
Configure the Illumio App for Splunk

After you have installed the Illumio Technology Add-On for Splunk, use the following procedure to configure Splunk to receive data from the Illumio PCE syslog and to index workload and label information into the Splunk App using the Illumio ASP REST API.

  1. Log in to the Splunk web app and navigate to Settings > Data inputs.

  2. Locate Illumio and click it.

    (Screenshot: Enable Data Inputs)
  3. Click New to create the Data Input (Modular Input) for ingesting data from the Illumio PCE to the Illumio App for Splunk.

    Note

    If you have multiple PCEs sending data to a single Splunk instance, then you need to have a different Data Input with a different TCP port for each PCE.

    (Screenshot: New Data Input, 3.2.0)
  4. In the Modular Input page, enter the configuration information using the following table:

    Name (Mandatory)
    The name that identifies the Illumio PCE.

    Supercluster Leader/PCE URL (Mandatory)
    Enter the PCE URL, including HTTPS and the port number. If the PCE is part of a supercluster, it must be the supercluster leader.
    For example: https://illumiopce.company.com:443/

    API Authentication Username (Mandatory)
    The API Authentication Username used to authenticate with the Illumio PCE. To generate the API key, log into the Illumio PCE Web Console and click Username > My API Keys > Add New.
    For example: api_16175f6af766fcd7b
    If you do not specify the API Username and API Secret, the PCE Operations and Workload Operations dashboards will not work.

    API Authentication Secret (Mandatory)
    The API Secret is the password for the API key used to authenticate with the PCE. The PCE generates the API Secret when the API key is created.
    For example: 4ed8ff8a5c40201dc52c89a59936f7b1003b950e0027204b2aaaa633ba040d22

    TCP Port Number for incoming syslog from PCE (Optional)
    The port on the Splunk server on which the Splunk App listens for syslog messages from the PCE. Configure the PCE to forward syslog to this port on the Splunk server. If you are creating multiple Data Inputs, use a different TCP port for each PCE.
    For example: 5014

    Port Scan configuration: Scan interval in seconds (Mandatory)
    The time window within which flows between two workloads are counted when determining a port scan. For example, if two workloads show flows on 10 unique ports within 60 seconds, a port scan is registered.
    Default value: 60 seconds.

    Port Scan configuration: Unique ports threshold (Mandatory)
    The minimum number of unique ports between two workloads, within the scan interval, that registers a port scan. For example, if two workloads show flows on 10 unique ports within 60 seconds, a port scan is registered.
    Default value: 10 ports.

    Labels to quarantine Workloads (Optional)
    Comma-separated list of one Application, one Environment, and one Location label, in exactly that order. Whitespace is not allowed in the list. These labels must already exist on the PCE, together with the policy needed to quarantine workloads. They are applied when workloads are quarantined using the App or AR action.

    Organization ID (Optional)
    For Illumio Data Center (on-premises) customers, the Organization ID is 1.
    For Illumio Cloud customers, the Organization ID can vary. To determine it, log into the Illumio PCE Web Console, click the administrator's name in the top-right corner, and then click My API Keys > Add New. The Create New API dialog shows the Organization ID.

    IP addresses of the PCE Nodes (Optional)
    Comma-separated IP addresses (private and public) of all nodes managed by this PCE instance. You must provide all IP addresses. Separate them with commas only; do not add space characters.

    Data Collection (Mandatory)
    When enabled, the TA collects data on this instance. In a Splunk cluster, enable this on the indexer node and disable it on the search head nodes.
    Default: Enabled

    Note

    When you invoke Quarantine Workload on a Splunk cluster, configure the TA-Illumio search head node with data collection disabled and the TA-Illumio indexer node with data collection enabled.

  5. If necessary, enter the optional settings in the following table:

    Interval (Optional)
    Interval between the REST API calls the Splunk App makes to refresh data from the PCE. The minimum value is 3600 seconds (60 minutes).
    Default: 3600

    Interval (Optional)
    Interval for polling between AWS and the Splunk App. The default value is 1800 seconds (30 minutes).

    Host (Optional)
    Host information added to events to be indexed by Splunk. Illumio recommends using the FQDN of the Splunk server.

    Index (Optional)
    For use by advanced Splunk users. Changes the index under which received events are stored. If you use a non-default (custom) index such as "Illumio", create the index manually and modify the search macros to return "index=illumio". See Splunk Index, Source, and Source Types.

    Custom (Self-Signed or Local CA) Certificate Path (Optional)
    If you use an SSL certificate from a local certificate authority or a self-signed SSL certificate with the PCE, upload the SSL certificate to the Splunk server and provide the full path to its directory.
    For correct SSL operation, the Splunk server must fully trust the PCE's certificate. If you are using a local certificate authority or a certificate issued by a secondary certificate authority, update the Splunk server's certificate authority trust chain so that it can verify the certificate the PCE presents. For example, on Linux, use the update-ca-trust tool.

    Allowed port scanner IP addresses (Optional)
    Whitelisted IP addresses of known port scanners, such as Qualys hosts. These addresses are excluded when determining port scans, which avoids false positives in the Port Scans panels.

  6. Click Next after you have added the values for data input (modular input).

    (Screenshot: Illumio Data Inputs, 3.2.0)
  7. Look for a success message displayed as a header on the setup page. It indicates that the credentials passed validation. If the credentials were incorrect or there were validation errors, a failure message is displayed. See Troubleshooting.
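The constraints the two tables above place on the data input values (an HTTPS URL with a port, comma-separated lists with no whitespace, exactly three quarantine labels in Application, Environment, Location order, a REST polling interval of at least 3600 seconds) can be checked before the values are entered, for instance when the input is created by automation rather than through the setup page. The following pre-flight checker is an added example, not Illumio's or Splunk's code; the dictionary keys and function names are this example's own and are not the TA's parameter names, and the sample configurations are constructed (the API secret is a placeholder).

```python
"""Pre-flight checks for the values entered on the Illumio App for Splunk
modular input page.

Added example, not Illumio's or Splunk's code. Dictionary keys below are this
example's own names for the fields in the configuration tables, not the TA's
parameter names.
"""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

MIN_REST_INTERVAL = 3600  # minimum "Interval" in seconds from the optional-settings table


def check_pce_url(url: str) -> list:
    """Supercluster Leader/PCE URL: HTTPS scheme and an explicit port number."""
    errors = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        errors.append("pce_url: must start with https://")
    if not parts.hostname:
        errors.append("pce_url: hostname is missing")
    try:
        if parts.port is None:
            errors.append("pce_url: include the port number, e.g. :443")
    except ValueError:
        errors.append("pce_url: port is not a valid number")
    return errors


def check_comma_list(value: str, field: str) -> list:
    """Comma-separated fields on this page allow no whitespace and no empty items."""
    errors = []
    if re.search(r"\s", value):
        errors.append(f"{field}: whitespace is not allowed")
    if any(item == "" for item in value.split(",")):
        errors.append(f"{field}: empty list element")
    return errors


def check_quarantine_labels(value: str) -> list:
    """Exactly three labels, in the order Application,Environment,Location."""
    errors = check_comma_list(value, "quarantine_labels")
    if len(value.split(",")) != 3:
        errors.append("quarantine_labels: expected exactly Application,Environment,Location")
    return errors


def check_ip_list(value: str, field: str) -> list:
    """PCE node addresses and allowed scanner addresses: every item must parse as an IP."""
    errors = check_comma_list(value, field)
    for item in value.split(","):
        if item == "":
            continue  # already reported as an empty element
        try:
            ipaddress.ip_address(item)
        except ValueError:
            errors.append(f"{field}: '{item}' is not a valid IP address")
    return errors


def check_int(value: str, field: str, minimum: int, maximum: Optional[int] = None) -> list:
    """Whole number within [minimum, maximum]; maximum=None means unbounded."""
    if not value.isdigit():
        return [f"{field}: must be a whole number"]
    n = int(value)
    if n < minimum:
        return [f"{field}: must be at least {minimum}"]
    if maximum is not None and n > maximum:
        return [f"{field}: must be at most {maximum}"]
    return []


def validate_input(cfg: dict) -> list:
    """Return a list of problems; an empty list means the values pass these checks."""
    errors = []
    for field in ("name", "api_username", "api_secret"):
        if not cfg.get(field):
            errors.append(f"{field}: mandatory")
    errors += check_pce_url(cfg.get("pce_url", ""))
    errors += check_int(cfg.get("scan_interval_seconds", "60"), "scan_interval_seconds", 1)
    errors += check_int(cfg.get("unique_ports_threshold", "10"), "unique_ports_threshold", 1)
    if cfg.get("tcp_port"):
        errors += check_int(cfg["tcp_port"], "tcp_port", 1, 65535)
    if cfg.get("quarantine_labels"):
        errors += check_quarantine_labels(cfg["quarantine_labels"])
    if cfg.get("org_id"):
        errors += check_int(cfg["org_id"], "org_id", 1)
    if cfg.get("pce_node_ips"):
        errors += check_ip_list(cfg["pce_node_ips"], "pce_node_ips")
    if cfg.get("interval"):
        errors += check_int(cfg["interval"], "interval", MIN_REST_INTERVAL)
    if cfg.get("allowed_scanner_ips"):
        errors += check_ip_list(cfg["allowed_scanner_ips"], "allowed_scanner_ips")
    return errors


# Constructed sample values: URL and username follow the table's examples,
# the secret is a placeholder, the label names and addresses are made up.
GOOD_CONFIG = {
    "name": "pce-prod",
    "pce_url": "https://illumiopce.company.com:443/",
    "api_username": "api_16175f6af766fcd7b",
    "api_secret": "PLACEHOLDER_API_SECRET",
    "tcp_port": "5014",
    "scan_interval_seconds": "60",
    "unique_ports_threshold": "10",
    "quarantine_labels": "Quarantine-App,Quarantine-Env,Quarantine-Loc",
    "org_id": "1",
    "pce_node_ips": "10.0.0.10,10.0.0.11",
    "interval": "3600",
    "allowed_scanner_ips": "203.0.113.10,203.0.113.11",
}

# Same input with four of the documented rules broken.
BAD_CONFIG = dict(GOOD_CONFIG,
                  pce_url="http://illumiopce.company.com/",
                  quarantine_labels="Quarantine-App, Quarantine-Env",
                  pce_node_ips="10.0.0.10,,10.0.0.300",
                  interval="600")

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, validate_input(cfg) or "ok")
```

Running the block reports the good configuration as `ok` and lists seven problems for the bad one (non-HTTPS URL without a port, a space and a missing third label in the quarantine list, an empty and an invalid PCE node address, and a REST interval below the 3600-second minimum). The checks are deliberately no stricter than the tables: they do not validate the API key format or prove the PCE is a supercluster leader, because the setup page's credential validation in step 7 is what confirms those.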
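The port scan settings in step 4 (scan interval and unique ports threshold) and the allowed port scanner addresses in step 5 together define one heuristic: a source that reaches at least the threshold number of distinct ports on one destination inside the interval is a scan, unless the source is a listed scanner. The sliding-window implementation below is an added example, not Illumio's or Splunk's code, so that the effect of each setting can be seen on sample traffic; the `Flow` record and the sample flows are constructed for this example and do not follow the PCE syslog schema.

```python
"""Port-scan heuristic configured in step 4, with the allowed-scanner
exclusion from step 5.

Added example, not Illumio's or Splunk's code. A scan is registered when one
source reaches at least `unique_ports_threshold` distinct destination ports on
one destination within a sliding window of `scan_interval_seconds`; sources in
`allowed_scanners` are skipped entirely. The Flow record and the sample traffic
below are constructed for this example, not the PCE syslog schema.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    ts: float        # event time, epoch seconds
    src_ip: str      # source workload address
    dst_ip: str      # destination workload address
    dst_port: int    # destination port


def detect_port_scans(flows: Iterable[Flow], scan_interval_seconds: int = 60,
                      unique_ports_threshold: int = 10,
                      allowed_scanners: frozenset = frozenset()) -> list:
    """Return one alert per (src, dst) pair, raised the first time it crosses the threshold."""
    # per (src, dst): recent (ts, port) events inside the window, oldest first
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.src_ip in allowed_scanners:
            continue  # known scanner (e.g. a Qualys host): never counted
        key = (f.src_ip, f.dst_ip)
        win = windows[key]
        win.append((f.ts, f.dst_port))
        # expire events older than the scan interval; the event just appended always stays
        while f.ts - win[0][0] > scan_interval_seconds:
            win.popleft()
        unique_ports = {port for _, port in win}
        if len(unique_ports) >= unique_ports_threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": f.src_ip, "dst": f.dst_ip,
                           "unique_ports": len(unique_ports),
                           "first_ts": win[0][0], "last_ts": f.ts})
    return alerts


def build_sample_flows() -> list:
    """Constructed traffic: one real scan, one slow walker, one listed scanner, one normal client."""
    flows = []
    # 10.0.0.5 walks ports 20..31 on 10.0.1.20, one every 2 seconds: a scan
    for i in range(12):
        flows.append(Flow(100 + 2 * i, "10.0.0.5", "10.0.1.20", 20 + i))
    # 10.0.0.6 touches 10 ports but only one every 20 seconds: never 10 within 60 s
    for i in range(10):
        flows.append(Flow(100 + 20 * i, "10.0.0.6", "10.0.1.20", 1000 + i))
    # 203.0.113.10 is the listed vulnerability scanner: excluded outright
    for i in range(20):
        flows.append(Flow(100 + i, "203.0.113.10", "10.0.1.20", 8000 + i))
    # 10.0.0.7 talks to one port repeatedly: one unique port, no scan
    for i in range(30):
        flows.append(Flow(100 + i, "10.0.0.7", "10.0.1.20", 443))
    return flows


ALLOWED_SCANNERS = frozenset({"203.0.113.10"})  # the "Allowed port scanner IP addresses" value


def sample_alerts(scan_interval_seconds: int = 60, unique_ports_threshold: int = 10,
                  allowed_scanners: frozenset = ALLOWED_SCANNERS) -> list:
    """Run the heuristic over the sample traffic with the given settings."""
    return detect_port_scans(build_sample_flows(), scan_interval_seconds,
                             unique_ports_threshold, allowed_scanners)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

With the defaults (60 seconds, 10 ports) only `10.0.0.5` is reported, and the alert fires on its tenth port at second 118. Widening the interval to 200 seconds also catches the slow walker `10.0.0.6`, and removing `203.0.113.10` from the allowed list makes the vulnerability scanner show up as a third scan, which is exactly the false positive the step 5 setting exists to suppress.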

About Intervals for On-Premises and Cloud Deployments

The data flow for On-Premises and Cloud is similar, but in a Cloud deployment there are more servers that collect, receive, and send the flow logs before pushing them to the S3 bucket. Everything the PCE logs collect is pushed to S3.

The S3 bucket can be managed by Illumio or you can create and manage it using the CloudFormation template. For more information, see Flow Logs and Auditable Event Logs for Illumio Secure Cloud PCE.

Note that the interval for the VEN to send traffic data logs is always 10 minutes.