Nathan Leach edited this page Nov 15, 2021 · 10 revisions

Forwarding Data to Splunk

The Splunk Universal Forwarder can be used to send data to Splunk Enterprise or Splunk Cloud. Please refer to the Splunk website for information about installing and configuring the Universal Forwarder.

Configuring the Universal Forwarder

Assuming an installed forwarder is able to connect to the desired Splunk instance, create the inputs.conf file at the appropriate location (e.g. \etc\apps\splunkclouduf\default\inputs.conf). In the inputs.conf file, create monitoring stanzas appropriate for each type of record. An example of inputs.conf:
[monitor://{path to logs}\CxAnalytixService...]
sourcetype=service

[monitor://{path to logs}\sast_scan_summary...]
sourcetype=sast_scan_summary

[monitor://{path to logs}\sast_scan_detail...]
sourcetype=sast_scan_detail

[monitor://{path to logs}\sast_project_info...]
sourcetype=sast_project_info

[monitor://{path to logs}\sast_policy_violations...]
sourcetype=sast_policy_violation

[monitor://{path to logs}\sca_scan_summary...]
sourcetype=sca_scan_summary

[monitor://{path to logs}\sca_scan_detail...]
sourcetype=sca_scan_detail

[monitor://{path to logs}\CxActivity_dbo_AuditTrail...]
sourcetype=cxactivity_audittrail

[monitor://{path to logs}\CxActivity_dbo_Audit_Scans...]
sourcetype=cxactivity_auditscans

[monitor://{path to logs}\CxActivity_dbo_Audit_Reports...]
sourcetype=cxactivity_auditreports

[monitor://{path to logs}\CxActivity_dbo_Audit_Queries...]
sourcetype=cxactivity_auditqueries

[monitor://{path to logs}\CxActivity_dbo_Audit_Projects...]
sourcetype=cxactivity_auditprojects

[monitor://{path to logs}\CxActivity_dbo_Audit_Presets...]
sourcetype=cxactivity_auditpresets

[monitor://{path to logs}\CxActivity_dbo_Audit_DataRetention...]
sourcetype=cxactivity_auditdataretention
Configuring the Source Types on the Server

The source types on the Splunk server need to be configured to parse JSON correctly. This can be done using props.conf (only available in Splunk Enterprise) or through the Splunk UI. A source type should be created that matches each record output source type defined in inputs.conf.

The following configuration options need to be added to each sourcetype:

LINE_BREAKER=([\r\n]+)
KV_MODE=json
TRUNCATE=0
SHOULD_LINEMERGE=false

Extracting Timestamps

The source data contains timestamp fields that can be used as the timestamp Splunk assigns when indexing the data. Without specifying how to extract the timestamp from each source type, Splunk defaults to the time at which the data was indexed. This may be acceptable for freshly produced data, but historical records indexed later will carry the index time, so searches will also return historical data that actually lies outside the selected search time frame.

For the SAST Scan Summary, SAST Scan Detail, SCA Scan Summary, and SCA Scan Detail source types, this configuration option should be added:

TIME_PREFIX=^.*ScanFinished".+?"

For the SAST Project Info source type, this configuration option should be added:

TIME_PREFIX=^.*LastCrawlDate".+?"

For the SAST Policy Violation source type, this configuration option should be added:

TIME_PREFIX=^.*ViolationOccurredDate".+?"

For the Audit Trail source type, this configuration option should be added:

TIME_PREFIX=^.*EndTime".+?"

For the Audit_Scans, Audit_Reports, Audit_Queries, Audit_Projects, Audit_Presets and Audit_DataRetention source types, this configuration option should be added:

TIME_PREFIX=^.*TimeStamp".+?"
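As an added example (not part of this page or of the CxAnalytix project), the following Python check applies the TIME_PREFIX patterns above to constructed single-line JSON records and reports which timestamp Splunk would pick up, or None where it would fall back to index time. The record layout, field values and ISO 8601 timestamp format are assumptions; verify against your own log output before deploying the props.conf settings.

```python
import re
from datetime import datetime
from typing import Optional

# TIME_PREFIX values from this page, keyed by the sourcetype names used in inputs.conf.
TIME_PREFIX = {
    "sast_scan_summary": r'^.*ScanFinished".+?"',
    "sast_scan_detail": r'^.*ScanFinished".+?"',
    "sca_scan_summary": r'^.*ScanFinished".+?"',
    "sca_scan_detail": r'^.*ScanFinished".+?"',
    "sast_project_info": r'^.*LastCrawlDate".+?"',
    "sast_policy_violation": r'^.*ViolationOccurredDate".+?"',
    "cxactivity_audittrail": r'^.*EndTime".+?"',
    "cxactivity_auditscans": r'^.*TimeStamp".+?"',
}


def locate_timestamp(sourcetype: str, line: str) -> Optional[datetime]:
    """Emulate Splunk's TIME_PREFIX handling for one single-line JSON record.

    Splunk matches TIME_PREFIX against the event and parses a timestamp from the
    text immediately after the match.  The timestamp is assumed here to be an
    ISO 8601 string read up to its closing quote (assumption: the page does not
    show the record format).  Returns None when the prefix does not match, which
    is the case in which Splunk would fall back to the index time.
    """
    prefix = TIME_PREFIX.get(sourcetype)
    if prefix is None:
        return None
    m = re.match(prefix, line)
    if m is None:
        return None
    rest = line[m.end():]          # text right after the opening quote of the value
    end = rest.find('"')
    if end <= 0:
        return None
    try:
        return datetime.fromisoformat(rest[:end])
    except ValueError:
        return None


# Constructed sample records (not real CxAnalytix output).
SAMPLE_SUMMARY = ('{"ProjectName": "demo", "ScanStarted": "2021-11-15T09:58:02+00:00", '
                  '"ScanFinished": "2021-11-15T10:22:31+00:00", "Status": "Finished"}')
SAMPLE_AUDIT = '{"TimeStamp": "2021-11-14T23:05:00+00:00", "ScanId": 42, "Action": "Start"}'
SAMPLE_NO_FIELD = '{"ProjectName": "demo", "Status": "Finished"}'
```

Records for which the check returns None would be indexed with the index time, so an empty result here is the symptom of the search-window problem described above.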