Integrating CTE Logging with Splunk
The Thales Security Intelligence app for Splunk is created and published to the Splunkbase repository. This app provides a number of security intelligence reports and enables search operations that can be used to extract information from the log streams produced by CTE agents and the CipherTrust Manager.
Read the subsequent sections for instructions to integrate the CTE audit logging with Splunk.
Prerequisites
Before proceeding, ensure that:
CipherTrust Manager is up and running.
CTE clients are registered with the CipherTrust Manager.
You have a valid account on Splunkbase.
Integration Steps
To integrate CTE audit logs with Splunk:
After successful integration, the CTE agent logs will be forwarded to the configured Splunk server over the configured protocol.
Install Splunk
First of all, install the supported Splunk version on a target system. This release supports Splunk 7 and 8. Refer to the Splunk Installation Manual for details.
After you have installed Splunk successfully, install the Thales Security Intelligence app. Refer to Install Thales Security Intelligence App for details.
Install Thales Security Intelligence App
To install the Thales Security Intelligence app:
Log on to your Splunkbase account.
Search for the Thales Security Intelligence app.
Install the app.
Refer to the Splunk documentation for details.
The next step is to configure the CipherTrust Manager to forward CTE audit log messages to Splunk. Refer to Configure CipherTrust Manager to Forward Messages to Splunk for details.
Configure CipherTrust Manager to Forward Messages to Splunk
To configure the CipherTrust Manager for forwarding audit log messages to Splunk:
These steps are described below.
Create Certificates for TLS Communication
This step is required if you want to establish secure communication between the Splunk server and the CipherTrust Manager over the TLS protocol. For TCP and UDP protocols, this step is not required.
Create the CA certificate, client certificate, and a private key. These are required when configuring Syslog over TLS on the CipherTrust Manager. A server certificate is also required that you need to upload to the Splunk server.
The following steps provide examples to create the required certificates and the private key using OpenSSL.
On the Linux shell:
Set the subject of the certificate.
SUBJ='/C=US/ST=Ca/L=SanJose/O=Testing/OU=QA/CN=Test'
Set the password.
PW='pass:password'
This password will be added to the
password
field of theinputs.conf
file.Generate a self-signed CA using OpenSSL.
openssl req -subj $SUBJ -new -days 365 -out ca.pem -passout $PW -batch -x509
The generated
ca.pem
file is the CA certificate. This certificate is stored at the current directory.Generate the server certificate and sign it using the CA certificate created in step 3. Run the following commands:
openssl genrsa -out server.key 2048 openssl req -key server.key -new -out server.req -batch echo 00 > file.srl openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.pem -passin $PW
The generated
server.pem
file is the server certificate. This certificate will be uploaded to the Splunk server (refer to Configure Splunk Server).Generate the client certificate and sign it using the CA certificate created in step 3. Run the following commands:
openssl genrsa -out client.key 2048 openssl req -subj $SUBJ -key client.key -new -out client.req -days 365 -passout $PW -batch openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out client.pem -passin $PW
The generated
client.pem
file is the client certificate. This certificate and the generatedclient.key
file will be uploaded to the CipherTrust Manager.
Enable Syslog on CipherTrust Manager
To enable Syslog on the CipherTrust Manager:
Open the Transparent Encryption application.
In the left pane, click Profiles.
Under Name, click the profile linked to your CTE client. The edit view of the profile is displayed.
Expand CLIENT LOGGING CONFIGURATION.
Select Syslog Enabled.
Click Apply.
The Syslog setting is now enabled on the CipherTrust Manager. Next, you need to configure the Syslog settings on the CipherTrust Manager.
Configure Syslog on CipherTrust Manager
To configure Syslog on the CipherTrust Manager:
Expand CLIENT SYSLOG CONFIGURATION.
Specify the Hostname or IP address of the Splunk server.
Enter the Port of the Splunk server.
Ensure the Message Format is RFC5424.
Select the Protocol. This protocol acts as the transport protocol for the Syslog connection.
TLS is the preferred communication protocol.
(Applicable to the TLS protocol) Specify the certificates and key created in Create Certificates for TLS Communication:
CA Certificate: Click Browse to select the CA certificate, for example,
ca.pem
.Certificate: Click Browse to select the signed client certificate, for example,
client.pem
.Private Key: Click Browse to select the private key, for example,
client.key
.
Click Apply.
The Syslog server settings are configured on the CipherTrust Manager. Finally, you need to configure the Splunk server, as described below.
Configure Splunk Server
To configure the Splunk server:
Log on to your Splunk server.
Open the
inputs.conf
file in any text editor. The file is located at:Windows:
C:\Program Files\Splunk\etc\system\local\inputs.conf
Linux:
/opt/splunk/etc/system/local/inputs.conf
Add the following content to the file:
[default] host = <Splunk Server IP Address> [tcp-ssl:<Splunk server port>] listenOnIPv6 = yes acceptFrom = * sourcetype = rfc5424_syslog [tcp:514] listenOnIPv6 = yes acceptFrom = * sourcetype = rfc5424_syslog [SSL] password = password requireClientCert = false serverCert = <location for the server certificate (a .pem file)>
For example, location for the server certificate is:
Windows:
C:\Program Files\Splunk\certs\server.pem
Linux:
/opt/splunk/certs/server.pem
Here,
server.pem
is a sample name for the server certificate. Replace it with the name of your server certificate.Refer to the Splunk Admin Manual for possible settings you can use to configure inputs in the
inputs.conf
file.Copy the server certificate (for example,
server.pem
) to theserverCert
location on the Splunk server. This is the same location you specified in theinputs.conf
file above.Restart the Splunk service. Refer to the Splunk Admin Manual for details.
The communication between the Splunk server and the CipherTrust Transparent Encryption Service has been established.
Now, the CTE audit logs are visible on the app dashboards. Refer to the documentation on the Main tab of the Thales Security Intelligence app on the Splunk server on using "drill down" in reports, VSI Data Model and Pivot, searches, and Thales Data Security Message Catalog.