Venafi Trust Protection Platform 20.1 and above
Setup of Splunk channel after depreciation of the old Splunk channel driver in Venafi Trust Protection Platform (TPP).
After 20.1 TPP no longer supports the old Splunk Channel driver:
TPP now supports using the Syslog driver to send Venafi Event (logging) data to Splunk. With this we have added the JSON format to make browsing through the events easier and more human readable.
However, after this addition it has been found that a default configuration of Splunk will tend to clump up events based on the time that Splunk receives the events from Venafi.
Splunk has many ways to configure source data this is just a basic way to setup Splunk parse the event data properly.
NOTE: Before proceeding, the below is required
- Logging in user must have required Splunk permissions
- Splunk may be using a Generic Source type so creating a new one will be necessary just for Venafi.
- Notification Rule(s) must be created in TPP Logging Tree to send specified events to Splunk.
- In order to send all events, create a notification rule to send Event IDs between 0 and 429496729 to the Splunk Syslog Channel.
Here are the setup steps in Splunk
First Setup new Source Type
- Setup a new Source Type. Login and click settings and Source Types. (in my example I am cloning the default and building one for Venafi based off the existing _json source type)
- Clone the existing _json Source Type.
- Give the new Source Type a name, I named it _json_venafi to keep it simple and descriptive. Scroll down for the change that I made to stop the clumping of events on input timestamp.
- Click the Advanced tab and fill the Timestamp fields value with "time_stamp" and click save.
Second Modify the Data Input for the UDP stream that is accepting the syslog from Venafi and point it to the new Source Type
- Click settings and then click Data Inputs.
- Click on UDP type of Data Inputs to get the list of UDP Inputs.
- Click on the Data Input that Venafi is currently using.
- Change the Source Type name to the one we created in the first part of this guide.
The output is different from the previous syslog driver. Instead, you will see a json formatted text.
Splunk Syslog output without these changes causes clumping on timestamps when the events were received by Splunk
What you should now see after the change for all events from Venafi in Splunk
To see additional values the "+" can be clicked to expand the data.