Table of Contents

OVERVIEW

• About the TA-Savvius-nix and TA-Savvius-win technology add-on's
• Support and resources

INSTALLATION

• Hardware and software requirements
• Installation steps
• Performance Benchmarks
• CSV Files and Splunk Indexes

OVERVIEW

About the Savvius for Splunk Network Dashboards

• Author: Savvius
• App Version: 1.0
• Vendor Products: Savvius Omnipliances Cx/MX/TL and OmniPeek Capture Engine 9.0
• Has index-time operations: false
• Create an index: false
• Implements summarization: false

Introduction

The TA-Savvius-nix and TA-Savvius-win technlogy add-on's configure a Splunk Forwarder to send data from an Omnipliance (Linux) or an OmniPeek Capture Engine (Windows) to a Splunk Server running the Savvius for Splunk dashboards. The technology add-on's tell the Splunk Forwarder where to find the CSV files generated by the Capture Engine, and what to do with them.

The Savvius For Splunk App can be found here:

https://splunkbase.splunk.com/app/2730

The technology add-on's can be found here:

TA-Savvius-nix - https://splunkbase.splunk.com/app/2746/
TA-Savvius-win - https://splunkbase.splunk.com/app/2747/

About this release

Version 1.0 of the TA-Savvius-nix is compatible with:

• Splunk Universal Forwarder: 6.2 and above
• CIM: n/a
• Platforms: Platform independent
• Vendor Products: Savvius Omnipliance 9.0 CX/MX/TL (Linux)
• Lookup file changes: n/a

Version 1.0 of the TA-Savvius-win is compatible with:

• Splunk Universal Forwarder: 6.2 and above
• CIM: n/a
• Platforms: Platform independent
• Vendor Products: Savvius OmniPeek Capture Engine 9.0 (Windows)
• Lookup file changes: n/a

Support and resources

The Savvius for Splunk Network Dashboards are supported by Savvius for customers who have purshased maintenance with their Savvius products.

• Hours: Mon-Fri 9-5
• Observed holidays: Closed on major US holidays.
• Email: support21c@savvius.com

INSTALLATION AND CONFIGURATION

Hardware and software requirements

Hardware requirements

Savvius for Splunk supports the following server platforms in the versions supported by Splunk Enterprise:

• Windows (requires TA-savvius-win)
• Linux (requires TA-savvius-nix)

Installation steps

Important: These instructions are for the TA only. To view the data, download the Savvius for Splunk Network Dashboards for the Splunk Server at https://splunkbase.splunk.com/app/2730

Installation Instructions

TA-Savvius-nix

How to install Splunk Forwarder on Omnipliance

1. Download the Splunk Universal Forwarder from splunk.com
2. copy forwarder to /opt
3. Install Forwarder
4. >cd /opt
5. >gunzip splunkforwarder-VERSION.tgz
6. >tar xvf splunkforwarder-VERSION.tar
7. >cd /opt/splunkforwarder/bin
8. >./splunk enable boot-start
9. >./splunk start
10. >./splunk add forward-server hostname.domain:9997

How to install Savvius TA

1. Download the ta-savvius-nix_VER.tgz file from Splunkbase onto the Omnipliance
2. Copy the file to /tmp
3. Install the app from the cmd line:
4. >./splunk install app /tmp/ta-savvius-nix_VER.tgz
5. >./splunk restart
6. >./splunk list forward-server
7. Ensure that Splunk server is in the active list

How to configure receiving on the Splunk Server

1. From the Splunk UI goto Settings->Forwarding and receiving
2. Select “Configure receiving”
3. Select New
4. Enter 9997 for the port
5. Select Save
6. Or from the command line: >./splunk enable listen 9997

How to configure capture engine (9.0.3) to send data to Splunk server

1. service omnid stop
2. edit /etc/omni/omni.conf
3. add the following line to /etc/omni/omni.conf: "reportspath /var/lib/omni/data/statistics"
4. service omnid start

How to Configure the Capture

1. On your Capture Engine, create a capture called “Splunk”.
2. Enable Statistics Output
3. Select an interval
   o 10 minutes is a good default
   o The smaller the interval the longer components take to refresh in the Splunk App
4. Select CSV report
5. Enable Reset Statistics
6. Select Set Schedule
7. Select “Every time”
8. Specify how many files to keep. 1 should be fine. More allows the Splunk server to go down for longer periods of time and still catch up.

Changing the Capture name

The reason for the capture name of “Splunk” is because the inputs.conf file in the TA tells the Splunk forwarder which capture to collect CSV files for. If the capture is named something different, then change the name of the folder in the inputs.conf file to match the capture name. “…” can be used in place of the capture name to collect CSV report files from all captures.

Performance Benchmarks

In order for an Omnipliance or an OmniPeek Capture Engine to generate analysis that can be saved to CSV files and ingested into Splunk, certain Analysis Options have to be enabled. Which Analysis Options are enabled depends on what types of analysis will be useful to you. It is important to understand that the more analysis enabled, the lower the performance is going to be. Performance in this case is how much traffic can be captured.

When creating your Splunk captures, be sure and go to the Analysis Options Tab in the Capture Options Dialog. Here is where the analysis options are configured. By default, everything will be enabled. With everything enabled, the analysis performance, or maximum data rate that can be captured and processed, although dependent on many factors like packet size, number of nodes, protocols, etc.., will be less than 1Gbps. By selectivly disabling analysis that is not important to you, performance will increase siginificantly.

Performance can also be increased by using a smart tap to load balance the traffic over multiple captures on different ports, as well as multiple Omnipliances and OmniPeek Capture Engines.

CSV Files and Splunk sourcetype

In order to generate CSV files that Splunk can index, Analysis Options have to be enabled for the Splunk capture. Each type of CSV file has a list of fields as the first row of the file. The Savvius for Splunk Dashboards uses a seperate sourcetype for each of the different types of CSV files that are imported from the Splunk Forwarder into the Splunk Server. Some of the files share the same data-model and use the same sourcetype. The name of each sourcetype is listed below along with the file of files that it is associated with:

1. sv_nodes - (Node Statistics-IP.csv, Node Statistics-IPv6.csv, Node Statistics-Physical.csv) List of nodes with byte and packet counts for each
2. sv_apps - (Application Statistics.csv) List of applications with byte and packet counts for each
3. sv_protocols - (Protocol Statistics-Instance.csv) List of protocols with byte and packet counts for each
4. sv_flows - (Expert Flow Statistics.csv) List of flows with bytes, packets, response times, and many other stats for each
5. sv_event_counts - (Expert Event Counts.csv) List of expert events and number of each
6. sv_summaries - (Summary Statistics.csv) List of all summary stats by group with bytes and packets, or value for each
7. sv_voip - (VoIP Call Statistics.csv) List of VoIP calls, and statistics for each
8. sv_media - (VoIP Media Statistics.csv) List of VoIP media flows, and statistics for each
9. sv_appresponse - (Expert Application Statistics.csv) List of appliations and response time for each
10. sv_events - (Expert Event Log.csv) List of all events