Data Collection
Data collection can be accomplished in two ways:
-
Using the Splunk Add-on for Windows or the Splunk Add-on for Unix and Linux
-
Using the Delinea Add-on for Splunk
Using the Splunk Add-on for Windows or Splunk Add-on for Unix and Linux
If you are already using the Splunk Add-on for Windows and collecting Windows application logs on Indexers, you should already have the Splunk Forwarder and the Splunk Add-on for Windows installed on the Windows machine. Because Delinea logs are already part of the Windows application logs, you do not have to install anything else on the Splunk Forwarder. You should be able to see the Delinea data directly on the Indexers.
Similarly, you might already using the Splunk Add-on for Unix and Linux and sending specific UNIX and Linux logs to the Indexers. In this scenario, the Splunk Forwarder and the Splunk Add-on for Unix and Linux should be installed on the Unix machine. You can modify the inputs.conf file and add the Delinea-specific log directory and start forwarding that data to the Indexers.
Note that the data collection stanzas in the Delinea Add-on for Splunk remain disabled because they are not collecting data in this scenario. The expectation is that the Splunk Add-on for Windows and the Splunk Add-on for Unix and Linux are responsible for collecting data. In this case, the Delinea Add-on for Splunk is mainly used for field extractions and data normalization.
The requirements for component deployment are listed in the following table:
Machines and Splunk Components
| Windows Machines | Unix Machines | Indexers | Search Heads | |
|---|---|---|---|---|
| Splunk Universal Forwarder | Yes | Yes | --- | --- |
| Splunk Add-on for Windows | Yes | --- | --- | --- |
| Splunk Add-on for Unix and Linux | --- | Yes | --- | --- |
| Centrify Add-on for Splunk | --- | --- | Yes (Needed for indexed time field extractions) | Yes (Needed for indexed time field extractions and data normalization) |
| Centrify App for Splunk | --- | --- | --- | Yes |
Using the Delinea Add-on for Splunk
If you do not have the Splunk Add-on for Windows or the Splunk Add-on for Unix and Linux and would like to use the Delinea Add-on for Splunk for data collection, you must install:
-
Splunk Forwarder on the Windows and the Unix machines
-
Delinea Add-on for Splunk on both types of machines
The inputs.conf file in the Delinea Add-on for Splunk contains entries for various file locations for monitoring the syslog depending on the OS platform.
You must enable the corresponding input stanza based on the OS platform. Data gets collected on the Forwarder and is then forwarded to the Indexers where the data gets indexed. Note that data collection stanzas in the inputs.conf file remains disabled on the Search Heads.
If the UNIX and Linux syslogs are stored in binary, you must use the rsyslog daemon service to put logs under any of the standard syslog locations before configuring the app on the Forwarder.
The requirements for component deployment are listed in the following table:
| Machines and Splunk Components | ||||
|---|---|---|---|---|
| Windows Machines | Unix Machines | Indexers | Search Heads | |
| Splunk Universal Forwarder | Yes | Yes | --- | --- |
| Centrify Add-on for Splunk | Yes | Yes | Yes (Needed for indexed time field extractions) | Yes (Needed for indexed time field extractions and data normalization) |
| Centrify App for Splunk | --- | --- | --- | Yes |
