Step 1. Installing Forwarder and Search Head apps

In the distributed deployment scheme, you must install Forwarder App and Search Head App on the basis of the organization of your distributed Splunk environment. For more information about how to choose the computers where the apps must be installed, see the section about the distributed integration scheme.

Forwarder App is installed from the following files:

Search Head App is installed from the %service_dir%/integration/splunk/Kaspersky-CyberTrace-App-for-Splunk_Search-Head.tar.gz file.

Installing the apps

Forwarder App for Heavy Forwarder and Search Head App are installed from Splunk Web. The only difference in the installation process is the application file name.

Forwarder App for Universal Forwarder is installed directly on the host, since Splunk Universal Forwarder has no Splunk Web interface.

To install Forwarder App for Heavy Forwarder or Search Head App:

  1. Open Splunk Web for the Splunk instance where you want to install the app.
  2. In Splunk Web, go to the home page.
  3. On the home page, click the Manage Apps button.

    Manage Apps button

  4. On the Apps page, click the Install app from file button.

    Install app from file button

  5. In the Upload an app window, click Choose File and select the application file mentioned above in this section.

    Upload an app (Choose File)

    Choose File button

  6. In the Upload an app window, click the Upload button.

    Upload an app (Upload) [Search Head]

    Upload button

  7. In the Restart required window, click the Restart Splunk button.

    Depending on the Splunk version, this window may not appear. If Splunk does not display the Restart required window, skip this step.

    Restart Splunk button

  8. When Splunk starts again, the Forwarder App will be displayed in the list of installed apps. When Kaspersky Search Head App is installed, the Apps page will open with information about the successful installation of Kaspersky Search Head App. Kaspersky Search Head App will appear in the list of apps on the Splunk home page.

    Kaspersky Search Head App for Splunk in the list of apps

To install Forwarder App for Universal Forwarder:

  1. Unpack the Kaspersky-CyberTrace-App-for-Splunk_Universal-Forwarder.tar package and place the resulting files into the Splunk_TA_Kaspersky-CyberTrace-App-for-Splunk-Universal-Forwarder folder in the %SPLUNK_HOME%/etc/apps directory on your forwarder (%SPLUNK_HOME% is the Splunk installation directory).

    Make sure that the %SPLUNK_HOME%/etc/apps/Splunk_TA_Kaspersky-CyberTrace-App-for-Splunk-Universal-Forwarder directory contains default, metadata, and static directories, and the README.txt file.

  2. Copy %SPLUNK_HOME%/etc/apps/SplunkUniversalForwarder/default/inputs.conf to %SPLUNK_HOME%/etc/system/local/inputs.conf and, in both stanzas where the _TCP_ROUTING attribute occurs, set its value to the name of the active indexer group.

    If the file %SPLUNK_HOME%/etc/system/local/inputs.conf already exists, merge these settings into it manually instead of overwriting it.

    By default, the name of this group is default-autolb-group. You can find the actual name of the indexer group in the %SPLUNK_HOME%/etc/system/local/outputs.conf file. With the default inputs.conf settings, the Splunk Universal Forwarder internal logs are forwarded to all configured outputs, including Kaspersky CyberTrace. The steps above restrict forwarding of the Splunk internal logs to the indexers only.

    An example of the %SPLUNK_HOME%/etc/system/local/inputs.conf file content is as follows:

    [monitor://%SPLUNK_HOME%/var/log/splunk/splunkd.log]
    _TCP_ROUTING = default-autolb-group
    index = _internal

    [monitor://%SPLUNK_HOME%/var/log/splunk/metrics.log]
    _TCP_ROUTING = default-autolb-group
    index = _internal

  3. Restart Splunk on Universal Forwarder:

    %SPLUNK_HOME%/bin/splunk restart

  4. Copy all lines from the props.conf file on the Forwarder (%SPLUNK_HOME%/etc/apps/Splunk_TA_Kaspersky-CyberTrace-App-for-Splunk-Universal-Forwarder/default/props.conf) to the props.conf file on the Indexer (%SPLUNK_HOME%/etc/system/local/props.conf).

    If the file does not exist, create a new one.

    This step is necessary because Universal Forwarder does not parse events, so the parsing settings in props.conf have no effect on Universal Forwarder. Instead, the events are parsed on the Indexer.

  5. Restart Splunk on Indexer:

    %SPLUNK_HOME%/bin/splunk restart
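The two places where the Universal Forwarder procedure most often goes wrong are an incomplete app directory (step 1) and a _TCP_ROUTING value that does not match any tcpout group in outputs.conf (step 2); in the second case the forwarder silently drops the routed events. The following POSIX shell script is an added example, not part of the Kaspersky CyberTrace documentation or the app itself. It verifies both conditions against constructed sample files written to a temporary directory; the host names in the sample outputs.conf are placeholders, and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not part of the Kaspersky CyberTrace documentation.
# Checks two things the procedure above relies on:
#   1. the unpacked app directory has default/, metadata/, static/ and README.txt;
#   2. every _TCP_ROUTING value in inputs.conf names a tcpout group defined in outputs.conf.
# All file contents below are constructed for the demonstration; host names are placeholders.

# Print the tcpout group names defined in an outputs.conf file, one per line.
tcpout_groups() {
  sed -n 's/^\[tcpout:\([^]]*\)\].*/\1/p' "$1"
}

# Print the distinct group names referenced by _TCP_ROUTING in an inputs.conf file.
# A value may be a comma-separated list, so it is split and trimmed first.
tcp_routing_values() {
  sed -n 's/^_TCP_ROUTING[[:space:]]*=[[:space:]]*//p' "$1" \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -v '^$' \
    | sort -u
}

# Return 0 when every _TCP_ROUTING group in $1 (inputs.conf) exists as a
# [tcpout:<group>] stanza in $2 (outputs.conf); report each unknown group otherwise.
check_routing() {
  inputs="$1"; outputs="$2"; rc=0
  groups=$(tcpout_groups "$outputs")
  for g in $(tcp_routing_values "$inputs"); do
    if ! printf '%s\n' "$groups" | grep -qx -- "$g"; then
      echo "$inputs: _TCP_ROUTING group '$g' is not defined in $outputs" >&2
      rc=1
    fi
  done
  return $rc
}

# Return 0 when the app directory $1 contains default/, metadata/, static/ and README.txt.
check_app_dir() {
  dir="$1"; rc=0
  for d in default metadata static; do
    [ -d "$dir/$d" ] || { echo "$dir: missing directory $d" >&2; rc=1; }
  done
  [ -f "$dir/README.txt" ] || { echo "$dir: missing README.txt" >&2; rc=1; }
  return $rc
}

# --- constructed sample files (stand in for %SPLUNK_HOME%/etc on a forwarder) ---
DEMO_DIR=$(mktemp -d)
APP_DIR="$DEMO_DIR/etc/apps/Splunk_TA_Kaspersky-CyberTrace-App-for-Splunk-Universal-Forwarder"
mkdir -p "$APP_DIR/default" "$APP_DIR/metadata" "$APP_DIR/static"
: > "$APP_DIR/README.txt"

# outputs.conf with the indexer group and a second group for CyberTrace (placeholder hosts).
cat > "$DEMO_DIR/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = default-autolb-group, cybertrace-group

[tcpout:default-autolb-group]
server = indexer1.example.invalid:9997, indexer2.example.invalid:9997

[tcpout:cybertrace-group]
server = cybertrace.example.invalid:9999
EOF

# inputs.conf edited as in step 2: both stanzas route only to the indexer group.
cat > "$DEMO_DIR/inputs_ok.conf" <<'EOF'
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = default-autolb-group
index = _internal

[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
_TCP_ROUTING = default-autolb-group
index = _internal
EOF

# inputs.conf with a typo in the second stanza: that group does not exist in outputs.conf.
cat > "$DEMO_DIR/inputs_bad.conf" <<'EOF'
[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
_TCP_ROUTING = default-autolb-group
index = _internal

[monitor://$SPLUNK_HOME/var/log/splunk/metrics.log]
_TCP_ROUTING = default-autolb-grp
index = _internal
EOF

check_app_dir "$APP_DIR" && echo "app directory layout: OK"
check_routing "$DEMO_DIR/inputs_ok.conf"  "$DEMO_DIR/outputs.conf" && echo "inputs_ok.conf: routing OK"
check_routing "$DEMO_DIR/inputs_bad.conf" "$DEMO_DIR/outputs.conf" || echo "inputs_bad.conf: mismatch detected"
```

To run the checks against a real forwarder, point check_app_dir at %SPLUNK_HOME%/etc/apps/Splunk_TA_Kaspersky-CyberTrace-App-for-Splunk-Universal-Forwarder and check_routing at %SPLUNK_HOME%/etc/system/local/inputs.conf and outputs.conf before restarting Splunk in step 3; a non-zero exit from either function means the configuration still needs attention.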
