NuHarbor Security is a leading national cybersecurity services firm, supporting the diverse needs of hundreds of clients with clear, comprehensive, and outcome-based solutions. We support only best-of-breed security technologies with thoroughly trained and vetted analysts and have been a provider of Splunk Professional Services and Splunk MSSP services since 2014. We’re commonly asked for guidance around onboarding Tripwire data to Splunk. This blog post will outline integration of the Tripwire Enterprise add-on for Splunk and how to properly set it up across an environment. The main purpose of the Tripwire Enterprise product is to help organizations with their IT configuration controls by detecting, assessing, reporting, and remediating file and configuration changes on their systems.
This procedural write-up assumes you have the following environmental conditions at a minimum.
Environment Assumptions
- Splunk
  - An indexer
  - A search head
  - A heavy forwarder (HF)
    - It’s also possible to set up on a search head.
- Tripwire Enterprise Console
  - A single Tripwire Enterprise Console instance
Tripwire Prerequisites
Before beginning the Splunk installation, make sure that an account with least privilege is created on the Tripwire Enterprise Console (TEC). This account should have the following privileges:
- Node management permissions: Create, Create ACL, Delete, Link, Load, Restart Agent Nodes, Update, Update Agent, Configurations, Upgrade, View
- Policy test management permissions: Load
- Log management permissions: Load
- Report management permissions: Load
- Miscellaneous permissions: Export settings
Procedure
We’ll be managing the add-on and configuration from the heavy forwarder so make sure that your HF can reach and communicate with the Tripwire Enterprise Console. You’ll need backend access to your HF to complete the setup.
- Download the Tripwire Enterprise add-on for Splunk. You’ll see that the zip file comes with three items: an .spl file, a PDF with install instructions, and a Readme.txt.
- To begin, log into your machine that hosts the heavy forwarder. Depending on your OS, create the directory /opt/teexports or C:\teexports. When the Tripwire add-on queries the Tripwire Enterprise Console, this directory is where it will write the resultant Security Configuration Management (SCM) and File Integrity Monitoring (FIM) logs to.
- Next, log in to the Splunk interface on your heavy forwarder and go to Apps>Manage Apps>Install App from File. Upload the tripwire .spl file, and restart Splunk when it prompts you.
- Navigate to the app setup page in Splunk. You’ll need to specify Tripwire Data Directory which is either /opt/teexports or C:\teexports and the parent directory where Splunk is installed (for Windows, C:\Program Files).

- Next, specify which port Splunk should listen on for Tripwire syslog messages if you wish to receive syslog audit data from Tripwire Enterprise. The default syslog port is 514; make sure your Splunk instance is set up to receive on this port. You’ll also need to enter the IP address of the Tripwire Enterprise Console.

- You’ll have the option to change the frequency with which SCM and FIM data is retrieved. Setting it to one hour is a good starting point. You’ll need to determine the best frequency for your environment.
- Check off the “Monitor Data on Forwarders” check box under “Distributed Deployment” so that the log files on the HF are properly pulled in.


- Finally, leave the rest of the default setup as is. Enter the credentials for the account you created on the Tripwire Enterprise Console and click save.
- Once that’s complete, the Tripwire add-on will automatically generate the requisite supporting add-ons to deploy across the rest of your environment under /etc/apps/TA-tripwire_enterprise/appserver/addons. There you’ll find:
  - SA-tripwire_enterprise_IDX
  - TA-tripwire_enterprise_FWD
- From /appserver/addons, copy the TA-tripwire_enterprise_FWD into the /apps directory on the HF. It’s fully self-contained and has all the necessary scripts to run queries against the TEC.
- Copy the SA-tripwire_enterprise_IDX onto the /apps directory of your indexer.
- Navigate back up to /etc/apps on your heavy forwarder and copy the entire TA-tripwire_enterprise directory (yes, the whole thing – add-ons and all!) off the HF and onto /apps on your search head. Below is where all your apps and add-ons should end up:
  - /apps/TA-tripwire_enterprise_FWD → Heavy Forwarder
  - /apps/SA-tripwire_enterprise_IDX → Indexer
  - /apps/TA-tripwire_enterprise → Search Head
Before you complete the setup, go into the inputs.conf on each of the add-ons and make sure they are pointing to the correct index.
- Lastly, restart the indexer, then the search head, and then the heavy forwarder.
Troubleshooting
If logs still aren’t flowing at that point, review these troubleshooting steps:
- Confirm permissions on the TA-tripwire_enterprise_FWD are set correctly and disabled=0 is set for everything.
- Try hitting the Tripwire IP by using https://x.x.x.x/assetview/api/assets from the heavy forwarder to see if it can reach it.
- Check $SPLUNK_HOME/var/log/splunk/tripwire.log for errors.
- Verify that your TEC is licensed for FIM and SCM data.
- Verify that you can log into the TEC with the Splunk account username and password.
- Check that Tripwire is set to send logs to UDP 514.
- Verify Tripwire version. This process requires 8.2.x or later.
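The pre-restart check from the procedure (every add-on's inputs.conf pointing at the correct index) and the first troubleshooting item (disabled=0 set for everything) can be scripted on the host. The following POSIX sh script is an added example, not NuHarbor's or Tripwire's code; the index name tripwire, the export directory path and the sample inputs.conf the demo builds are assumptions.

```shell
#!/bin/sh
# Added example (not from the NuHarbor post or the Tripwire add-on): a POSIX sh
# pre-restart check. check_inputs_conf walks an add-on's inputs.conf and flags
# stanzas that are disabled or not pointing at the expected index; check_export_dir
# confirms the SCM/FIM export directory is writable. Index name and paths are assumptions.

# check_inputs_conf FILE EXPECTED_INDEX -> 0 if every stanza is enabled and uses
# EXPECTED_INDEX, otherwise prints one line per problem and returns 1.
# Values set in a [default] stanza are inherited when it precedes the others.
check_inputs_conf() {
    [ -r "$1" ] || { echo "MISSING     $1"; return 1; }
    awk -v want="$2" '
    function flush() {
        if (stanza == "" || stanza == "default") return
        if (dis != "0" && dis != "false") { printf "DISABLED    [%s] disabled=%s\n", stanza, dis; bad++ }
        if (idx != want) { printf "WRONG_INDEX [%s] index=%s want=%s\n", stanza, idx, want; bad++ }
    }
    BEGIN { d_idx = "<unset>"; d_dis = "0" }          # Splunk defaults: enabled, no index
    /^[[:space:]]*\[/ {                                # stanza header: report the previous one
        flush(); stanza = $0
        sub(/^[[:space:]]*\[/, "", stanza); sub(/][[:space:]]*$/, "", stanza)
        idx = d_idx; dis = d_dis; next
    }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments and blank lines
    {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
        if (stanza == "default") { if (key == "index") d_idx = val; if (key == "disabled") d_dis = val; next }
        if (key == "index") idx = val
        if (key == "disabled") dis = val
    }
    END { flush(); exit (bad > 0) }' "$1"
}

# check_export_dir DIR -> 0 if the add-on export directory exists and is writable.
check_export_dir() {
    if [ -d "$1" ] && [ -w "$1" ]; then echo "EXPORT_DIR_OK  $1"; return 0; fi
    echo "EXPORT_DIR_BAD $1 (missing or not writable)"; return 1
}

# Demo on a constructed inputs.conf (not the add-on's real file): two stanzas are wrong.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '[default]' 'index = tripwire' '[monitor:///opt/teexports/scm]' 'sourcetype = tripwire:scm' \
        '[monitor:///opt/teexports/fim]' 'disabled = 1' '[udp://514]' 'index = main' > "$tmp/inputs.conf"
    check_export_dir "$tmp" || true
    check_inputs_conf "$tmp/inputs.conf" tripwire || echo "fix the stanzas above before restarting"
    rm -rf "$tmp"
}
```

Source the file and call demo to see the sample output, or run check_inputs_conf against each deployed add-on's inputs.conf and check_export_dir against /opt/teexports on the heavy forwarder before the restart step.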
For more information on how we can assist with configuring Tripwire as well as additional Splunk apps in your environment, visit our Splunk Managed Security Services page or contact us today!