To use the Cb Protection App for Splunk, you must configure the Cb Protection Server for data output, and make modifications on both the system hosting the Cb Protection Server and on the Splunk server. The summary of these steps is as follows:
A. Configure your Cb Protection server to export data.
B. Enable your Splunk server to collect Cb data.
C. Install the Cb Protection app on your Splunk server.
D. If you have additional indexers beyond your Splunk server, install the Cb Protection app on those indexers.
E. Install the Splunk Universal Forwarder on your Cb Protection server machine to send the logs to Splunk.
F. Install the Cb Protection app on your Splunk Universal Forwarder to inform it where the Cb Protection data export is located.
A. Configure your Cb Protection server to export data
In the Cb Protection console, open the System Configuration > External Analytics page, set the Export Directory that the export files will be written to, and enter the address of your Splunk Web server in the Root URL field.

B. Enable your Splunk server to collect Cb data
You must complete several procedures on the Splunk server to enable use of Cb Protection data. First, configure the Splunk server to receive forwarder data on port 9997.

C. Install the Cb Protection app on your Splunk server
1. Download cb-protection-app-for-splunk_20.tar.gz to a convenient location on the server.
2. In Splunk Web, install the app from file: browse to the cb-protection-app-for-splunk_20.tar.gz file, and then click Upload.

D. Install the Cb Protection app on additional indexers
1. Extract the cb-protection-app-for-splunk_20.tar.gz file you downloaded to the \etc\apps subdirectory under the Splunk indexer installation directory. For example, if you are running a 64-bit OS on the Splunk indexer machine: C:\Program Files\Splunk\etc\apps\
2. Restart Splunk on the indexer from a command prompt:
cd \Program Files\Splunk\bin
.\splunk restart
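The indexer and search-head steps above, done from the Splunk CLI instead of Splunk Web, as an added example (this is not code from the app or from Splunk's documentation). It assumes Splunk is installed under C:\Program Files\Splunk, the package was downloaded to C:\Temp, Windows Firewall is in use on the host, and the placeholder credential admin:CHANGE_ME stands for a real Splunk admin account. The app directory name bit9-secapp is taken from the forwarder steps on this page; `splunk enable listen`, `splunk install app` and `splunk display listen` are standard Splunk CLI commands.

```powershell
# Added example: prepare a Splunk indexer or search head on Windows to receive
# and display Cb Protection data. Not the app's own code.
# Assumptions (not stated on the page): install path, package location,
# Windows Firewall in use, and a placeholder admin credential.
$SplunkHome = 'C:\Program Files\Splunk'
$Splunk     = Join-Path $SplunkHome 'bin\splunk.exe'
$Package    = 'C:\Temp\cb-protection-app-for-splunk_20.tar.gz'
$Auth       = 'admin:CHANGE_ME'   # placeholder; supply a real admin credential

if (-not (Test-Path $Package)) { throw "Package not found: $Package" }

# Step 1: accept forwarder traffic on TCP 9997. This writes a
# [splunktcp://9997] stanza to etc\system\local\inputs.conf.
& $Splunk enable listen 9997 -auth $Auth

# Step 2: open the port on the host firewall so forwarders can reach it.
New-NetFirewallRule -DisplayName 'Splunk forwarder input 9997' `
    -Direction Inbound -Protocol TCP -LocalPort 9997 -Action Allow | Out-Null

# Step 3: install the app package. The CLI unpacks it into etc\apps, which is
# the same result as the manual copy into the \etc\apps subdirectory.
& $Splunk install app $Package -auth $Auth

# Step 4: verify before restarting: the listener is registered and the app
# directory exists (bit9-secapp is the app ID used later on this page).
& $Splunk display listen -auth $Auth
$AppDir = Join-Path $SplunkHome 'etc\apps\bit9-secapp'
if (-not (Test-Path $AppDir)) { throw "App directory $AppDir was not created" }

# Step 5: restart so the listener and the app take effect.
& $Splunk restart
```

The splunktcp listener accepts cleartext forwarder connections unless you enable SSL on both the indexer input and the forwarder output, so on a network segment you do not fully control, configure SSL before pointing the Cb Protection forwarder at it.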
E. Install the Splunk Universal Forwarder on your Cb Protection server machine
Important: During the Splunk Universal Forwarder installation process, do not enter the location of the data files on the Cb Protection Server when prompted. The location of these files will be provided by the Cb Protection App for Splunk.

F. Install the Cb Protection app on your Splunk Universal Forwarder
Once the Splunk Universal Forwarder is installed, install the Cb Protection app under the Splunk Universal Forwarder installation directory:
1. Extract the cb-protection-app-for-splunk_20.tar.gz file you downloaded to the \etc\apps subdirectory under the Splunk Universal Forwarder installation directory. For example, if you are running a 64-bit OS on the Cb Protection Server: C:\Program Files\SplunkUniversalForwarder\etc\apps\
2. Open the bit9-secapp directory and create a new directory named local.
3. Copy default\inputs.conf into the local directory.
4. Edit local\inputs.conf to point to the location of the Export Directory configured on the Cb Protection console System Configuration/External Analytics page, and save the file. For example, if the Export Directory on the Cb Protection Server is D:\Bit9\LogFiles, the first line of inputs.conf should be changed to the following:
[monitor://D:\Bit9\LogFiles\*.bt9]
5. Restart the Splunk Universal Forwarder from a command prompt:
cd \Program Files\SplunkUniversalForwarder\bin
.\splunk restart
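The forwarder-side steps above as one PowerShell script, added here as an example (not the app's own code). It assumes the Universal Forwarder is installed under C:\Program Files\SplunkUniversalForwarder, the package is in C:\Temp, tar.exe is available on the host (shipped with Windows 10 1803 and Windows Server 2019 and later), the Export Directory is D:\Bit9\LogFiles as in the example above, the indexer's name splunk-idx.example.com is a placeholder, and admin:CHANGE_ME stands for the forwarder's admin credential. `splunk add forward-server` is a standard forwarder CLI command.

```powershell
# Added example: install the Cb Protection app on a Splunk Universal Forwarder
# running on the Cb Protection Server and point its inputs.conf at the Export
# Directory. Not the app's own code; paths, hostnames and credential below are
# assumptions.
$UfHome    = 'C:\Program Files\SplunkUniversalForwarder'
$Splunk    = Join-Path $UfHome 'bin\splunk.exe'
$Package   = 'C:\Temp\cb-protection-app-for-splunk_20.tar.gz'
$ExportDir = 'D:\Bit9\LogFiles'             # Export Directory from External Analytics
$Indexer   = 'splunk-idx.example.com:9997'  # placeholder indexer host:port
$Auth      = 'admin:CHANGE_ME'              # placeholder forwarder admin credential

# Step 1: unpack the package into etc\apps, as the manual step does.
$AppsDir = Join-Path $UfHome 'etc\apps'
& tar.exe -xzf $Package -C $AppsDir
$AppDir = Join-Path $AppsDir 'bit9-secapp'
if (-not (Test-Path $AppDir)) { throw "Expected $AppDir after extraction" }

# Step 2: create local\ and copy default\inputs.conf into it. Edits live in
# local\ so an app upgrade, which replaces default\, does not overwrite them.
$LocalDir = Join-Path $AppDir 'local'
New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null
$LocalInputs = Join-Path $LocalDir 'inputs.conf'
Copy-Item (Join-Path $AppDir 'default\inputs.conf') $LocalInputs -Force

# Step 3: rewrite the first [monitor://...] stanza to the Export Directory,
# producing e.g. [monitor://D:\Bit9\LogFiles\*.bt9]. Fail loudly if the copied
# file does not contain a monitor stanza, rather than forwarding nothing.
if (-not (Test-Path $ExportDir)) { throw "Export Directory $ExportDir does not exist" }
$Stanza = "[monitor://$ExportDir\*.bt9]"
$Lines  = @(Get-Content $LocalInputs)
$Found  = $false
for ($i = 0; $i -lt $Lines.Count; $i++) {
    if ($Lines[$i] -match '^\[monitor://') { $Lines[$i] = $Stanza; $Found = $true; break }
}
if (-not $Found) { throw "No [monitor://...] stanza found in $LocalInputs" }
Set-Content -Path $LocalInputs -Value $Lines

# Step 4: tell the forwarder where to send the data, then restart so the new
# input and output take effect.
& $Splunk add forward-server $Indexer -auth $Auth
& $Splunk restart
```

The forwarder service account must have read access to the Export Directory; if it runs as a low-privilege user rather than Local System, grant that user read permission on D:\Bit9\LogFiles or the monitor stanza will silently collect nothing.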
When you have completed all of these steps, the Cb Protection-Splunk integration should be complete and data from Cb Protection should begin flowing to Splunk. Please click on the Contact link if you have questions.
Our AppID has changed from "TA_bit9" to "bit9-secapp", so if you upgrade from the old one, you will notice that there are now two instances of our app (in the menus, on the main screen, and so forth). Go back to the Apps management screen and click "Disable" next to the 1.0.1 version of the app. Then go into the Bit9 console and, under System Configuration > External Analytics, edit the Relative URL entries, changing "TA-bit9" to "bit9-secapp".
New feature: The "New Unapproved Files" pivot table lets you easily zero in on which processes and files are generating the most unapproved-file traffic, making it easier to define rules to reduce the amount of "noise" in your Cb Protection environment.
Requires Cb Protection (formerly Bit9) version 7.2 or higher.
Includes some bug fixes and performance improvements.
Requires Bit9 Security Platform version 7.2. Includes some bug fixes and performance improvements. If you have installed version 1.0 of this app before, this version must be installed over the existing app on forwarders and indexers as well as search heads.
Requires Bit9 Security Platform 7.2 or greater.