Integrating Splunk Enterprise
Splunk Enterprise technology analyzes business and website data, manages applications, ensures compliance, and enhances security.
You can integrate Splunk Enterprise with the Delinea Platform by using webhooks.
Prerequisites
Ensure you have all the required accounts and utilities before starting the integration:
- An account on the Delinea Platform
- An account in Splunk Enterprise
- OpenSSL installed on your local computer
- A Docker container installed for Splunk Enterprise
Setting Up Splunk Enterprise
To configure Splunk Enterprise, create an SSL certificate, generate a private key, and combine your SSL/TLS certificate, any intermediate certificates, and the private key into a single file.
Creating a Certificate in Zero SSL
You can create an SSL certificate from any certificate provider. This section gives instructions for creating an SSL certificate issued by Zero SSL.
- Go to Zero SSL.
- Open the SSL Certificates panel.
- Click New Certificate.
- Provide a valid domain for the certificate, and click Next Step until the Verify Domain dialog appears.
- In the Verify Domain dialog, select HTTP File Upload and follow the instructions.
- Click Next Step.
- In the Verify Domain dialog, check the details for the certificate verification and click Verify Domain.
- Once done, go to the Certificates panel, select your certificate, and download it.
Configuring a Certificate in OpenSSL
To configure a certificate in OpenSSL, generate the private key (private.pem), caCertificateFile (certificate.pem), and full chain (full_chain.pem) files.
Generating a Private Key
To generate a private key file in OpenSSL:
- Copy the downloaded certificate to the Splunk directory on your local computer. For example:
C:/programfiles/Splunk/etc/auth/sloccerts
- Verify that you have OpenSSL installed on your computer.
- Depending on your operating system, open a terminal or a command prompt.
- Navigate to the directory where you want to generate the private key. You can use the cd command to change directories.
- Run the following command to generate a private key:
openssl genpkey -algorithm RSA -out private.key
The command generates a private key using the RSA algorithm and saves it to the file private.key. You can adjust the algorithm or key size according to your preferences.
Generating a caCertificateFile
To generate a caCertificateFile, create a Certificate Signing Request (CSR) and then self-sign it. Open a terminal or a command prompt and run the following commands:
- To generate a Certificate Signing Request (CSR):
openssl req -new -key ca_private_key.pem -out ca_csr.pem
This command generates a CSR using the private key ca_private_key.pem and saves it to ca_csr.pem.
- To self-sign the CSR:
openssl x509 -req -days 365 -in ca_csr.pem -signkey ca_private_key.pem -out ca_certificate.pem
This command signs the CSR with the same private key, producing a self-signed certificate valid for 365 days, and saves it to ca_certificate.pem.
Generating a full_chain.pem file
A full_chain.pem file typically combines your SSL/TLS certificate, intermediate certificates (if applicable), and the private key into a single file. The order of the certificates is crucial for proper functioning.
Assuming you have the following components:
- Your SSL/TLS certificate (for example, your_certificate.crt)
- Intermediate certificate(s) (if provided by your Certificate Authority)
- Your private key (for example, private.key)
To generate a full_chain.pem file using these components:
- Run the following command in the Splunk directory on your computer. Replace your_certificate.crt with the actual name of your SSL/TLS certificate file, intermediate.crt with the name of any intermediate certificate file (if applicable), and private.key with the name of your private key file:
cat your_certificate.crt intermediate.crt private.key > full_chain.pem
Ensure you concatenate the files in the correct order: certificate, intermediate certificate(s), and finally the private key. The resulting full_chain.pem file should then contain all the necessary information in the correct order.
- After you create the full_chain.pem file, use it in your Splunk configuration for SSL/TLS settings, including configuring the sslRootCAPath parameter to point to this file.
- Go to the Splunk directory on your local computer.
- Open the inputs.conf file and specify the following data:
[http]
disabled = 0
index = main
enableSSL = 1
port = [port]
privKeyPath = $SPLUNK_HOME/etc/auth/sloccerts/private.key
serverCert = $SPLUNK_HOME/etc/auth/sloccerts/full_chain.pem
caCertFile = $SPLUNK_HOME/etc/auth/sloccerts/certificate.pem
sslPassword = [SSL password]
- Open the web.conf file and specify the following data:
[settings]
enableSplunkWebSSL = true
httpport = [http port]
enableSplunkWebSSLDebug = true
- Restart your Splunk server.
Integrating Webhooks and Splunk Enterprise
After you have generated and installed the certificates, you can set up the integration between Splunk Enterprise and Delinea Platform webhooks.
Configuring Splunk Enterprise HTTP Event Collector
- Install a Docker container to run Splunk Enterprise inside it. For information on Docker container installation, see the Splunk Enterprise official documentation.
- Open a Docker container and run Splunk Enterprise with an extra port exposed for the HTTP Event Collector (HEC) using the following command:
docker run -d -p 8000:8000 -p 8088:8088 -e SPLUNK_START_ARGS='--accept-license' -e SPLUNK_PASSWORD=[password] splunk/splunk:latest
- Log in to your Splunk Enterprise account with admin permissions.
- On the Quick links tab, click Add Data.
- Next, click Monitor.
- From the displayed left-side panel, select HTTP Event Collector.
- In the HTTP Event Collector form, specify the required details and click Next.
- Click Next, check the displayed details, and click Review.
- Click Submit.
- Go to Settings > Add Data > Data inputs.
- In the Data inputs dialog box, click HTTP Event Collector.
- In the HTTP Event Collector dialog box, copy the Token Value.
You will use this Token Value when creating the webhook in the Delinea Platform.
Creating Webhooks for Splunk Enterprise
- Log in to the Delinea Platform.
- Click Settings in the left navigation.
- Click Webhooks under General Setup.
- On the Webhooks page, click Create Webhook.
- Specify the necessary details, and in the Value field, enter the Token Value created for the HTTP Event Collector in Splunk Enterprise.
- Click Save.
- Verify the configured webhook on the Delinea Platform. For instructions, see Testing a webhook.
Troubleshooting
Issue:
The webhook test results in an SSL error.
Solution:
- Depending on your operating system, open a terminal or a command prompt.
- Navigate to the Splunk directory on your computer and insert the following data:
var handler = new HttpClientHandler
{
    ClientCertificateOptions = ClientCertificateOption.Manual,
    // Returns true for every server certificate, so TLS server certificate
    // validation (trust chain and hostname) is bypassed for this handler.
    ServerCertificateCustomValidationCallback =
        (httpRequestMessage, cert, certChain, policyErrors) => true
};
- Go back to the Delinea Platform and test the webhook created for Splunk Enterprise again.
- Confirm that the webhook for Splunk Enterprise is configured correctly by checking for a success alert.
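As an added example (not part of the Delinea or Splunk documentation), the handler below resolves the same SSL error without disabling validation: it trusts only the self-signed certificate.pem generated in the OpenSSL steps above and still rejects hostname mismatches. The class and method names, the caCertificatePath argument, and the .NET 5 or later requirement for X509ChainTrustMode.CustomRootTrust are assumptions.

```csharp
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example: a hardened replacement for the "=> true" callback.
// The server certificate is validated against one explicitly trusted CA
// (the self-signed certificate.pem from the Splunk auth directory) rather
// than accepted unconditionally.
static class SplunkHecTls
{
    // caCertificatePath is an assumed argument, e.g.
    // $SPLUNK_HOME/etc/auth/sloccerts/certificate.pem
    public static HttpClientHandler CreatePinnedHandler(string caCertificatePath)
    {
        var trustedCa = new X509Certificate2(caCertificatePath);

        return new HttpClientHandler
        {
            ClientCertificateOptions = ClientCertificateOption.Manual,
            ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
            {
                if (cert is null || chain is null)
                    return false;

                // Keep the hostname check: the certificate must still match
                // the Splunk host named in the webhook URL.
                if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
                    return false;

                // Rebuild the chain against our own root only, ignoring the
                // machine trust store (which is why the original error occurred).
                chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
                chain.ChainPolicy.CustomTrustStore.Clear();
                chain.ChainPolicy.CustomTrustStore.Add(trustedCa);
                // The self-signed test CA publishes no CRL or OCSP endpoint.
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

                // Build verifies signatures and validity periods up to trustedCa;
                // any other certificate, self-signed or public, is rejected.
                return chain.Build(cert);
            }
        };
    }
}
```

Use it as `new HttpClient(SplunkHecTls.CreatePinnedHandler(path))`; if the webhook test then fails, the cause is a genuine certificate or hostname problem rather than a missing trust anchor.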
Verifying Logs for Splunk Webhook
When you have ensured that webhooks are correctly configured for Splunk Enterprise, you can verify that the expected logs were received using webhooks.