NuHarbor Security is a premier national provider of Splunk Professional Services and Splunk MSSP services. We’re commonly asked for Tripwire guidance for Splunk data onboarding, so in this blog post we will discuss integrating the Tripwire Enterprise Add-on for Splunk and how to set it up properly across an environment. The main purpose of the Tripwire Enterprise product is to help organizations with their IT configuration controls by detecting, assessing, reporting, and remediating file and configuration changes on their systems.
This procedural write-up assumes that you have at least the following environmental conditions:
- An Indexer
- A Search Head
- A Heavy Forwarder
  - It’s also possible to set this up on a Search Head.
- Tripwire Enterprise Console
  - A single Tripwire Enterprise Console instance.
Before beginning the Splunk installation, make sure that an account with “least privilege” is created on the Tripwire Enterprise Console (TEC). This account should have the following privileges:
- Node Management permissions: Create, Create ACL, Delete, Link, Load, Restart Agent Nodes, Update, Update Agent, Configurations, Upgrade, View
- Policy Test Management Permissions: Load
- Log Management Permissions: Load
- Report Management Permissions: Load
- Miscellaneous Permissions: Export Settings
We’ll be managing the add-on and configuration from the Heavy Forwarder, so make sure that your HF can reach and communicate with the Tripwire Enterprise Console. Additionally, you’ll need backend access to your HF to complete the setup.
- Download the Tripwire Enterprise Add-on for Splunk. The zip file comes with three items: an .spl file, a PDF with install instructions, and a Readme.txt.
- To begin, log in to the machine that hosts the Heavy Forwarder and, depending on your OS, create the directory /opt/teexports or C:\teexports. When the Tripwire add-on queries the Tripwire Enterprise Console, this is the directory it writes the resulting Security Configuration Management (SCM) and File Integrity Monitoring (FIM) logs to.
- Next, log in to the Splunk interface on your Heavy Forwarder, go to Apps > Manage Apps > Install App from File, upload the Tripwire .spl file, and restart Splunk when it prompts you to.
- Navigate to the app setup page in Splunk. You’ll need to specify the Tripwire Data Directory (either /opt/teexports or C:\teexports) and the parent directory where Splunk is installed (for Windows, C:\Program Files).
- Next, specify which port Splunk should listen on for Tripwire syslog messages if you wish to receive syslog audit data from Tripwire Enterprise. The default syslog port is 514 (make sure your Splunk instance is set up to receive on this port). You’ll also need to enter the IP address of the Tripwire Enterprise Console.
- You’ll have the option to change the frequency with which SCM and FIM data is retrieved. One hour is a good starting point, but you’ll need to determine the best frequency for your environment.
- Check the ‘Monitor Data on Forwarders’ check box under ‘Distributed Deployment’ so that the log files on the HF are properly pulled in.
- Finally, leave the rest of the default setup as is, enter the credentials for the account you created on the Tripwire Enterprise Console, and hit Save.
- Once that’s complete, the Tripwire add-on will automatically generate the requisite supporting add-ons to deploy across the rest of your environment under /etc/apps/TA-tripwire_enterprise/appserver/addons. Distribute them as follows:
- From /appserver/addons, copy TA-tripwire_enterprise_FWD into the /apps directory on the HF. It’s fully self-contained and has all the necessary scripts to run queries against the TEC.
- Copy SA-tripwire_enterprise_IDX into the /apps directory of your Indexer.
- Navigate back up to /etc/apps on your Heavy Forwarder and copy the entire TA-tripwire_enterprise directory (yes, the whole thing, add-ons and all) off the HF and into /apps on your Search Head. This is where all your apps and add-ons should end up:
  - /apps/TA-tripwire_enterprise_FWD → Heavy Forwarder
  - /apps/SA-tripwire_enterprise_IDX → Indexer
  - /apps/TA-tripwire_enterprise → Search Head
- Before you complete the setup, go into the inputs.conf in each of the add-ons and make sure they are pointing to the correct index.
- Lastly, restart the Indexer, then the Search Head, and then the Heavy Forwarder.
If logs still aren’t flowing at that point, review these troubleshooting steps:
- Check that permissions on TA-tripwire_enterprise_FWD are set correctly and that disabled=0 is set for everything.
- Try reaching the Tripwire console from the Heavy Forwarder at https://x.x.x.x/assetview/api/assets to confirm connectivity.
- Check $SPLUNK_HOME/var/log/splunk/tripwire.log for errors.
- Verify that your TEC is licensed for FIM and SCM data.
- Verify that you can log in to the TEC with the Splunk account username and password.
- Check that Tripwire is set to send logs to UDP 514.
- Verify the Tripwire version; 8.2.x or later is required.
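The two inputs.conf checks above (every stanza pointing at the right index before the restart, and disabled=0 everywhere when troubleshooting) are easy to script. This is an added example, not code from the add-on or from NuHarbor; the sample inputs.conf, its stanza names and the index name “tripwire” are constructed assumptions, and only the /opt/teexports path comes from this write-up.

```python
"""Sanity check for the Tripwire add-on inputs.conf files before the restart.
Constructed example: stanza and index names are assumptions, not the add-on's
real inputs.conf; only the /opt/teexports monitor path comes from the write-up.
"""
import configparser
from typing import List

# Constructed sample inputs.conf. One stanza is still disabled and one still
# points at the default index instead of the (assumed) Tripwire index.
SAMPLE_INPUTS_CONF = """\
[monitor:///opt/teexports/fim]
disabled = 0
index = tripwire
[monitor:///opt/teexports/scm]
disabled = 1
index = tripwire
[udp://514]
disabled = 0
index = main
"""


def load_inputs_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk's INI-style .conf text; '=' is the only delimiter, no '%' interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp


def check_inputs_conf(text: str, expected_index: str) -> List[str]:
    """Return one finding per stanza that is disabled or not routed to expected_index."""
    cp = load_inputs_conf(text)
    findings = []
    for stanza in cp.sections():
        # Splunk treats a missing 'disabled' key as enabled.
        disabled = cp.get(stanza, "disabled", fallback="0").strip().lower()
        if disabled in ("1", "true", "yes"):
            findings.append(f"[{stanza}]: disabled={disabled} (expected 0)")
        index = cp.get(stanza, "index", fallback="").strip()
        if index != expected_index:
            findings.append(f"[{stanza}]: index={index or '<unset>'} (expected {expected_index})")
    return findings


if __name__ == "__main__":
    for finding in check_inputs_conf(SAMPLE_INPUTS_CONF, "tripwire"):
        print(finding)
```

Run it against each add-on's inputs.conf on the HF, Indexer and Search Head with the index name you actually use; an empty result means every stanza is enabled and routed correctly.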
For more information on how we can assist with configuring Tripwire as well as additional Splunk apps in your environment visit our Splunk Managed Security Services page.