Splunk Integration

TCPWave-ServiceNow

Splunk is often described as the Google of machine log analytics. It is a powerful, robust, real-time big-data analytics tool that can serve as a monitoring, reporting, analysis, security information, and event management platform, among other roles. It takes machine-generated data and turns it into operational intelligence by delivering insights through reports, charts, and alerts. With the near-instant results that Splunk provides, users can perform effective root-cause analysis to troubleshoot and resolve issues of any severity. Splunk's architecture comprises components responsible for data ingestion, indexing, and analytics. Integrating Splunk with TCPWave DDI lets the Splunk receiver collect the logs from the IPAM, DNS, and DHCP appliances in one place.

Getting Started
  • Using valid credentials, login to the Splunk user interface.
  • Navigate to Settings >> Data >> Forwarding and Receiving >> Configure Receiving.
  • Click New Receiving Port and enter the port number on which Splunk should listen for forwarded data. The example below uses 9997 as the receiving port.
  • Navigate to Settings >> System >> Server Controls.
  • Click Restart Splunk.
TCPWave DDI
  • Navigate to Administration >> Configuration Management >> Central Logging.
  • Under Configuration Settings, check the Enable Centralized Logging option. The system displays the Splunk option.
  • Check the Splunk option.
  • Enter the Splunk server IP address under Splunk Log Host.
  • Enter the receiving port configured on the Splunk server (9997 in the example above) under Splunk Log Port.
  • Select the IPAM logs to send to the Splunk appliance.
  • Select the DNS logs to send to the Splunk appliance.
  • Select the DHCP logs to send to the Splunk appliance.
  • Click OK to update the configuration.
  • Once the configuration is updated, log messages from the selected IPAM logs are sent to the configured Splunk appliance.
  • Central logging must also be enabled on the DNS and DHCP appliances themselves before the selected DNS and DHCP logs are sent to the Splunk appliance.
  • Navigate to Network Management >> DNS Management >> DNS Appliances >> TCPWave DNS Appliances.
  • Right-click the live appliance and select Enable Central Logging from the context menu.
  • Navigate to Network Management >> DHCP Management >> DHCP Appliances >> TCPWave DHCP IPv4 Appliances.
  • Right-click the live appliance and select Enable Central Logging from the context menu.
Viewing Logs

To view the logs on the Splunk appliance:

  • On the Splunk server GUI, click the Splunk icon at the top left corner.
  • Navigate to Search & Reporting >> Data Summary.

Splunk can also be used to detect the following:

  • An increase in the volume of requests from a client (indicating C&C traffic or data movement).
  • A change in the resource record types seen (e.g., TXT queries from hosts that don't typically send them).
  • Variance in the length of requests (indicating a DGA or an encoded/obfuscated data stream).
  • Regularity in the frequency of requests (beaconing to a C&C server).
  • Randomness in domain names (DGA).
  • Substitution of legitimate domains with very slightly altered ones (typo-squatting).
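Once the DNS appliance query logs reach Splunk, each item in the list above becomes a search over the indexed events. To make the logic of those six checks concrete, here is an added Python example, not code from TCPWave or from this page, that runs the same checks over a small constructed sample of BIND-style query-log lines. The log format, the watched domain `example.com`, the baseline record types, and the deliberately low thresholds are all assumptions chosen so that the tiny sample trips every rule; in production the thresholds would be derived from a historical baseline rather than hard-coded.

```python
import math
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: BIND "query:" log lines from one DNS appliance (not real data).
SAMPLE_LOG = """\
10-Mar-2024 09:00:00.001 client 10.1.1.20#51000: query: www.example.com IN A + (10.1.1.2)
10-Mar-2024 09:00:05.002 client 10.1.1.20#51001: query: mail.example.com IN MX + (10.1.1.2)
10-Mar-2024 09:01:00.003 client 10.1.1.30#52000: query: xk3j9q2z8v7w1p5t.badexample.net IN A + (10.1.1.2)
10-Mar-2024 09:02:00.004 client 10.1.1.30#52001: query: q8w2e5r7t1y4u9i0.badexample.net IN A + (10.1.1.2)
10-Mar-2024 09:03:00.005 client 10.1.1.30#52002: query: z5x8c1v4b7n0m3a6.badexample.net IN A + (10.1.1.2)
10-Mar-2024 09:04:00.006 client 10.1.1.30#52003: query: l2k5j8h1g4f7d0s3.badexample.net IN A + (10.1.1.2)
10-Mar-2024 09:00:10.007 client 10.1.1.40#53000: query: 4d61726b2d746f702d6d6f6e69746f72696e672d64617461.tunnel.badexample.org IN TXT + (10.1.1.2)
10-Mar-2024 09:00:20.008 client 10.1.1.50#54000: query: login.examp1e.com IN A + (10.1.1.2)
10-Mar-2024 09:05:00.009 client 10.1.1.60#55000: query: a1.example.com IN A + (10.1.1.2)
10-Mar-2024 09:05:00.010 client 10.1.1.60#55001: query: a2.example.com IN A + (10.1.1.2)
10-Mar-2024 09:05:00.011 client 10.1.1.60#55002: query: a3.example.com IN A + (10.1.1.2)
10-Mar-2024 09:05:00.012 client 10.1.1.60#55003: query: a4.example.com IN A + (10.1.1.2)
10-Mar-2024 09:05:00.013 client 10.1.1.60#55004: query: a5.example.com IN A + (10.1.1.2)
10-Mar-2024 09:05:00.014 client 10.1.1.60#55005: query: a6.example.com IN A + (10.1.1.2)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<client>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse(log_text):
    """One dict (ts, client, qname, qtype) per query line; unparsable lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S")
            records.append(rec)
    return records

def shannon_entropy(s):
    """Bits of entropy per character; 16 distinct characters give the maximum of 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def volume_spikes(records, per_minute=5):
    """Rule 1: clients that exceed per_minute queries in any one-minute bucket (assumed threshold)."""
    buckets = Counter((r["client"], r["ts"].replace(second=0)) for r in records)
    return sorted({client for (client, _), n in buckets.items() if n > per_minute})

def unusual_qtypes(records, baseline=("A", "AAAA", "MX", "PTR", "SRV", "CNAME")):
    """Rule 2: (client, qname, qtype) for record types outside the assumed baseline set, e.g. TXT."""
    return [(r["client"], r["qname"], r["qtype"]) for r in records if r["qtype"] not in baseline]

def long_labels(records, max_label=40):
    """Rule 3: names whose leftmost label is unusually long (data encoded into the query)."""
    return [r["qname"] for r in records if len(r["qname"].split(".")[0]) > max_label]

def beaconing(records, min_queries=4, max_jitter=2.0):
    """Rule 4: clients whose gaps between queries are near-constant and non-zero (call-home cadence)."""
    per_client = defaultdict(list)
    for r in records:
        per_client[r["client"]].append(r["ts"])
    hits = []
    for client, stamps in per_client.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A burst of identical timestamps has zero jitter too, so require a positive interval.
        if len(stamps) >= min_queries and statistics.pstdev(gaps) <= max_jitter and min(gaps) > 0:
            hits.append(client)
    return sorted(hits)

def random_names(records, min_entropy=3.5, min_len=12):
    """Rule 5: leftmost labels that look machine-generated (long and high entropy)."""
    out = []
    for r in records:
        label = r["qname"].split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            out.append(r["qname"])
    return out

def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalikes(records, watch=("example.com",), max_distance=1):
    """Rule 6: registered domains within max_distance edits of a watched domain (typo-squatting)."""
    out = set()
    for r in records:
        reg = ".".join(r["qname"].rstrip(".").split(".")[-2:])  # naive two-label registered domain
        for w in watch:
            if reg != w and edit_distance(reg, w) <= max_distance:
                out.add(reg)
    return sorted(out)

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for name, fn in [("volume", volume_spikes), ("qtype", unusual_qtypes), ("length", long_labels),
                     ("beacon", beaconing), ("random", random_names), ("lookalike", lookalikes)]:
        print(f"{name:10s} {fn(recs)}")
```

Each rule is kept as a separate function so it can be tuned or dropped on its own; the registered-domain split in `lookalikes` is a two-label approximation and would need a public-suffix list for domains such as `example.co.uk`.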