VIRSEC APP CONFIGURATION IN SPLUNK
Follow the below steps to install Virsec App in Splunk
-
Virsec App is added to the Splunk App Store. Download the file virsec-security-platform-threat-dashboard_100.tgz from the URL: https://splunkbase.splunk.com/app/4143/
-
Click Find More Apps
-
Navigate to Apps > Manage Apps
-
Click Install App from File
-
Upload the file virsec-security-platform-threat-dashboard_100.tgz from the local system. Click Upload
-
Click Restart Now to restart the splunk server
-
Click OK on the confirmation pop-up message
-
Click OK to display the login page
-
Log in to Splunk again with valid credentials
-
Navigate to Apps > Splunk for Virsec
-
The below page is displayed
-
From VSP 2.9 onwards, Splunk can be configured with SSL being enabled or disabled
-
Follow the below steps to enable or disable SSL on the Splunk server:
-
Navigate to Settings > Data Inputs. Click HTTP Event Collector
-
Click Global Settings
-
Enable or disable the checkbox Enable SSL as required
-
-
If a switch from HTTPs to HTTP is required:
-
Disable the checkbox of Enable SSL on the Splunk server
-
Delete the Splunk configuration from Administration > Configurations in CMS
-
Add the below property in the file: /opt/virsec/cms/z-server/config/application.properties in the siem-splunk-service container:
siem.splunk.config.event.collector.disable.certificate=true
-
Restart the siem-splunk-service using the docker command:
restart siem-splunk-service
-
Reconfigure the Splunk information in CMS under Administration > Configurations
-
-
During upgrade from lower versions to VSP 2.9 or Above, follow the below steps:
-
Enable the checkbox of Enable SSL on the Splunk server
-
Delete the Splunk configuration from Administration > Configurations in CMS
-
Reconfigure the Splunk information in CMS
-