Install the Illumio App for Splunk in a Distributed Environment
The following table describes the apps to deploy when installing within a Splunk distributed environment.
App Name | Search Head | Indexer | Heavy Forwarder/Data Collection Node |
---|---|---|---|
Data Input (also known as Modular Input or REST Modular Input) | Configure data input with API keys and data collection disabled (not checked) | Configure data input with API keys and data collection disabled (not checked) | Configure data input with API keys and data collection enabled |
Illumio App for Splunk | Yes | Not applicable | Not applicable |
Illumio Technology Add-On for Splunk | Yes | Optional (if you want invalid JSON filtered) | Yes |
The deployment procedure varies depending on whether you are using a Splunk Heavy Forwarder or a Splunk Universal Forwarder.
Use Splunk Heavy Forwarder
In a distributed environment with Splunk Heavy Forwarder:
On the search head, install the Illumio App for Splunk and the Illumio Technology Add-On for Splunk.
On the Splunk Heavy Forwarder, install the Illumio Technology Add-On for Splunk.
Use Splunk Universal Forwarder
In a distributed environment with Splunk Universal Forwarder:
Set up a data collection node with Splunk Universal Forwarder.
Configure the PCE to forward data from all nodes to the Splunk Universal Forwarder.
Configure the Splunk Universal Forwarder to send the data to Splunk Indexer or Splunk Heavy Forwarder.
Use the following procedure:
Configure the Splunk Universal Forwarder to collect data from the Illumio PCE. Create a TCP stanza in the $SPLUNK_HOME/etc/system/local/inputs.conf file on the Universal Forwarder:
[tcp://<PORT>]
index=<INDEX-NAME>
sourcetype=illumio:pce
This stanza accepts unencrypted syslog from the PCE. If the PCE and the forwarder are not on a trusted network segment, configure the PCE syslog destination for TLS and use a [tcp-ssl://<PORT>] stanza with an [SSL] section instead, and restrict the port to the PCE addresses with a host firewall.
Configure the Splunk Universal Forwarder to send the data to the Splunk Indexer. Execute the following command on the Splunk Universal Forwarder, filling in the Splunk Indexer IP and listening port for <IP>:<PORT>:
$SPLUNK_HOME/bin/splunk add forward-server <IP>:<PORT>
Configure the Splunk Indexer to receive data from the Splunk Universal Forwarder (SUF). Create the following stanza in the $SPLUNK_HOME/etc/system/local/inputs.conf file on the Indexer:
[splunktcp://<PORT>]
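The three pieces of the Universal Forwarder procedure, assembled for concrete values, as an added example that is not from the Illumio or Splunk documentation. It renders the UF input stanza (plain TCP and a tcp-ssl variant), the indexer receiving stanza and the forward-server command, writes the stanzas under a scratch SPLUNK_HOME and checks that they landed. The port numbers, indexer address, index name and certificate path are assumptions; the [SSL]/tcp-ssl attribute names follow Splunk's inputs.conf.

```shell
#!/bin/sh
# Added example, not from the Illumio App for Splunk or Splunk documentation.
# Assumed values (override via the environment): the PCE sends syslog to the
# Universal Forwarder on TCP 5514, the indexer 10.0.0.5 receives on 9997,
# the index is called "illumio", and the UF lives in /opt/splunkforwarder.
PCE_PORT="${PCE_PORT:-5514}"
INDEX_NAME="${INDEX_NAME:-illumio}"
IDX_HOST="${IDX_HOST:-10.0.0.5}"
IDX_PORT="${IDX_PORT:-9997}"
UF_SPLUNK_HOME="${UF_SPLUNK_HOME:-/opt/splunkforwarder}"
# Server certificate for the TLS variant (assumed path; must exist on the UF).
UF_CERT="${UF_CERT:-/opt/splunkforwarder/etc/auth/uf-server.pem}"

# Universal Forwarder: raw TCP input that the PCE syslog destination points at.
uf_inputs_stanza() {
    printf '[tcp://%s]\nindex = %s\nsourcetype = illumio:pce\n' "$PCE_PORT" "$INDEX_NAME"
}

# Same input, TLS-wrapped: use this when the PCE syslog destination is set to
# TLS, so events cannot be read or injected on the wire between PCE and UF.
uf_inputs_stanza_ssl() {
    printf '[SSL]\nserverCert = %s\nrequireClientCert = false\n\n' "$UF_CERT"
    printf '[tcp-ssl://%s]\nindex = %s\nsourcetype = illumio:pce\n' "$PCE_PORT" "$INDEX_NAME"
}

# Indexer: Splunk-to-Splunk receiving port that the forwarder sends to.
indexer_inputs_stanza() {
    printf '[splunktcp://%s]\n' "$IDX_PORT"
}

# CLI command to run on the UF so it forwards to the indexer.
forward_server_cmd() {
    printf '%s/bin/splunk add forward-server %s:%s\n' "$UF_SPLUNK_HOME" "$IDX_HOST" "$IDX_PORT"
}

# Write the output of stanza function $2 to $1/etc/system/local/inputs.conf.
write_inputs_conf() {
    conf_dir="$1/etc/system/local"
    mkdir -p "$conf_dir"
    shift
    "$@" >"$conf_dir/inputs.conf"
}

# Return 0 if file $1 contains the stanza header [$2] as a whole line.
has_stanza() {
    grep -qxF "[$2]" "$1"
}

# Return 1 (with a reminder) when a non-default index is used, because the
# app's Illumio_get_index search macro must then be reviewed (see the text).
index_macro_check() {
    if [ "$INDEX_NAME" != "illumio" ]; then
        printf 'index "%s" is non-default: review the Illumio_get_index search macro\n' "$INDEX_NAME"
        return 1
    fi
    return 0
}

# Usage: stage both files under scratch SPLUNK_HOMEs and show what goes where.
if [ "${DEMO:-1}" = "1" ]; then
    UF_HOME=$(mktemp -d); IDX_HOME=$(mktemp -d)
    write_inputs_conf "$UF_HOME" uf_inputs_stanza
    write_inputs_conf "$IDX_HOME" indexer_inputs_stanza
    echo "UF inputs.conf:";      cat "$UF_HOME/etc/system/local/inputs.conf"
    echo "Indexer inputs.conf:"; cat "$IDX_HOME/etc/system/local/inputs.conf"
    echo "Run on the UF: $(forward_server_cmd)"
    index_macro_check || true
    rm -rf "$UF_HOME" "$IDX_HOME"
fi
```

Point the PCE syslog destination at the UF address and PCE_PORT, then restart the forwarder after writing inputs.conf; the [splunktcp://...] stanza on the indexer must match the port given to forward-server.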
In a distributed environment:
If you have a separate data-collection node, be sure that it is running a full Splunk Enterprise version.
Complete the Data Input configuration on the data-collection node (Heavy Forwarder) with API keys and data collection enabled.
On all other nodes, configure the data input with the API keys and data collection disabled.
In setups where a non-default index is used, you may need to configure the Illumio_get_index search macro with the "index=Illumio" definition. See Splunk Index, Source, and Source Types.