IBM DataPower Add-on for Splunk¶
About the IBM Secret Server Add-on for Splunk¶
Version | 0.1.1 |
Vendor Products | IBM Security Secret Server 10.5.0 or newer |
Visible in Splunk Web | No. This add-on contains no dashboards. |
The IBM Secret Server Add-on for Splunk brings field extractions from IBM Secret Server syslog data to the Splunk platform. This add-on does not collect any data.
Download the IBM Secret Server Add-on for Splunk from Splunkbase.
For a summary of new features, fixed issues, and known issues, see Release Notes for the IBM Secret Server Add-on for Splunk.
For information about installing and configuring the IBM Secret Server Add-on for Splunk, see Installation and configuration overview for the IBM Secret Server Add-on for Splunk.
See Questions related to IBM Secret Server Add-on for Splunk on Splunk Answers.
Release notes¶
About this release¶
This version of the IBM Secret Server Add-on for Splunk is compatible with the following software, CIM versions, and platforms.
Splunk software versions | 7.1 or later |
CIM | 4.7 or later |
Platforms | Platform independent |
Vendor Products | IBM Security Secret Server 10.5.0 or newer |
New features¶
This version of the IBM Secret Server Add-on for Splunk contains the following new features.
Fixed issues¶
This version of the IBM Secret Server Add-on for Splunk contains the following fixed issues.
Date resolved | Issue number | Description |
Known issues¶
This version of the IBM Secret Server Add-on for Splunk has the following known issues.
Date filed | Issue number | Description |
Hardware and software requirements¶
To install and configure the IBM Secret Server Add-on for Splunk, you must have the admin role in the Splunk platform.
IBM Secret Server setup requirements¶
Splunk platform requirements¶
Because this add-on runs on the Splunk platform, all of the system requirements apply for the Splunk software that you use to run this add-on.
For Splunk Enterprise system requirements, see System Requirements in the Splunk Enterprise Installation Manual. If you plan to run this add-on entirely in Splunk Cloud, there are no additional Splunk platform requirements. If you are managing on-premises forwarders to get data into Splunk Cloud, see System Requirements in the Splunk Enterprise Installation Manual, which includes information about forwarders.
Installation¶
Install the IBM SecretServer Add-on for Splunk¶
- Get the IBM SecretServer Add-on for Splunk by downloading it from Splunkbase or browsing to it using the app browser within Splunk Web.
- Determine where and how to install this add-on in your deployment, using the tables on this page.
- Perform any prerequisite steps before installing, if required and specified in the tables below.
- Complete your installation.
Distributed deployments¶
Reference the tables below to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise or any deployment for which you are using forwarders to get your data in. Depending on your environment, your preferences, and the requirements of the add-on, you may need to install the add-on in multiple places.
Where to install this add-on¶
Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.
This table provides a reference for installing this specific add-on to a distributed deployment of Splunk Enterprise.
Splunk platform component | Supported | Required | Comments |
---|---|---|---|
Search Heads | Yes | Yes | Install this add-on to all search heads. |
Indexers | Yes | Optional | Required for the parsing operations (sourcetype renaming) if the data is not coming from a heavy forwarder. |
Heavy Forwarders | Yes | Yes | Required for the parsing operations (sourcetype renaming). |
Universal Forwarders | No | No | This add-on requires heavy forwarders. |
Distributed deployment compatibility¶
This table provides a quick reference for the compatibility of this add-on with Splunk distributed deployment features.
Distributed deployment feature | Supported | Comments |
---|---|---|
Search Head Clusters | Yes | You can install this add-on on a search head cluster for all search-time functionality. |
Indexer Clusters | Yes | |
Deployment Server | Yes | Supported for deploying via Deployment server |
Installation walkthroughs¶
The Splunk Add-Ons manual includes an Installing add-ons guide that helps you successfully install any add-on to your Splunk platform. For a walkthrough of the installation procedure, follow the link that matches your deployment scenario:
Configuration¶
Splunk¶
- Configure a new index (e.g. pam) for the new logs
The IBM SecretServer Add-on contains one base sourcetype:
- ibm:secretserver:cef - this should be used if you are sending data via UDP
Receiving syslogs on Splunk¶
NOTE: It's recommended to use a separate and dedicated syslog solution (e.g. rsyslog, syslog-ng, etc.).
- Configure a new TCP port (e.g. 514) pointing to the new index using the “ibm:secretserver:cef” sourcetype
Monitoring log files¶
- Configure a new file monitor input pointing to the new index using the “ibm:secretserver:cef” sourcetype
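
The Splunk-side steps above written out as configuration files. This is an added example, not configuration shipped with the add-on. The index name pam and port 514 are the page's own examples; the monitored path and its per-host directory layout are assumptions.

```ini
# indexes.conf (on the indexers): dedicated index for Secret Server events.
# "pam" is the example index name used on this page.
[pam]
homePath   = $SPLUNK_DB/pam/db
coldPath   = $SPLUNK_DB/pam/colddb
thawedPath = $SPLUNK_DB/pam/thaweddb

# inputs.conf (on the heavy forwarder): direct TCP syslog input.
# Binding to a port below 1024 requires root on Linux.
[tcp://514]
index = pam
sourcetype = ibm:secretserver:cef
# Record the sender's IP address as the event host.
connection_host = ip

# inputs.conf (on the heavy forwarder): alternative input that monitors
# files written by a dedicated syslog server (rsyslog, syslog-ng).
# Assumed layout: /var/log/remote/secretserver/<sending-host>/<file>.log
[monitor:///var/log/remote/secretserver/*/*.log]
index = pam
sourcetype = ibm:secretserver:cef
# Take the event host from the 5th path segment (<sending-host>).
host_segment = 5
disabled = false
```

Use either the TCP stanza or the monitor stanza for a given log stream, not both, so events are not indexed twice.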
IBM SecretServer¶
- Configure syslog outputs
For more information please refer to the IBM SecretServer documentation.
Troubleshooting¶
Support¶
Bugs & Support Issues¶
You can file bug reports on our GitHub issue tracker and they will be addressed as soon as possible. Support is a volunteer effort and there is no guaranteed response time.