Integrating CTE Logging with Splunk
Thales publishes the Thales Security Intelligence app for Splunk on Splunkbase. The app provides a set of security intelligence reports and searches that extract information from the log streams produced by CTE agents and the CipherTrust Manager.
Read the subsequent sections for instructions to integrate the CTE audit logging with Splunk.
Before proceeding, ensure that:
CipherTrust Manager is up and running.
CTE clients are registered with the CipherTrust Manager.
You have a valid account on Splunkbase.
To integrate CTE audit logs with Splunk:
First, install a supported Splunk version on a target system. This release supports Splunk 7 and 8. Refer to the Splunk Installation Manual for details.
After you have installed Splunk successfully, install the Thales Security Intelligence app. Refer to Install Thales Security Intelligence App for details.
After successful integration, the CTE agent logs are forwarded to the configured Splunk server over the configured protocol.
Install Thales Security Intelligence App
To install the Thales Security Intelligence app:
Log on to your Splunkbase account.
Search for the Thales Security Intelligence app.
Install the app.
Refer to the Splunk documentation for details.
The next step is to configure the CipherTrust Manager to forward CTE audit log messages to Splunk. Refer to Configure CipherTrust Manager to Forward Messages to Splunk for details.
Configure CipherTrust Manager to Forward Messages to Splunk
To configure the CipherTrust Manager for forwarding audit log messages to Splunk, you create the certificates for TLS communication (only if the TLS protocol is used), enable Syslog in the CTE client profile, configure the Syslog settings, and finally configure the Splunk server. These steps are described below.
Create Certificates for TLS Communication
This step is required if you want to establish secure communication between the Splunk server and the CipherTrust Manager over the TLS protocol. For the TCP and UDP protocols, this step is not required, but note that both send the audit records in cleartext.
Create the CA certificate, client certificate, and a private key. These are required when configuring Syslog over TLS on the CipherTrust Manager. A server certificate is also required that you need to upload to the Splunk server.
The following steps provide examples to create the required certificates and the private key using OpenSSL.
On the Linux shell:
Set the subject of the certificate in a shell variable (SUBJ in the commands below).
Set the password in a shell variable (PW below), in the pass:<password> form that OpenSSL expects for -passout and -passin. In the commands that follow, this password protects the CA private key. It is also the value entered in the password field of the [SSL] stanza of the Splunk inputs.conf file (see Configure Splunk Server); Splunk uses that setting for the private key inside the server certificate PEM file, so it only matters if that key is encrypted (the server.key generated below is not).
Generate a self-signed CA using OpenSSL:
openssl req -subj "$SUBJ" -new -days 365 -out ca.pem -passout "$PW" -batch -x509
The ca.pem file is the CA certificate; it is written to the current directory. Because no -keyout option is given, the CA private key is written to privkey.pem (the OpenSSL default), encrypted with the password. That file is what -CAkey refers to in the signing commands below.
Generate the server certificate and sign it with the CA created above. Run the following commands:
openssl genrsa -out server.key 2048
openssl req -key server.key -new -out server.req -batch
echo 00 > file.srl
openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -days 365 -out server.pem -passin "$PW"
The server.pem file is the server certificate. It will be uploaded to the Splunk server (refer to Configure Splunk Server). Two points to check: openssl x509 -req issues a certificate valid for only 30 days unless -days is given, so it is included above; and the request is created with -batch and no -subj, which takes the subject fields from the OpenSSL configuration defaults, so add a -subj whose CN is the Splunk server's host name and which differs from the CA subject.
Generate the client certificate and sign it with the CA created above. Run the following commands:
openssl genrsa -out client.key 2048
openssl req -subj "$SUBJ" -key client.key -new -out client.req -batch
openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -days 365 -out client.pem -passin "$PW"
The client.pem file is the client certificate. This certificate and the generated client.key file will be uploaded to the CipherTrust Manager. The -days and -passout options on the request command have no effect here (the key already exists and no self-signed certificate is produced), so they are omitted above; the validity period is set on the signing command. Give the client certificate a subject that differs from the CA's: OpenSSL treats a certificate whose subject equals its issuer and that carries no authority key identifier as self-signed, and such a client certificate fails chain verification.
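The certificate procedure above as one complete script. This is an added example, not Thales' commands: it builds the CA, the Splunk server certificate and the CipherTrust Manager client certificate, gives the server certificate a subjectAltName for the Splunk host so the name can be verified, assembles the single PEM (certificate followed by key) that Splunk's serverCert setting expects, and verifies both leaf certificates against the CA before anything is uploaded. The host name splunk.example.com, the password changeme, the subject names and the directory name are placeholders.

```shell
#!/bin/sh
# Added example (not Thales' commands): build and check the three
# certificates the procedure above calls for. Placeholder values to replace:
# the Splunk host name (splunk.example.com) and the CA key password.
set -eu

# make_cte_syslog_certs DIR SPLUNK_HOST CA_KEY_PASSWORD
# Writes ca.pem/ca.key, server.pem/server.key, client.pem/client.key and
# splunk-server.pem (server certificate followed by its key) into DIR.
make_cte_syslog_certs() {
    dir=$1; host=$2; pw=$3
    mkdir -p "$dir"

    # 1. Self-signed CA. -newkey generates the key; -passout encrypts it.
    openssl req -x509 -new -newkey rsa:2048 -sha256 -days 365 -batch \
        -subj "/O=Example Corp/CN=CTE Syslog CA" \
        -keyout "$dir/ca.key" -passout "pass:$pw" -out "$dir/ca.pem"

    # 2. Server certificate for the Splunk TLS listener. CN and a
    #    subjectAltName carry the Splunk host name so a client can verify it;
    #    extendedKeyUsage marks it as a TLS server certificate. -days is
    #    explicit because "openssl x509 -req" defaults to 30 days.
    openssl genrsa -out "$dir/server.key" 2048
    openssl req -new -batch -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.csr"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$dir/server.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -passin "pass:$pw" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.pem"

    # 3. Client certificate for the CipherTrust Manager. Its subject must
    #    differ from the CA's, or OpenSSL treats it as self-signed.
    openssl genrsa -out "$dir/client.key" 2048
    openssl req -new -batch -key "$dir/client.key" \
        -subj "/CN=CipherTrust Manager syslog client" -out "$dir/client.csr"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -passin "pass:$pw" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/client.pem"

    # 4. Splunk's serverCert names one PEM holding the certificate and, after
    #    it, the private key (inputs.conf has no separate key setting).
    cat "$dir/server.pem" "$dir/server.key" > "$dir/splunk-server.pem"
    chmod 600 "$dir/ca.key" "$dir/server.key" "$dir/client.key" "$dir/splunk-server.pem"
}

# verify_cte_syslog_certs DIR: succeeds only if both leaf certificates chain
# to ca.pem and the server certificate is marked for TLS server use.
verify_cte_syslog_certs() {
    dir=$1
    openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem" "$dir/client.pem" &&
    openssl x509 -in "$dir/server.pem" -noout -text |
        grep -q 'TLS Web Server Authentication'
}

# Run as: sh cte-certs.sh build [DIR] [SPLUNK_HOST] [CA_KEY_PASSWORD]
if [ "${1:-}" = "build" ]; then
    make_cte_syslog_certs "${2:-./cte-syslog-certs}" "${3:-splunk.example.com}" "${4:-changeme}"
    verify_cte_syslog_certs "${2:-./cte-syslog-certs}"
fi
```

Upload ca.pem, client.pem and client.key to the CipherTrust Manager and copy splunk-server.pem to the serverCert location on the Splunk server; ca.key never leaves the machine it was generated on.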
Enable Syslog on CipherTrust Manager
To enable Syslog on the CipherTrust Manager:
Open the Transparent Encryption application.
In the left pane, click Profiles.
Under Name, click the profile linked to your CTE client. The edit view of the profile is displayed.
Expand CLIENT LOGGING CONFIGURATION.
Select Syslog Enabled.
The Syslog setting is now enabled on the CipherTrust Manager. Next, you need to configure the Syslog settings on the CipherTrust Manager.
Configure Syslog on CipherTrust Manager
To configure Syslog on the CipherTrust Manager:
Expand CLIENT SYSLOG CONFIGURATION.
Specify the Hostname or IP address of the Splunk server. With TLS, use the name the server certificate was issued for.
Enter the Port of the Splunk server. This is the port of the [tcp-ssl:<port>] stanza (TLS) or [tcp:<port>] stanza (TCP) configured in the Splunk inputs.conf file (see Configure Splunk Server).
Ensure the Message Format is RFC5424.
Select the Protocol. This protocol acts as the transport protocol for the Syslog connection.
TLS is the preferred protocol: TCP and UDP send the audit records in cleartext, and UDP additionally gives no delivery guarantee, so records can be lost without notice.
(Applicable to the TLS protocol) Specify the certificates and key created in Create Certificates for TLS Communication:
CA Certificate: Click Browse to select the CA certificate, for example, ca.pem.
Certificate: Click Browse to select the signed client certificate, for example, client.pem.
Private Key: Click Browse to select the private key, for example, client.key.
The Syslog server settings are configured on the CipherTrust Manager. Finally, you need to configure the Splunk server, as described below.
Configure Splunk Server
To configure the Splunk server:
Log on to your Splunk server.
Open the inputs.conf file in any text editor. The file is located at:
Add the following content to the file:
[default]
host = <Splunk Server IP Address>

[tcp-ssl:<Splunk server port>]
listenOnIPv6 = yes
acceptFrom = *
sourcetype = rfc5424_syslog

[tcp:514]
listenOnIPv6 = yes
acceptFrom = *
sourcetype = rfc5424_syslog

[SSL]
password = password
requireClientCert = false
serverCert = <location for the server certificate (a .pem file)>

The [tcp-ssl:<port>] stanza is the TLS listener; its port is the one entered as the Port in the CipherTrust Manager Syslog settings. The [tcp:514] stanza is a cleartext listener and is needed only if you selected TCP as the protocol; leave it out when using TLS. As shown, acceptFrom = * accepts connections from any address, and requireClientCert = false means Splunk never verifies the client certificate uploaded to the CipherTrust Manager, so the TLS listener authenticates nobody. For production, set acceptFrom to the CipherTrust Manager address and requireClientCert = true (which requires the CA certificate to be configured as a trusted root CA in Splunk). The password setting is the passphrase of the private key inside the serverCert PEM file: replace the sample value, or omit the setting if that key is not encrypted.
For example, the location for the server certificate is:
server.pem is a sample name for the server certificate. Replace it with the name of your server certificate. Note that inputs.conf has no separate private-key setting for this listener: the PEM file named in serverCert must contain the server certificate followed by its private key (for example, the output of cat server.pem server.key).
Refer to the Splunk Admin Manual for the settings you can use to configure inputs in the inputs.conf file.
Copy the server certificate PEM file (for example, server.pem) to the serverCert location on the Splunk server. This is the same location you specified in the inputs.conf file. Because the file contains the private key, restrict its permissions so that only the Splunk service account can read it.
Restart the Splunk service. Refer to the Splunk Admin Manual for details.
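As an added example that is not part of the Thales or Splunk documentation: a shell helper that audits an inputs.conf like the one above for the settings that weaken the listener (acceptFrom = *, requireClientCert = false, the cleartext [tcp:514] listener and the sample password), prints a hardened TLS-only stanza pair, installs the combined server PEM with owner-only permissions, and opens a test TLS session the way the CipherTrust Manager will. The port 6514, the CipherTrust Manager address 192.0.2.10 and the path /opt/splunk/etc/auth/cte/splunk-server.pem are assumed values. The setting names are those of the inputs.conf [SSL] stanza used above plus sslVersions, which that stanza also accepts; requireClientCert = true additionally needs the CA certificate configured as a trusted root CA in Splunk (sslRootCAPath in server.conf), which this script does not do.

```shell
#!/bin/sh
# Added example, not part of the Thales or Splunk documentation. Assumed
# values: listener port 6514, CipherTrust Manager address 192.0.2.10 and the
# PEM path /opt/splunk/etc/auth/cte/splunk-server.pem.
set -eu

# audit_cte_syslog_inputs FILE
# Prints one line per weak setting found in an inputs.conf and returns 1 if
# any were found, 0 if the file is clean.
audit_cte_syslog_inputs() {
    f=$1; findings=0
    # acceptFrom = * lets any host push syslog records into the index.
    if grep -Eq '^[[:space:]]*acceptFrom[[:space:]]*=[[:space:]]*\*' "$f"; then
        echo "acceptFrom = * : listener accepts connections from any address"; findings=1
    fi
    # Without requireClientCert the client certificate uploaded to the
    # CipherTrust Manager is never checked, so anyone can reach the TLS port.
    if grep -Eiq '^[[:space:]]*requireClientCert[[:space:]]*=[[:space:]]*(false|0)' "$f"; then
        echo "requireClientCert = false : client certificate is not verified"; findings=1
    fi
    # A [tcp:<port>] stanza is a cleartext listener for the same audit records.
    if grep -Eq '^\[tcp:[0-9]+\]' "$f"; then
        echo "[tcp:<port>] : cleartext syslog listener enabled next to TLS"; findings=1
    fi
    # The sample value from the documentation left in place.
    if grep -Eq '^[[:space:]]*password[[:space:]]*=[[:space:]]*password[[:space:]]*$' "$f"; then
        echo "password = password : sample key password left in place"; findings=1
    fi
    return $findings
}

# hardened_cte_syslog_inputs PORT CM_ADDR SERVER_PEM
# Prints a TLS-only stanza pair: one allowed source, mutual TLS, TLS 1.2 only.
# requireClientCert = true also needs the CA that signed the client
# certificate configured as a trusted root CA in Splunk (server.conf,
# sslRootCAPath); that is outside this script.
hardened_cte_syslog_inputs() {
    port=$1; cm=$2; pem=$3
    cat <<EOF
[tcp-ssl:$port]
listenOnIPv6 = yes
acceptFrom = $cm
sourcetype = rfc5424_syslog

[SSL]
serverCert = $pem
requireClientCert = true
sslVersions = tls1.2
# password = <passphrase of the key in serverCert>   (only if that key is encrypted)
EOF
}

# install_cte_server_pem SRC DEST
# Copies the combined certificate+key PEM to the serverCert location with
# owner-only permissions; refuses a file that lacks either part. Run it as
# the Splunk service account (or chown the result to it afterwards).
install_cte_server_pem() {
    src=$1; dest=$2
    if ! grep -q 'BEGIN CERTIFICATE' "$src" || ! grep -q 'PRIVATE KEY' "$src"; then
        echo "$src must contain the server certificate followed by its private key" >&2
        return 1
    fi
    mkdir -p "$(dirname "$dest")"
    cp "$src" "$dest"
    chmod 600 "$dest"
}

# cte_syslog_tls_check SPLUNK_HOST PORT CA_PEM CLIENT_PEM CLIENT_KEY
# Connects the way the CipherTrust Manager will: verifies the server
# certificate against the CA and the host name, presents the client
# certificate, and sends one constructed RFC 5424 record. Fails on any
# verification error; search Splunk for "CTE syslog TLS check" afterwards.
cte_syslog_tls_check() {
    printf '<134>1 2024-01-01T00:00:00Z cte-check cte-test - - - CTE syslog TLS check\n' |
    openssl s_client -connect "$1:$2" -verify_hostname "$1" -CAfile "$3" \
        -cert "$4" -key "$5" -verify_return_error -quiet -no_ign_eof
}
```

Typical use: run audit_cte_syslog_inputs on the current inputs.conf, replace the weak stanzas with the output of hardened_cte_syslog_inputs 6514 192.0.2.10 /opt/splunk/etc/auth/cte/splunk-server.pem, install the PEM, restart Splunk, and then run cte_syslog_tls_check from a host that holds ca.pem, client.pem and client.key before pointing the CipherTrust Manager at the listener.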
The communication between the Splunk server and the CipherTrust Manager has been established.
Now, the CTE audit logs are visible on the app dashboards. Refer to the documentation on the Main tab of the Thales Security Intelligence app on the Splunk server on using "drill down" in reports, VSI Data Model and Pivot, searches, and Thales Data Security Message Catalog.