In the distributed deployment scheme, you must configure Forwarder App according to how your distributed Splunk environment is organized. For example, the configuration changes may include changing the Feed Service address used by the apps, or adding new event sources for Forwarder App. For Search Head App, you may have to configure the email addresses for alerts.
Configuration actions for Forwarder App and Search Head App
For Forwarder App, you may have to do the following:
:9998. For all other Forwarder Apps, disable this rule by specifying true in the disabled parameter for this rule in the Forwarder App configuration file. The IP address and port of the Forwarder App that will receive events from Kaspersky CyberTrace must be specified in the OutputSettings > ConnectionString parameter in the Feed Service configuration file.
For Search Head App, you may have to do the following:
Restart Splunk and Feed Service after you make changes to the configuration files.
Edit only those Forwarder App and Search Head App configuration files that are described in this section. Editing other configuration files may result in unpredictable behavior.
Configuration files (distributed deployment)
The following table summarizes configuration files used by Forwarder App and Search Head App in the following distributed deployment scheme variants:
Configuration files of Forwarder App and Search Head App

Application | Configuration file | Default rules
---|---|---
Forwarder App | | Receives data from sources at port; receives events from Kaspersky CyberTrace at
Forwarder App | | Forwards data to
Forwarder App | | Parse data received at
Search Head App | | Rules for the lookup script. For more information, see section "Step 3 (optional). Configuring the lookup script".
Search Head App | | Rules for alert templates.
Default data parsing rules
The way in which Forwarder App parses incoming data is defined in the props.conf file. By default, Forwarder App does the following:
For example, if the incoming data has the sequence "%data_1%\n\n%data_2%" and the line breaker is one or more \n symbols, Splunk splits this sequence into two events (%data_1% and %data_2%).
The following are the default rules used by Forwarder App to parse incoming data.
```ini
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = ([\n]+)
SHOULD_LINEMERGE = false
```
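To show what these five default rules do to a real stream (event splitting on LINE_BREAKER with SHOULD_LINEMERGE = false, and the timestamp search limited by TIME_PREFIX = ^ and MAX_TIMESTAMP_LOOKAHEAD = 17), here is an added Python model of them; it is not code from Splunk or from the Kaspersky CyberTrace app, and the sample events and the timestamp regex are constructed assumptions.

```python
import re
from datetime import datetime

# Default Forwarder App props.conf values quoted on this page.
LINE_BREAKER = re.compile(r"[\n]+")
TIME_FORMAT = "%b %d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 17
# Hypothetical regex for the fields TIME_FORMAT expects (month, day, time).
TIMESTAMP_RE = re.compile(r"[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}")

def split_events(data: str) -> list:
    """SHOULD_LINEMERGE = false: each LINE_BREAKER match starts a new event,
    so "%data_1%\\n\\n%data_2%" becomes two events and no empty event."""
    return [e for e in LINE_BREAKER.split(data) if e]

def extract_timestamp(event: str, year: int):
    """TIME_PREFIX = ^ anchors the timestamp to the start of the event and
    MAX_TIMESTAMP_LOOKAHEAD = 17 limits the scan to the first 17 characters.
    Returns a datetime, or None when the defaults would find no timestamp
    (the year is supplied because TIME_FORMAT carries none)."""
    match = TIMESTAMP_RE.match(event[:MAX_TIMESTAMP_LOOKAHEAD])
    if match is None:
        return None
    return datetime.strptime(f"{year} {match.group(0)}", "%Y " + TIME_FORMAT)

# Constructed sample stream: two events separated by a double newline, and
# one event whose timestamp is not at the start of the line.
SAMPLE = (
    "Jan 15 10:22:33 sensor1 connection to 203.0.113.7 observed\n\n"
    "Jan 15 10:22:34 sensor1 dns lookup example.test\n"
    "host=sensor2 Jan 15 10:22:35 timestamp not at line start\n"
)

def parse_stream(data: str, year: int = 2024) -> list:
    """Apply the default rules to a stream: (timestamp or None, raw event)."""
    return [(extract_timestamp(e, year), e) for e in split_events(data)]

if __name__ == "__main__":
    for ts, raw in parse_stream(SAMPLE):
        print(ts, "|", raw)
```

The third sample event gets no timestamp under the defaults, which is the case to watch for when a new event source does not start its lines with a %b %d %H:%M:%S stamp.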
Changing the address and port for forwarding data to Feed Service
By default, Forwarder App is configured to forward data to Feed Service at 127.0.0.1:9999.
To change the address and port for forwarding data to Feed Service, in the outputs.conf configuration file, in the [tcpout:service9999] section, specify the new address and port of Feed Service in the server parameter.
In the following example, 192.0.2.100:9999 is specified as the Feed Service address.
```ini
[tcpout:service9999]
disabled=false
server = 192.0.2.100:9999
sendCookedData = false
```
Adding new event sources
To add new event sources, edit the inputs.conf and props.conf configuration files of the app.
To add a new event source:
service9999 TCP routing rule. All data from this input will be forwarded to Feed Service.
Make sure that data from the new event source matches the Feed Service regular expressions defined in the Feed Service configuration file.
Below is an example of adding the address :3001 as the event source; it specifies that data from the address :3001 must be processed in the same way as other input data in the default integration scheme (in this scheme, the forwarder, indexer, and search head are installed on a single computer).
```ini
# to inputs.conf
[tcp://:3001]
_TCP_ROUTING = service9999
```

```ini
# to props.conf
[source::tcp:3001]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = ([\n]+)
SHOULD_LINEMERGE = false
```
If Splunk Forwarder is already configured to receive events from different event sources and you want to send those events to Feed Service, perform the following procedure. This can be done if the server field of the outputs.conf configuration file of Forwarder App contains the IP address and port that are specified in the InputSettings > ConnectionString element of the Feed Service configuration file.
To forward events to Feed Service:
%SPLUNK_DIR%/etc/system/local/inputs.conf file), in the defaultGroup field, add a comma and the string service9999. In this case, check the event forwarding logic and make sure that events that arrived from Feed Service are not sent again to Feed Service by Splunk.
If the inputs.conf configuration file contains the _TCP_ROUTING parameter for those event sources whose events are sent to Feed Service, add a comma and the service9999 string to the _TCP_ROUTING parameter.
Configuring Forwarder App to send events to indexes
By default, events that are sent from Forwarder App to Feed Service are not registered in the indexes. You can change this behavior by configuring Forwarder App.
To configure Forwarder App to send events to the main index:
%SPLUNK_HOME%\etc\system\local\outputs.conf file, locate the name of the target group that is used for sending events to the Indexer (or multiple Indexers). Here %SPLUNK_HOME% is the Splunk installation directory. By default, the name of this group is default-autogroup-lb:
```ini
[tcpout:default-autogroup-lb]
```
inputs.conf file used by the Forwarder App, locate the section with the service9999 TCP routing rule:
```ini
_TCP_ROUTING = service9999
```
For example, if the name of the target group is default-autogroup-lb, the rule must be changed in the following way:
```ini
_TCP_ROUTING=service9999, default-autogroup-lb
```
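After following the procedures above (adding event sources, routing existing inputs to Feed Service, and adding the indexer group to the routing rule), a practitioner will want to confirm that inputs.conf, outputs.conf and props.conf still agree with each other. The following Python checker is an added example, not code from Kaspersky CyberTrace or Splunk: it parses constructed fragments of the three files and flags a missing or disabled [tcpout:service9999] group, an input routed to service9999 without a [source::tcp:PORT] parsing stanza, and the loop this page warns about, where the port that receives events back from Kaspersky CyberTrace is itself routed to Feed Service. Port 9998 for incoming CyberTrace events is taken from the ":9998" fragment above and is an assumption, as are all file contents.

```python
import configparser

FEED_SERVICE_GROUP = "service9999"      # tcpout group name used on this page
CYBERTRACE_INPUT_PORT = "9998"          # assumed: port receiving events from CyberTrace

def load_conf(text: str) -> configparser.ConfigParser:
    """Parse a Splunk .conf fragment (INI-style stanzas, case-sensitive keys)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def routing_groups(stanza) -> list:
    return [g.strip() for g in stanza.get("_TCP_ROUTING", "").split(",") if g.strip()]

def check_forwarder(inputs_text: str, outputs_text: str, props_text: str) -> list:
    """Return findings; an empty list means the three files agree. A port that
    receives events from CyberTrace and is routed to service9999 is a loop."""
    inputs, outputs, props = (load_conf(t) for t in (inputs_text, outputs_text, props_text))
    findings = []
    group = f"tcpout:{FEED_SERVICE_GROUP}"
    if group not in outputs or outputs[group].getboolean("disabled", fallback=False):
        findings.append(f"[{group}] missing or disabled in outputs.conf")
    for name in inputs.sections():
        if not name.startswith("tcp://"):
            continue
        port = name.rsplit(":", 1)[1]
        groups = routing_groups(inputs[name])
        if FEED_SERVICE_GROUP not in groups:
            continue
        if port == CYBERTRACE_INPUT_PORT:
            findings.append(f"[{name}] routes CyberTrace events back to Feed Service (loop)")
        if f"source::tcp:{port}" not in props:
            findings.append(f"[{name}] has no [source::tcp:{port}] parsing stanza in props.conf")
    return findings

# Constructed sample files modelled on the stanzas shown on this page.
INPUTS_OK = """[tcp://:9998]
# events coming back from Kaspersky CyberTrace: no _TCP_ROUTING to service9999
[tcp://:3001]
_TCP_ROUTING = service9999, default-autogroup-lb
"""
INPUTS_LOOP = INPUTS_OK.replace("[tcp://:9998]\n", "[tcp://:9998]\n_TCP_ROUTING = service9999\n")
OUTPUTS = """[tcpout:service9999]
disabled = false
server = 192.0.2.100:9999
"""
PROPS = """[source::tcp:3001]
TIME_PREFIX = ^
"""
```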
Adding email addresses to alert templates
Kaspersky CyberTrace App comes with several alert templates that you can use and customize from the Alerts dashboard.
The following alert templates are available:
This alert is triggered if there were matches with Kaspersky Threat Data Feeds in the past 24 hours.
This alert is triggered if there were no matches with Kaspersky Threat Data Feeds in the past 24 hours.
This alert is triggered if there were 5000 matches with Kaspersky Threat Data Feeds in the course of one minute.
This alert is triggered if Feed Service is unavailable.
This alert is triggered when Feed Service is started.
The following are the default Kaspersky CyberTrace App settings:
To turn them off, use the Alerts dashboard.
The "Send email" action is defined for all alerts. Splunk will send an email message to the email address specified for the action.
"Send email" action. If you want to test the alert templates, add a valid email address to each alert.
You can either use the Splunk program interface to edit alerts or edit the savedsearches.conf file of Search Head App.
To add an email address to an alert template:
action.email.to parameter for the alert template. In the following example, the email address user@example.com is added to an alert template.
```ini
#...
action.email.to = user@example.com
#...
```