Step 2. Configuring Forwarder and Search Head apps (distributed deployment)

April 11, 2024

ID 167080

In the distributed deployment scheme, you must configure Forwarder App on the basis of the organization of your distributed Splunk environment. For example, the configuration changes may include changing the Kaspersky CyberTrace Service address used by the apps, or adding new event sources for Forwarder App. For Search Head App, you may have to configure the email addresses for alerts.

Configuration actions for Forwarder App and Search Head App

For Forwarder App, you may have to do the following:

  • Change the address and port for forwarding events to Kaspersky CyberTrace Service. See subsection "Changing the address and port for forwarding data to Kaspersky CyberTrace Service" below.
  • Configure Forwarder App to send events to one or more Indexers. By default, events that are sent from Forwarder App to Kaspersky CyberTrace Service are not registered in the indexes. See subsection "Configuring Forwarder App to send events to indexes" below.
  • If several Forwarder Apps are used, only one Forwarder App must receive events from Kaspersky CyberTrace at port 9998. For all other Forwarder Apps, disable this rule by specifying true in the disabled parameter for this rule in the Forwarder App configuration file. The IP address and port of the Forwarder App that will receive events from Kaspersky CyberTrace must be specified on the Settings > Service tab in Kaspersky CyberTrace Web.
  • Add new event sources. See subsection "Adding new event sources" below.

For Search Head App, you may have to do the following:

  • Configure alert templates, including the email addresses used for alerts. See subsection "Configuring alert templates" below.

Restart Splunk after you make changes to the configuration files.

Edit only those Forwarder App and Search Head App configuration files that are described in this section. Editing other configuration files may result in unpredictable behavior.

Configuration files (distributed deployment)

The following table summarizes configuration files used by Forwarder App and Search Head App in the following distributed deployment scheme variants:

  • One indexer, multiple forwarders
  • Multiple indexers, multiple forwarders

    Configuration files of Forwarder App and Search Head App

    Application     | Configuration file          | Default rules
    ----------------|-----------------------------|--------------------------------------------------------------
    Forwarder App   | \default\inputs.conf        | Receives data from sources at port 3000 and forwards it as configured in outputs.conf. Receives events from Kaspersky CyberTrace at port 9998.
    Forwarder App   | \default\outputs.conf       | Forwards data to 127.0.0.1:9999 (Kaspersky CyberTrace Service address).
    Forwarder App   | \default\props.conf         | Parses data received at :3000 and :9998. For a description of the default data parsing rules, see subsection "Default data parsing rules" below.
    Search Head App | \default\savedsearches.conf | Rules for alert templates.

Default data parsing rules

The way in which Splunk parses incoming data is defined in the props.conf file. By default, it does the following:

  • Defines how time stamps are extracted from incoming data.
  • Defines a delimiter (line breaker) between events for incoming data.

    For example, if the incoming data has the sequence "%data_1%\n\n%data_2%" and the line breaker is one or more \n symbols, Splunk splits this sequence into two events (%data_1% and %data_2%).

The following are the default rules used by Forwarder App to parse incoming data.

TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = ([\n]+)
SHOULD_LINEMERGE = false

Universal Forwarder cannot parse events, so the parsing settings from props.conf do not take effect on a Universal Forwarder. In this case, events are parsed on the Indexer instead. See Step 1. Installing Forwarder and Search Head apps.
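The following script is an added illustration, not part of the Kaspersky documentation or of Forwarder App: it reimplements the five default props.conf rules above in Python and runs them over a constructed payload, so you can see what LINE_BREAKER, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT actually do to raw input. The sample syslog-style lines, the host names and the year passed to the parser are all made up for the example (TIME_FORMAT carries no year; Splunk takes the current one, here it is a parameter). The script is a model of the documented behavior, not Splunk's own timestamp engine.

```python
import re
from datetime import datetime

# The default Forwarder App props.conf settings as given on the page.
TIME_PREFIX = r"^"
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = "%b %d %H:%M:%S"
LINE_BREAKER = r"([\n]+)"        # SHOULD_LINEMERGE = false: every piece is its own event

# Shape of a TIME_FORMAT timestamp, e.g. "Apr 11 10:20:30" (syslog pads the day with a space).
_TS_SHAPE = re.compile(r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}")

# Constructed sample payload: two normal syslog-style lines separated by a run of
# newlines, one line with no timestamp, and one line whose timestamp begins
# beyond the 17-character lookahead window.
SAMPLE_PAYLOAD = (
    "Apr 11 10:20:30 host1 sshd[123]: Accepted publickey for alice from 192.0.2.10\n"
    "\n\n"
    "Apr 11 10:20:31 host1 squid: GET http://example.test/index.html\n"
    "no timestamp on this line at all\n"
    "host2 application-server: Apr 11 10:20:32 late timestamp\n"
)


def split_events(raw):
    """Split raw input into events the way LINE_BREAKER does: the captured group
    is the delimiter and is discarded.  Empty pieces (leading or trailing
    breaks) are dropped."""
    pieces = re.split(LINE_BREAKER, raw)
    # re.split returns [text, delimiter, text, delimiter, ...]; keep only the text.
    return [p for p in pieces[::2] if p.strip()]


def extract_timestamp(event, year):
    """Apply TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT to one event.

    The timestamp is searched for only in the MAX_TIMESTAMP_LOOKAHEAD characters
    that follow the TIME_PREFIX match.  Returns a datetime, or None when no
    timestamp in TIME_FORMAT is found there (Splunk would then fall back to
    another source of time, which this model does not reproduce)."""
    prefix = re.search(TIME_PREFIX, event)
    if prefix is None:
        return None
    window = event[prefix.end():prefix.end() + MAX_TIMESTAMP_LOOKAHEAD]
    shape = _TS_SHAPE.search(window)
    if shape is None:
        return None
    # Parse with the year prepended: strptime without a year defaults to 1900,
    # which rejects "Feb 29".
    try:
        return datetime.strptime(f"{year} {shape.group(0)}", "%Y " + TIME_FORMAT)
    except ValueError:
        return None


def parse_payload(raw, year):
    """Run the whole default pipeline: one dict per event with the raw text and
    the extracted timestamp (None when extraction failed)."""
    return [{"raw": e, "time": extract_timestamp(e, year)} for e in split_events(raw)]


if __name__ == "__main__":
    for ev in parse_payload(SAMPLE_PAYLOAD, 2024):
        stamp = ev["time"].isoformat() if ev["time"] else "NO TIMESTAMP"
        print(f"{stamp:<20} {ev['raw'][:60]}")
```

Run it and the last two events come out without a timestamp: the third line has none, and the fourth has one, but it starts at character 26, outside the 17-character window that follows TIME_PREFIX. That is the practical reason the documented rules anchor the prefix with ^ and why a new event source whose timestamp is not at the start of the line needs its own props.conf stanza rather than the default one.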

Changing the address and port for forwarding data to Kaspersky CyberTrace Service

By default, Forwarder App is configured to forward data to Kaspersky CyberTrace Service at 127.0.0.1:9999.

To change the address and port for forwarding data to Kaspersky CyberTrace Service,

In the outputs.conf configuration file, in the [tcpout:service9999] section, set the server parameter to the new address and port on which Kaspersky CyberTrace Service listens.

In the following example, 192.0.2.100:9999 is specified as the Kaspersky CyberTrace Service address.

[tcpout:service9999]
disabled = false
server = 192.0.2.100:9999
sendCookedData = false

Adding new event sources

To add new event sources, edit the inputs.conf and props.conf configuration files of the app.

To add a new event source:

  1. In inputs.conf, specify a new event source that uses the service9999 TCP routing rule.

    All data from this input will be forwarded to Kaspersky CyberTrace Service.

  2. In props.conf, specify how data from this source must be processed.
  3. Restart Splunk.

Make sure that data from the new event source matches the regular expressions used by Kaspersky CyberTrace.

Below is an example of adding the address :3001 as an event source; it specifies that data from the address :3001 must be processed in the same way as the other input data in the default integration scheme (in this scheme, the forwarder, indexer, and search head are installed on a single computer).

# to inputs.conf
[tcp://:3001]
_TCP_ROUTING = service9999

# to props.conf
[source::tcp:3001]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = ([\n]+)
SHOULD_LINEMERGE = false

If Splunk Forwarder is already configured to receive events from different event sources and you want to send those events to Kaspersky CyberTrace Service, perform the following procedure. It works only if the server parameter in the outputs.conf configuration file of Forwarder App contains the IP address and port that are specified in the InputSettings > ConnectionString element of the Kaspersky CyberTrace Service configuration file.

To forward events to Kaspersky CyberTrace Service:

  1. In the outputs.conf file that is used for forwarding events from Splunk (it can be either the outputs.conf file of a custom Splunk application or the %SPLUNK_HOME%/etc/system/local/outputs.conf file), in the defaultGroup field, add a comma and the string service9999.

    In this case, check the event forwarding logic and make sure that events that arrived from Kaspersky CyberTrace Service are not sent again to Kaspersky CyberTrace Service by Splunk.

    If the inputs.conf configuration file contains the _TCP_ROUTING parameter for the event sources whose events are sent to Kaspersky CyberTrace Service, add a comma and the string service9999 to that _TCP_ROUTING parameter.

  2. Restart Splunk.

If required, the ScannersCount setting in Kaspersky CyberTrace can be adjusted to the Splunk architecture.

Configuring Forwarder App to send events to indexes

By default, events that are sent from Forwarder App to Kaspersky CyberTrace Service are not registered in the indexes. You can change this behavior by configuring Forwarder App.

To configure Forwarder App to send events to the main index:

  1. Locate the Forwarder that you want to configure. This Forwarder is typically a machine with Forwarder App installed. You must configure all Forwarders that are used in your distributed integration scheme.
  2. On the Forwarder, in the %SPLUNK_HOME%\etc\system\local\outputs.conf file, locate the name of the target group that is used for sending events to one or more Indexers. Here %SPLUNK_HOME% is the Splunk installation directory.

    By default, the name of this group is default-autolb-group:

    [tcpout:default-autolb-group]

  3. In the inputs.conf file used by the Forwarder App, locate the section with service9999 TCP routing rule:

    _TCP_ROUTING = service9999

  4. Add the name of the target group to this rule.

    For example, if the name of the target group is default-autolb-group, the rule must be changed in the following way:

    _TCP_ROUTING = service9999, default-autolb-group

  5. Restart Splunk on the Forwarder.
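Two of the procedures above are easy to get subtly wrong: adding service9999 to a defaultGroup that the port 9998 input also falls back to (the feedback loop warned about under "Adding new event sources"), and leaving an input routed to service9999 only, so that its events never reach an Indexer (the default behavior described in "Configuring Forwarder App to send events to indexes"). The checker below is an added example, not a Kaspersky or Splunk tool: it parses the INI-like subset of Splunk .conf syntax used on this page and reports, for every enabled TCP input, whether each routed group has an enabled [tcpout:...] stanza, whether the CyberTrace feed input would be routed back to service9999, and whether the input reaches any Indexer at all. The inputs.conf and outputs.conf contents, the Indexer address 192.0.2.20:9997 and the scenario names are all constructed for the example.

```python
# Splunk-style .conf files are INI-like: [stanza] headers followed by key = value lines.


def parse_conf(text):
    """Minimal parser for the subset of Splunk .conf syntax used on this page."""
    stanzas = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def _groups(value):
    """Split a comma-separated group list such as 'service9999, default-autolb-group'."""
    return [g.strip() for g in value.split(",") if g.strip()]


def _is_disabled(kv):
    return kv.get("disabled", "false").strip().lower() in ("true", "1")


CYBERTRACE_GROUP = "service9999"   # tcpout group that reaches Kaspersky CyberTrace Service (from the page)
CYBERTRACE_FEED = "tcp://:9998"    # input on which Forwarder App receives events back from CyberTrace


def check_routing(inputs_text, outputs_text):
    """Return a list of findings about how each enabled TCP input is routed.

    The effective routing of an input is its _TCP_ROUTING list or, when that is
    absent, the defaultGroup of the [tcpout] stanza.  Checks:
      * every routed group has an enabled [tcpout:<group>] stanza;
      * the input fed by CyberTrace is never routed back to service9999;
      * inputs routed only to service9999 are flagged: their events are not indexed."""
    inputs = parse_conf(inputs_text)
    outputs = parse_conf(outputs_text)
    groups = {n.split(":", 1)[1]: kv for n, kv in outputs.items() if n.startswith("tcpout:")}
    default_groups = _groups(outputs.get("tcpout", {}).get("defaultGroup", ""))
    findings = []
    for name, kv in inputs.items():
        if not name.startswith("tcp://") or _is_disabled(kv):
            continue
        routes = _groups(kv.get("_TCP_ROUTING", "")) or default_groups
        if not routes:
            findings.append(f"{name}: no _TCP_ROUTING and no defaultGroup; events go nowhere")
            continue
        for g in routes:
            if g not in groups:
                findings.append(f"{name}: group '{g}' has no [tcpout:{g}] stanza in outputs.conf")
            elif _is_disabled(groups[g]):
                findings.append(f"{name}: group '{g}' is disabled in outputs.conf")
        if name == CYBERTRACE_FEED and CYBERTRACE_GROUP in routes:
            findings.append(f"{name}: events received from CyberTrace would be sent back to "
                            f"{CYBERTRACE_GROUP} (feedback loop)")
        if routes == [CYBERTRACE_GROUP]:
            findings.append(f"{name}: routed only to {CYBERTRACE_GROUP}; events will not reach any indexer")
    return findings


# Constructed scenarios.  INPUTS_DEFAULT mirrors the Forwarder App defaults described
# on the page; INPUTS_INDEXED is the result of step 4 above; OUTPUTS_LOOP is what
# happens if service9999 is appended to defaultGroup without checking the 9998 input.
INPUTS_DEFAULT = """
[tcp://:3000]
_TCP_ROUTING = service9999

[tcp://:9998]
"""
INPUTS_INDEXED = INPUTS_DEFAULT.replace("service9999", "service9999, default-autolb-group")
OUTPUTS_DEFAULT = """
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.0.2.20:9997

[tcpout:service9999]
disabled = false
server = 192.0.2.100:9999
sendCookedData = false
"""
OUTPUTS_LOOP = OUTPUTS_DEFAULT.replace("defaultGroup = default-autolb-group",
                                       "defaultGroup = default-autolb-group, service9999")

if __name__ == "__main__":
    for label, ins, outs in (("default", INPUTS_DEFAULT, OUTPUTS_DEFAULT),
                             ("indexed", INPUTS_INDEXED, OUTPUTS_DEFAULT),
                             ("loop", INPUTS_DEFAULT, OUTPUTS_LOOP)):
        print(f"[{label}]", check_routing(ins, outs) or "OK")
```

The "default" scenario yields exactly one finding (port 3000 events are not indexed), "indexed" yields none, and "loop" adds the feedback-loop finding for the port 9998 input, which is the case the procedure tells you to check by hand. Run it against the real files from every Forwarder in the distributed scheme, since each one carries its own outputs.conf.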

Configuring alert templates

For more information about configuring alert templates, see subsection "Configuring alert templates" in "Step 2 (optional). Configuring Kaspersky CyberTrace App".
