When a connection is requested, the AD server will require a user with enough permissions to allow user and group information to be shared. In most business environments, the group managing Splunk will not be the same group managing the LDAP server. It’s best to ask for an LDAP administrator to type in the credentials during the setup process. The LDAP password is masked while it’s being typed and is hashed in the configuration file.

Keep in mind that connecting Splunk to the LDAP server doesn’t complete the task. It’s necessary to map LDAP groups to Splunk roles afterward.

Terms

LDAP: Lightweight Directory Access Protocol

AD: Active Directory

DN: Distinguished Name

DC: Domain Component

CN: Common Name

OU: Organizational Unit

SN: Surname

Sample Directory Structure

Using our sample domain, Splunkrocks Local Domain (splunkrocks.local), let’s assume an organizational unit for Splunk is created called “splunk”. Inside this OU, there are two sub-organizational units, one for users, one for groups. In Splunk terms, these are users and roles.

Connecting Splunk to LDAP

From the main menu, go to Settings, and select Access Control.

Select Authentication Method

Select LDAP under External Authentication. Then click on Configure Splunk to use LDAP

In the LDAP Strategies page, there should not be any entries listed. At the top right corner of the page, click on New LDAP to add the Splunkrocks AD server as an LDAP source. Give the new LDAP connection a name.

The first section to configure is the LDAP Connection Settings. This section defines the LDAP server, the connection port, whether the connection is secure, and a user with permission to bind the Splunk server to the LDAP server.

The second section determines how Splunk finds the users within the AD server.

–        User base DN: Provide the path where Splunk can find the users in on the AD server.

–        User base filter: This can help reduce the number of users brought back into Splunk.

–        User name attribute: This is the attribute within the AD Server which contains the username. In most AD servers, this is “sAMAccountName”.

–        Real name attribute: This is the human-readable name. This is where “Ben Baker” is displayed” instead of “ben.baker”. In most AD servers, this is the “cn”, or Common Name.

–        Email attribute: this is the attribute in AD which contains the user’s email.

–        Group mapping attribute: If the LDAP server uses a group identifier for the users, this will be needed. It’s not required if distinguished names are used in the LDAP groups.

The second section determines how Splunk finds the groups within the AD server.

–        Group base DN: Provide the path where Splunk can find the groups in on the AD server.

–        Static group search filter: search filter to retrieve static groups.

–        Group name attribute: This is the attribute within the AD server which contains the group names. In most AD servers, this is simply “cn”, or Common Name.

–        Static member attribute: The group attribute with the group’s members contained. This is usually “member”.

The rest can be left blank for now. Click Save to continue. If all the settings are entered properly, the connection will be successful. A restart of Splunk will be necessary to enable the newly configured authentication method.  Remember, adding LDAP authentication is the first part of the process. To complete the setup, it’s also necessary to map Splunk roles to LDAP groups. Using the access and rights strategy mentioned above, create the necessary Splunk roles and LDAP groups. Then map the roles to the groups, and assign the necessary group or groups to each user. Developing this strategy and customizing roles is something we can help you do, based on your needs and best practices.

Want to learn more about connecting Splunk to LDAP? Contact us today!