To add Splunk as a destination in the Cloud Service Portal, complete the following:

  1. Log in to the Cloud Service Portal.
  2. Click Manage -> Data Connector.
  3. On the Destination Configuration tab, from the Create drop-down list, choose Splunk.
  4. In the Create Splunk Destination Configuration dialog, complete the following:
    • Name: Enter the name of the destination. Select a name that best describes the destination and can be distinguished from other destinations. The field length is 256 characters.
    • Description: Enter the description of the destination. The field length is 256 characters.
    • State: Use the toggle switch to enable or disable the destination configuration. By default, the State is disabled. If the destination configuration is disabled, you will not be able to select this destination when creating a traffic flow.
  5. In the SPLUNK DETAILS section, complete the following:
    • FQDN/IP: Enter the FQDN or the IP address of the Splunk indexer to which you want the Data Connector to send data.
    • Port: Enter the receiving port number that is configured for the Splunk indexer. Although 9997 is configured as the default port number, ensure that you input the port number that is configured for the Splunk indexer.
    • Index Name: Enter the name of the Splunk index. An index is a collection of directories and files that are located under $SPLUNK_HOME/var/lib/splunk.
    • Log Format: Choose one of the following log formats from the drop-down menu:
      • Infoblox Legacy: Choose this to send data in CSV format.
      • Splunk CIM: Choose this to send data in Splunk Common Information Model format.

Depending on your selection, the log messages you have chosen will be sent to Splunk in the selected format.

    • Insecure Mode: Based on the mode that you intend to use for data transport, perform one of the following:
      • Insecure mode: By default, the Insecure Mode checkbox is enabled. Retain the selection if you intend to use the insecure mode.
      • Secure mode: Clear the Insecure Mode checkbox and complete the following steps to upload certificates for secure transport.
  6. (For secure mode only) In the Splunk Forwarder Certificate section, complete the following:
    • Forwarder Certificate: Click Select file, browse to the respective path, and upload the forwarder certificate for the Splunk forwarder. You must first generate a certificate request in .PEM format. This certificate request must be signed by the third-party Certification Authority for you to get a forwarder certificate. For more information, refer to the Splunk documentation.
    • Certificate Key Passphrase: Enter the key passphrase for the certificate.
  7. (For secure mode only) In the Splunk CA Certificate section, click Select file, browse to the respective path, and upload the CA signed certificate for the Splunk indexer.
  8. Click Save & Close to create the destination.

For information on updating the Splunk server's configuration files, see Updating the Configuration Files.
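
The following shell functions are an added example, not part of the original page or of Infoblox or Splunk tooling. They show one way to generate the PEM certificate request and to pre-check the secure-mode files with the openssl command line before uploading them. All file names and the subject CN are placeholders, and the example assumes the signing CA's certificate is available as a PEM file and the passphrase is stored on the first line of a local file.

```shell
#!/bin/sh
# Added example (not vendor code). File names and the CN are placeholders.

# make_csr KEY CSR PASSFILE CN
# Creates a passphrase-protected RSA key and a certificate request in PEM
# format, ready to be sent to the Certification Authority for signing.
make_csr() {
    openssl genrsa -aes256 -passout "file:$3" -out "$1" 2048 2>/dev/null &&
    openssl req -new -key "$1" -passin "file:$3" -subj "/CN=$4" -out "$2"
}

# check_upload CERT KEY PASSFILE CA
# Pre-upload checks on the files the secure-mode steps ask for.
# Returns 0 if all pass, otherwise:
#   1 = passphrase does not unlock the key
#   2 = CERT is not a PEM certificate (for example, the CSR was picked)
#   3 = certificate was issued for a different key
#   4 = certificate does not chain to the CA file (or is expired)
check_upload() {
    key_pub=$(openssl pkey -in "$2" -passin "file:$3" -pubout 2>/dev/null) ||
        { echo "passphrase does not unlock $2" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ||
        { echo "$1 is not a PEM certificate" >&2; return 2; }
    [ "$key_pub" = "$cert_pub" ] ||
        { echo "$1 does not match $2" >&2; return 3; }
    openssl verify -CAfile "$4" "$1" >/dev/null 2>&1 ||
        { echo "$1 does not chain to $4" >&2; return 4; }
    # Print subject and expiry so the operator can confirm the right file.
    openssl x509 -in "$1" -noout -subject -enddate
}
```

Run `check_upload` against the signed forwarder certificate, its key, the passphrase file, and the CA certificate; a non-zero return code identifies which file or value to correct before opening the dialog.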


To view the deployment guide for setting up Splunk Enterprise, see the Infoblox BloxOne Threat Defense Cloud Add-on for Splunk Enterprise deployment guide.
