Integrating CTE Logging with Splunk

The Thales Security Intelligence app for Splunk is published on the Splunkbase repository. It provides a number of security intelligence reports and search operations that extract information from the log streams produced by CTE agents and the CipherTrust Manager.

Read the subsequent sections for instructions to integrate the CTE audit logging with Splunk.

Prerequisites

Before proceeding, ensure that:

  • CipherTrust Manager is up and running.

  • CTE clients are registered with the CipherTrust Manager.

  • You have a valid account on Splunkbase.

Integration Steps

To integrate CTE audit logs with Splunk:

  1. Install Splunk

  2. Install Thales Security Intelligence App

  3. Configure CipherTrust Manager to Forward Messages to Splunk

  4. Configure Splunk Server

After successful integration, the CTE agent logs will be forwarded to the configured Splunk server over the configured protocol.

Install Splunk

Install a supported Splunk version on the target system. This release supports Splunk 7 and 8. Refer to the Splunk Installation Manual for details.

After you have installed Splunk successfully, install the Thales Security Intelligence app. Refer to Install Thales Security Intelligence App for details.

Install Thales Security Intelligence App

To install the Thales Security Intelligence app:

  1. Log on to your Splunkbase account.

  2. Search for the Thales Security Intelligence app.

  3. Install the app.

Refer to the Splunk documentation for details.

The next step is to configure the CipherTrust Manager to forward CTE audit log messages to Splunk. Refer to Configure CipherTrust Manager to Forward Messages to Splunk for details.

Configure CipherTrust Manager to Forward Messages to Splunk

To configure the CipherTrust Manager for forwarding audit log messages to Splunk:

  1. Create Certificates for TLS Communication

  2. Enable Syslog on CipherTrust Manager

  3. Configure Syslog on CipherTrust Manager

These steps are described below.

Create Certificates for TLS Communication

This step is required only if you want to establish secure communication between the Splunk server and the CipherTrust Manager over the TLS protocol. For the TCP and UDP protocols, this step is not required, but audit records then cross the network in cleartext and the Splunk listener cannot authenticate the sender, so use TLS wherever possible.

Create the CA certificate, the client certificate, and the client private key. These are uploaded to the CipherTrust Manager when configuring Syslog over TLS. A server certificate and its private key, signed by the same CA, are also required; these are installed on the Splunk server.

The following steps provide examples to create the required certificates and the private key using OpenSSL.

On the Linux shell:

  1. Set the subject names. Give the CA a subject (in particular a CN) that differs from the subjects of the server and client certificates: if a leaf certificate carries the same subject as its issuer, OpenSSL treats it as self-signed and chain validation fails.

    
    CA_SUBJ='/C=US/ST=Ca/L=SanJose/O=Testing/OU=QA/CN=Test CA'
    SERVER_SUBJ='/C=US/ST=Ca/L=SanJose/O=Testing/OU=QA/CN=<Splunk server hostname>'
    CLIENT_SUBJ='/C=US/ST=Ca/L=SanJose/O=Testing/OU=QA/CN=CipherTrust Manager'
    

    Use the Splunk server's hostname as the server CN so that the certificate matches the Hostname you enter on the CipherTrust Manager.

  2. Set the password.

    
    PW='pass:password'
    

    This password protects the CA private key and the Splunk server private key. It is the value you will enter in the password field of the [SSL] stanza of the inputs.conf file (refer to Configure Splunk Server). Use a strong value instead of password in production.

  3. Generate a self-signed CA using OpenSSL.

    
    openssl req -subj "$CA_SUBJ" -new -days 365 -out ca.pem -keyout ca.key -passout $PW -batch -x509
    

    The generated ca.pem file is the CA certificate and ca.key is the CA private key, encrypted with the password from step 2. Both are written to the current directory. Keep ca.key offline; it is only needed to sign the certificates below.

  4. Generate the server certificate and sign it using the CA certificate created in step 3. Run the following commands:

    
    openssl genrsa -aes256 -passout $PW -out server.key 2048
    openssl req -subj "$SERVER_SUBJ" -key server.key -passin $PW -new -out server.req -batch
    echo 00 > file.srl
    openssl x509 -req -in server.req -CA ca.pem -CAkey ca.key -CAserial file.srl -days 365 -out server.pem -passin $PW
    cat server.pem server.key > server-bundle.pem
    

    The generated server.pem file is the server certificate and server.key is its private key, encrypted with the password from step 2. Splunk reads the server certificate and its private key from a single PEM file, so server-bundle.pem is the file you will copy to the Splunk server (refer to Configure Splunk Server). Without -days, openssl x509 issues certificates that expire after 30 days.

  5. Generate the client certificate and sign it using the CA certificate created in step 3. Run the following commands:

    
    openssl genrsa -out client.key 2048
    openssl req -subj "$CLIENT_SUBJ" -key client.key -new -out client.req -batch
    openssl x509 -req -in client.req -CA ca.pem -CAkey ca.key -CAserial file.srl -days 365 -out client.pem -passin $PW
    

    The generated client.pem file is the client certificate. This certificate, the generated client.key file, and ca.pem will be uploaded to the CipherTrust Manager.
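The procedure above, as an added example that is not part of the Thales documentation: a shell script that generates the whole certificate set in one go and then runs the checks a practitioner should make before uploading anything (chain validation, no self-issued leaf, Splunk bundle contains certificate and key, server key encrypted). The subject names, the directory layout, the bundle file name and the password are assumptions of this example; the Splunk server CN is passed as an argument.

```shell
#!/bin/sh
# Added example (not the page's own code): build and verify the syslog-over-TLS
# certificate set. Subjects, file names and the passphrase are illustrative.
set -eu

# make_syslog_tls_certs DIR PASSPHRASE SPLUNK_CN
# Creates a CA, a Splunk server certificate bundled with its encrypted key (Splunk's
# serverCert setting expects certificate and key in one PEM), and a CipherTrust
# Manager client certificate, all under DIR. PASSPHRASE is the value that goes into
# the password field of the [SSL] stanza in inputs.conf.
make_syslog_tls_certs() {
  dir=$1; pw="pass:$2"; splunk_cn=$3
  mkdir -p "$dir"
  (
    cd "$dir"
    # CA subject differs from the leaf subjects: a leaf whose subject equals its
    # issuer is treated as self-signed by OpenSSL and fails chain validation.
    openssl req -x509 -new -days 365 -batch -subj '/O=Testing/CN=Test Syslog CA' \
      -newkey rsa:2048 -keyout ca.key -out ca.pem -passout "$pw" 2>/dev/null
    echo 01 > file.srl
    # Splunk server certificate; CN = Hostname configured on CipherTrust Manager.
    openssl genrsa -aes256 -passout "$pw" -out server.key 2048 2>/dev/null
    openssl req -new -batch -subj "/O=Testing/CN=$splunk_cn" \
      -key server.key -passin "$pw" -out server.req 2>/dev/null
    openssl x509 -req -days 365 -in server.req -CA ca.pem -CAkey ca.key \
      -CAserial file.srl -passin "$pw" -out server.pem 2>/dev/null
    cat server.pem server.key > server-bundle.pem
    # CipherTrust Manager client certificate; its key stays unencrypted for upload.
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -new -batch -subj '/O=Testing/CN=CipherTrust Manager' \
      -key client.key -out client.req 2>/dev/null
    openssl x509 -req -days 365 -in client.req -CA ca.pem -CAkey ca.key \
      -CAserial file.srl -passin "$pw" -out client.pem 2>/dev/null
    chmod 600 ca.key server.key client.key server-bundle.pem
  )
}

# verify_syslog_tls_certs DIR
# Returns 0 only if every pre-deployment check passes.
verify_syslog_tls_certs() {
  dir=$1
  # 1. Both leaf certificates chain to the CA.
  openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem" "$dir/client.pem" >/dev/null 2>&1 || return 1
  # 2. Neither leaf is self-issued (subject == issuer breaks validation).
  for leaf in server client; do
    subj=$(openssl x509 -in "$dir/$leaf.pem" -noout -subject)
    iss=$(openssl x509 -in "$dir/$leaf.pem" -noout -issuer)
    [ "${subj#subject=}" != "${iss#issuer=}" ] || return 1
  done
  # 3. The Splunk bundle carries both the certificate and the private key.
  grep -q 'BEGIN CERTIFICATE' "$dir/server-bundle.pem" || return 1
  grep -q 'PRIVATE KEY' "$dir/server-bundle.pem" || return 1
  # 4. The server key is encrypted, so the inputs.conf password must match it.
  grep -q 'ENCRYPTED' "$dir/server.key" || return 1
  return 0
}

# cert_cn FILE: prints the CN of a certificate (RFC 2253 order puts CN first here),
# e.g. to confirm the server CN equals the Hostname entered on CipherTrust Manager.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}
```

After the Splunk listener is up, the same client material can be used to exercise the TLS handshake from the command line before involving the CipherTrust Manager: `openssl s_client -connect <Splunk host>:<port> -CAfile ca.pem -cert client.pem -key client.key`. A handshake that completes there but fails from the CipherTrust Manager points at the uploaded files or the protocol selection rather than at the certificates.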

Enable Syslog on CipherTrust Manager

To enable Syslog on the CipherTrust Manager:

  1. Open the Transparent Encryption application.

  2. In the left pane, click Profiles.

  3. Under Name, click the profile linked to your CTE client. The edit view of the profile is displayed.

  4. Expand CLIENT LOGGING CONFIGURATION.

  5. Select Syslog Enabled.

  6. Click Apply.

The Syslog setting is now enabled on the CipherTrust Manager. Next, you need to configure the Syslog settings on the CipherTrust Manager.

Configure Syslog on CipherTrust Manager

To configure Syslog on the CipherTrust Manager:

  1. Expand CLIENT SYSLOG CONFIGURATION.

  2. Specify the Hostname or IP address of the Splunk server.

  3. Enter the Port on which the Splunk server listens for syslog. This must match the port of the [tcp-ssl] or [tcp] stanza you define in the Splunk inputs.conf file (refer to Configure Splunk Server).

  4. Ensure the Message Format is RFC5424.

  5. Select the Protocol. This protocol acts as the transport protocol for the Syslog connection.

    TLS is the preferred communication protocol.

  6. (Applicable to the TLS protocol) Specify the certificates and key created in Create Certificates for TLS Communication:

    • CA Certificate: Click Browse to select the CA certificate, for example, ca.pem.

    • Certificate: Click Browse to select the signed client certificate, for example, client.pem.

    • Private Key: Click Browse to select the private key, for example, client.key.

  7. Click Apply.

The Syslog server settings are configured on the CipherTrust Manager. Finally, you need to configure the Splunk server, as described below.

Configure Splunk Server

To configure the Splunk server:

  1. Log on to your Splunk server.

  2. Open the inputs.conf file in any text editor. The file is located at:

    • Windows: C:\Program Files\Splunk\etc\system\local\inputs.conf

    • Linux: /opt/splunk/etc/system/local/inputs.conf

  3. Add the following content to the file:

    
    [default]
    host = <Splunk Server IP Address>
    
    [tcp-ssl:<Splunk server port>]
    listenOnIPv6 = yes
    acceptFrom = *
    sourcetype = rfc5424_syslog
    
    [tcp:514]
    listenOnIPv6 = yes
    acceptFrom = *
    sourcetype = rfc5424_syslog
    
    [SSL]
    password = password
    requireClientCert = false
    serverCert = <location for the server certificate (a .pem file)>
    

    The [tcp-ssl] stanza is the listener for the TLS protocol; its port must match the Port entered on the CipherTrust Manager. The [tcp:514] stanza is a plaintext listener for the TCP protocol; omit it if you use only TLS, because anything that reaches it is accepted unauthenticated. acceptFrom = * accepts connections from any source address; restrict it to the addresses of your senders. Under [SSL], password is the passphrase of the server private key, and requireClientCert = false means the sender's client certificate is not checked. Set it to true, and make Splunk trust ca.pem (sslRootCAPath in server.conf), if you want the listener to authenticate the sender.

    The file named in serverCert must contain both the server certificate and its private key, because Splunk reads the key from the same PEM file. For example, the location for this file is:

    • Windows: C:\Program Files\Splunk\certs\server.pem

    • Linux: /opt/splunk/certs/server.pem

    Here, server.pem is a sample name. Replace it with the name of your combined certificate and key file.

    Refer to the Splunk Admin Manual for possible settings you can use to configure inputs in the inputs.conf file.

  4. Copy the PEM file containing the server certificate and its private key (created in Create Certificates for TLS Communication) to the serverCert location on the Splunk server. This is the same location you specified in the inputs.conf file above.

  5. Restart the Splunk service. Refer to the Splunk Admin Manual for details.
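The inputs.conf above accepts connections from anywhere, keeps a plaintext listener open, and does not check the sender's certificate. The following is an added hardened variant for comparison, not configuration from the Thales documentation; it assumes the senders live in 10.0.0.0/24, that the TLS listener uses port 6514, that the combined certificate and key file is /opt/splunk/certs/server-bundle.pem, and that the client certificate uploaded to the CipherTrust Manager has CN=CipherTrust Manager (all of these are assumptions of this example and must be adjusted to your environment).

```ini
# inputs.conf (hardened variant; added example, not the page's own settings)
[default]
host = <Splunk Server IP Address>

# TLS listener only. There is deliberately no [tcp:514] stanza, so audit records
# cannot arrive unauthenticated or in cleartext.
[tcp-ssl:6514]
listenOnIPv6 = yes
# Only the assumed sender network may connect; everything else is dropped.
acceptFrom = 10.0.0.0/24
sourcetype = rfc5424_syslog

[SSL]
# Certificate and private key in one PEM file, as Splunk requires.
serverCert = /opt/splunk/certs/server-bundle.pem
# Passphrase of the private key inside server-bundle.pem.
password = password
# Mutual TLS: the sender must present a certificate signed by the trusted CA,
# and its CN must be the one issued to the CipherTrust Manager (assumed value).
requireClientCert = true
sslCommonNameToCheck = CipherTrust Manager

# server.conf: trust the CA that signed client.pem so requireClientCert can be
# evaluated. (Assumed path; ca.pem is the CA certificate created earlier.)
[sslConfig]
sslRootCAPath = /opt/splunk/certs/ca.pem
```

The [sslConfig] stanza belongs in server.conf, not inputs.conf; it is shown in the same block only to keep the related settings together. Restart Splunk after changing either file.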

The Splunk server now accepts syslog connections from the CipherTrust Manager over the configured protocol. To confirm that records are arriving, run a search such as sourcetype=rfc5424_syslog on the Splunk server and check that events from your CTE clients appear.

The CTE audit logs are then visible on the app dashboards. Refer to the documentation on the Main tab of the Thales Security Intelligence app on the Splunk server for using "drill down" in reports, the VSI Data Model and Pivot, searches, and the Thales Data Security Message Catalog.