Integration steps (Splunk)

This chapter describes how to integrate Kaspersky CyberTrace with Splunk.

About the integration schemes

Kaspersky CyberTrace can be integrated with Splunk in two integration schemes:

• Single-instance integration scheme

  In the single-instance integration scheme, Feed Service and the Splunk instance are configured to work on the same computer or on different computers.

• Distributed integration scheme

  In the distributed integration scheme, you install Feed Service, Search Head App, and Forwarder App in your distributed Splunk environment, and configure the service and the apps to interact with each other.

How to integrate Kaspersky CyberTrace with Splunk in the single-instance integration mode

To integrate Kaspersky CyberTrace with Splunk in the single-instance integration mode:

• Make sure that you have installed Kaspersky CyberTrace.

  In the single-instance integration scheme, Kaspersky CyberTrace and the Splunk instance are installed on the same computer or on different computers. By default, Kaspersky CyberTrace App for Splunk is configured to be installed on the same computer with Kaspersky CyberTrace. However, we recommend that you install Kaspersky CyberTrace on a separate computer; in this case, Feed Service must be configured during the installation and Kaspersky CyberTrace App for Splunk must be configured in step 2 (below).

• Step 1. Install Kaspersky CyberTrace App for Splunk.
• Step 2 (optional). Configure Kaspersky CyberTrace App for Splunk.

  This step is optional. If you skip this step, Kaspersky CyberTrace App for Splunk will use the default configuration. Email alerts will not be sent in this case.

  By default, Kaspersky CyberTrace App for Splunk uses port 9999 to send events to Kaspersky CyberTrace and port 9998 to receive events from Kaspersky CyberTrace. If these ports are used by another application, you must configure either Kaspersky CyberTrace App for Splunk or the other application to use different ports.

• Step 3 (optional). Configure the lookup script.

  This step is optional. If you skip this step, the lookup script will use the default configuration.

• Step 4. Perform the verification test.

  Please make sure you perform the verification test before editing any matching process settings.

How to integrate with Splunk in the distributed integration mode

To integrate Kaspersky CyberTrace with Splunk in the distributed integration mode:

• Make sure that you have installed Kaspersky CyberTrace.

  In the distributed deployment scheme, you can install Kaspersky CyberTrace on one of the computers that has Forwarder or Indexer already installed, or on a separate computer.

  In the distributed deployment scheme, you must configure Feed Service during the installation to receive events from other Splunk entities, such as forwarders and indexers, and send its own events to the indexer that stores the index used by Kaspersky CyberTrace App for Splunk.

• Step 1. Install Forwarder App and Search Head App.
• Step 2. Configure Forwarder App and Search Head App so that they can interact with each other and forward events to Kaspersky CyberTrace.
• Step 3 (optional). Configure the lookup script.

  This step is optional. If you skip this step, the lookup script will use the default configuration.

• Step 4. Perform the verification test.

  Please make sure you perform the verification test before editing any matching process settings.

Page top