How To: Setting up Splunk in Venafi

Applies to:

Up to version 19.4.x of the Venafi Trust Protection Platform(TPP)

Splunk Log Channel Driver has been deprecated in the Venafi Trust Protection Platform v20.1:
In 19.3, we made significant enhancements to our Syslog driver which we believe, based on feedback from customers and Splunk themselves, provides an overall better integration path that the Splunk driver which is delivering event data in a manner that is not common for enterprise applications.  Thus the Splunk driver has been removed from the Venafi Platform. After upgrading to Trust Protection Platform version 20.1, existing Splunk driver objects appear as a question mark. (?). They'll no longer function, but you'll have the ability to delete them.

Summary:

Venafi TPP has a Channel driver for sending logs to Splunk. Events are formatted using the Splunk Common Information Model to enable effective analysis and reporting within Splunk. This KB will walk you through the steps to setup this Splunk driver and give some examples of common problems.

More Information:

Prerequisite information needed:

1. Hostname or IP address of Splunk Server
2. The Management Port of the Splunk Server

NOTE: If the management port has been changed from the default 8089, enter the new port configured on the Splunk server for management access.

3. Account within Splunk with edit_tcp permission

Prerequisite configuration:

1. Create a credential for the Splunk account information.
2. Login to WebAdmin with an account with permission to create a new credential.
3. Select a policy from the policy tree, right-click and add a username credential.
4. Enter the Splunk account information and click the Save button.

Setting up the Splunk driver:

1. Login to the WebAdmin interface of Trust Protection Platform with a user that has permissions to create objects under the Logging tree.
2. Navigate to the Logging tree and add a new Splunk channel by right-clicking the Channels object and adding a Splunk channel.

 Enter the fields with the prerequisite information gathered including the newly created Splunk credential.

1. Enter a Name for the Splunk channel.
2. Enter the Host name or IP address of the Splunk server.
3. (Conditional) If the management Port on the Splunk server has been changed from the default, enter the port. The default is 8089.
4. Select the user Credential object that contains the credentials to authenticate to the Splunk server.
   
   NOTE: The account in Splunk that matches these credentials must have the edit_tcp permission. No other permissions should be required.
   
   
5. (Optional) Change the Source name. The default source is Venafi Trust Protection Platform. In Splunk, the source is used to identify the source of events.
6. (Optional) Set the Timeout value.
   
   This is the amount of time that Trust Protection Platform will attempt to submit an event if Splunk is not responding. If the timeout is exceeded, Trust Protection Platform will stop attempting to submit the event and will log an event in the local log indicating the failure and will attempt to reconnect on the next event destined for Splunk
   
   
7. (Optional) Set the Index.
   
   This can be set if a separate Splunk index is desired for Trust Protection Platform events.
   
   NOTE: If an index is not specified, an index called Venafi is created. However, if for some reason the index cannot be created, the index will fail to initialize. Enable the debug log to get more information.
   
   
8. (Optional) Set the driver to Verbose mode.
   
   

   This will include a verbose description of each event, in addition to the base event information. The following shows examples of an events with only base event data and with verbose data added.
   
   Base:
   
   Verbose:
   

9. When you're done, click Save.