This document describes the CloudPassage App for Splunk Enterprise and explains how to set up, configure, and get started using the App.
The purpose of the CloudPassage App for Splunk Enterprise is to import Halo event data into Splunk Enterprise and allow it to be manipulated by Splunk users and displayed on Halo-specific pages within Splunk Enterprise. The App includes several Halo specific event display screens for reporting event results and summaries.
For event import, the App uses the script-based Modular Input tool. The Modular Input script retrieves event data from a CloudPassage Halo account and imports it into Splunk Enterprise for further processing.
Retrieving events. The script is designed to execute repeatedly, keeping Splunk up-to-date with Halo events as time passes and new events occur:
The first time the script runs, it by default retrieves all logged events within the past 90 days from a single Halo account. Then the script creates a file, writes the timestamp of the last-retrieved event in it, and saves it as a checkpoint. You may find the checkpoint file in /Splunk/var/lib/splunk/modinputs.
Every subsequent time the script runs, it retrieves only those events that were created after the timestamp stored in the checkpoint.
During any script run, if no new events have occurred since the last run, no events are retrieved or imported into Splunk.
Output formats. The script receives event data from Halo in Halo's native JavaScript Object Notation (JSON) format, which you can view in Splunk after the data has been imported.
Authentication to the Halo API. CloudPassage Halo requires the Modular Input script to pass a valid Halo API key pair in order to obtain event data. You can find the Halo API key pair in CloudPassage Halo Portal. We recommend using an auditor (read-only) API key pair with the necessary server group scope.
To get started, you must have the following:
An active CloudPassage Halo subscription. If you don't have one, Register for CloudPassage to receive your credentials and further instructions by email.
Access to your CloudPassage API key. Best practice is to create a new read-only key specifically for use with this script.
Splunk Enterprise Server 7.0 or later. You can download Splunk Enterprise Server from here.
You can obtain the CloudPassage app through Splunkbase.
To install the CloudPassage App for Splunk Enterprise, first log into Splunk Enterprise. After you have successfully logged in, click on the gear icon next to Apps on the top left of your screen then click on Browse more apps, this will take you to the Splunk Apps page.
On the Splunk Apps page, search for “CloudPassage” to find the “CloudPassage App for Splunk Enterprise”. Click Install to install the app.
Regardless of how you install the CloudPassage App, once you are successful it appears in the Splunk Enterprise dashboard, like this:
All events will be written to an index named "cloudpassage". Make sure to create the index via the Splunk GUI before activating the CloudPassage App.
The index name must be "cloudpassage", all other parameters is up to the user to decide.
After installing the CloudPassage App, configure it by obtaining required Halo information, specifying the Modular Input configuration settings in a configuration file, and entering additional data input settings within Splunk Enterprise. Once you have done that, execution of the App is automatic.
The Modular Input is a python script that makes calls to the CloudPassage API. The script is required to authenticate itself to Halo during every session; therefore, you (as a Halo user) need to make your CloudPassage API Key available to the script.
If you do create an API key, we recommend that, as a best practice, you create a read-only key. A read-only key is all that you need to be able to retrieve Halo event data.
Now integrate your installed CloudPassage App into Splunk Enterprise.
Log into your Splunk Enterprise installation. Choose Data Inputs from the Settings menu.
Click on CloudPassage Splunk Connector dialog box opens.
You add new types of data to Splunk Enterprise by telling it about them. There are a number of ways you can specify a data input, either in terms of its type or by its source. The Modular Input script is a source that collects data for Splunk by connecting to the CloudPassage Grid and using the Halo Event API. That is the source type that you will select.
Click on the Add new dialog box opens:
Fill in these fields:
/Splunk/var/lib/splunk/modinputs. api.cloudpassage.com. If your CloudPassage API hostname is different from the default setting, please specify here.Click Save.
When it has finished adding the new data source, Splunk displays a success message:
You're done! The Modular Input script is now running, automatically providing events to Splunk for indexing.
The CloudPassage App provides several interactive pages that allow you to view and manipulate your Halo data from many different perspectives. Once the script runs successfully and is incorporating event data into Splunk, you will see Halo events such as the following appear in your CloudPassage App within Splunk Enterprise.You're done! The Modular Input script is now running, automatically providing events to Splunk for indexing.
CS-537: add per_page as modular input, default=100, max=500
CS-538: fix Not supported proxy scheme None
Read api hostname from data input
Fixed issue where latest event duplicates on interval runs.
Added SDK retry logic into App.
Delayed retry up to 5 times if grid returns a 500 on Api request.
Able to retrieve all events from 90 days ago.
Does not have 5000 event daily limit count.
The CloudPassage App for Splunk is now proxy-aware. If you connect outbound via a proxy server in your environment, you can now specify the IP address or FQDN of the proxy server for Splunk to connect to.
The CloudPassage Halo Secret key input field is now asterisked and not in clear text.
Minor bug fixes.
Fixed issue while trying to regenerate authentication token.
Fixed issue where the Halo Event Search dashboard was not displaying drill-downs correctly for all event types.
Fixed an issue where Halo Event Search was not displaying events correctly on drill-down.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.