Integrating Logging with Splunk App

This section describes how to configure the CipherTrust Manager and Thales Security Intelligence app (a Splunk app) for the CM Dashboard of the app.

App Configuration for CM Dashboard

The Thales Security Intelligence app is written for flexibility, however, this means, more configuration steps are required for the app to work correctly with the log data (for example, Splunk indexes and input).

Create the CipherTrust Manager Splunk Index

The Splunk index is for the general CipherTrust Manager log data. Perform the following steps to create indexes to specifically hold the CipherTrust Manager log data from your CipherTrust Manager appliances, both virtual and physical.

1. Log on to your Splunk server.

2. From the top menu, click Settings > Indexes.

   

3. At the top right, click the New Index button.

   

4. In the New Index dialog box, specify the Index Name (for example, cm).

5. From the App drop-down list, select Thales Security Intelligence.

   

6. Click Save.

The Indexes page is refreshed with the new index in the list.

Create Splunk Data Input (TCP/UDP)

By default, the Thales Security Intelligence app is not configured to obtain the CipherTrust Manager log data on any port. So, the data input ports must be added.

To add the data input ports:

1. From the Splunk menu, click Settings > Data inputs.

   

2. On the Data inputs page, click + Add new for the TCP or UDP Type.

   

3. Add the desired Port (for example, UDP/5514 or TCP/6514) and click Next >.

   

4. Specify the Input Settings.

   1. Next to the Source type section, click Select, then select cm-st from the drop-down list.

      Note

      The custom Splunk source type cm-st is created when you install the Splunk app.

   2. From the App Context drop-down list, select the Thales Security Intelligence app.

   3. Select IP as the Method.

   4. Select the Index created in the steps above.

   5. Click Review >.

   

5. On the Review page, review the information. To make any changes, click Back and update the details. If the information is correct, click Submit >.

Add User Role Access to Indexes

By default, Splunk uses the main or default index when performing searches if no index is specified. You can add the newly created CipherTrust index to the Splunk Role that will have access to view the Thales Security Intelligence App Dashboards.

To add the user role access to indexes:

1. From the Splunk menu, click Settings > Roles.

   

2. On the Roles page, select the role to modify (for example, user).

   

   Note

   The next steps apply to Splunk 8 and higher versions.

3. On the Edit Role user page, click the Indexes tab.

   

4. Scroll down the list of indexes until the cm entry is displayed.

   

5. Select the Default check box to add the index to default searches.

6. Click Save.

Configure the Syslog Server on CipherTrust Manager

Configure the CipherTrust Manager to send Syslog data to the Splunk server on the port specified earlier (for example, UDP/5514 or TCP/6514).

1. Log on to the CipherTrust Manager GUI.

2. Click Admin Settings > Syslog > Add Syslog Server.

   

3. Enter the Syslog server details.

   

4. Click Add Syslog Server.