Dell EMC Isilon Add-on for Splunk Enterprise

Splunk AppInspect Passed
This technology add-on collects data from Isilon to be used by the Dell Isilon App for Splunk Enterprise.

UPGRADE TA (v2.3 to v2.4.0)
Follow the steps below to upgrade the Dell Isilon Technology Add-on from version 2.3 to 2.4.0 (applicable only if you have configured an Isilon OneFS server version 8.x or above):
1. Download the tar of the Dell Isilon Technology Add-on (v2.4.0) from Splunkbase.
2. Back up the local directory residing in $SPLUNK_HOME/etc/apps/TA_EMC-Isilon.
3. Delete the inputs.conf, isilonappsetup.conf, last_session_call_info.pos and passwords.conf files from the $SPLUNK_HOME/etc/apps/TA_EMC-Isilon/local directory.
4. Extract the tar of the Dell Isilon Technology Add-on under $SPLUNK_HOME/etc/apps.
5. Restart Splunk.
6. Configure the Add-on again from Manage Apps > Dell Isilon Add-on for Splunk Enterprise > Set up.

ABOUT THIS APP

The Dell Isilon Add-on for Splunk Enterprise gathers data from an Isilon cluster, indexes it and provides the indexed data to the "Dell Isilon App for Splunk Enterprise" app, which runs searches on the indexed data and builds dashboards from it.

REQUIREMENTS

  • Splunk version 7.2.x, 7.3.x and 8.0.0
  • Dell Isilon cluster with OneFS version 7.1.x, 8.0.x and 8.1.x
  • If using a forwarder, it must be a HEAVY forwarder (we use the HF because the universal forwarder does not include Python)
  • The forwarder system must have network access (HTTPS) to one or more Isilon nodes which are to be Splunked.
  • Admin user ID and password for collecting data from the Isilon node.

RECOMMENDED SYSTEM CONFIGURATION

  • Splunk forwarder system should have 4 GB of RAM and a quad-core CPU to run this app smoothly.

TOPOLOGY AND SETTING UP SPLUNK ENVIRONMENT

  • This app is distributed in two parts:
    1) The Add-on app, which runs collector scripts and gathers data from the Dell Isilon node, indexes it and provides the indexed data to the main app.
    2) The main app, which receives indexed data from the Add-on app, runs searches on it and builds dashboards using the indexed data.

  • This app can be set up in two ways:
    1) Standalone Mode: Install the main app and the Add-on app on a single machine.
      • Here both apps reside on a single machine.
      • The main app uses the data collected by the Add-on app and builds dashboards on it.
    2) Distributed Environment: Install the main app and the Add-on app on the search head, install only the Add-on on the forwarder system, and create the index manually on the indexer.
      • Here too both apps reside on the search head machine, but there is no need to configure the Add-on on the search head.
      • Only the Add-on needs to be installed and configured on the forwarder system.
      • On the indexer, create the index from the menu Settings -> Indexes -> New, giving the index name (e.g. isilon) that was used in the TA setup form on the forwarder system.
      • Execute the following command on the forwarder to forward the collected data to the indexer:
        $SPLUNK_HOME/bin/splunk add forward-server <indexer_ip_address>:9997
      • On the indexer machine, enable event listening on port 9997 (recommended by Splunk).
      • The main app on the search head uses the received data and builds dashboards on it.

INSTALLATION OF APP

  • This app can be installed through the UI using "Manage Apps", or by extracting the zip file directly into the $SPLUNK_HOME/etc/apps/ folder.

CONFIGURATION OF APP

  • After installation, go to Apps -> Manage Apps -> Set up TA_EMC-Isilon. A new setup screen opens and asks for Isilon node credentials. Provide the IP address, username and password for any one Isilon node of your cluster. There is an option to provide an index; its default value is isilon. Make sure the provided index has already been created from the menu Settings -> Indexes. After providing these details, click Save on the setup form. Once the setup has completed successfully, go to Settings -> Advanced search -> Search macros, open the 'isilon_index' entry from the list and modify the macro definition according to the index provided in the setup form. The default definition is index=isilon.

  • If you want to collect data over an encrypted network, follow the steps below:
    • Copy isilonappsetup.conf to the local folder within the app.
    • Keep verify=True as is.
    • Add the certificate path where you have stored the certificate PEM file.
    • Restart Splunk.
  • If you want to collect data over an unencrypted network, follow the steps below:
    • Copy isilonappsetup.conf to the local folder within the app.
    • Change the setting to verify=False in the [setupentity] stanza in the local/isilonappsetup.conf file.
    • Restart Splunk.
    • After the restart, configure the Isilon host through the GUI.
  • The Splunk REST API encrypts the password and stores it in the Add-on folder in encrypted form. The REST modular script fetches these credentials through the REST API to connect to the Isilon node.
  • Restart Splunk.
  • To enable forwarding of syslog data in any Isilon cluster version, perform the following steps:
    1) Make the following changes in the file /etc/mcp/override/syslog.conf (copy it from /etc/mcp/default/syslog.conf if it is not present):
    * Put @<forwarders_ip_address> in front of the required log file and !* at the end of the syslog.conf file.
    * Restart syslogd using this command: /etc/rc.d/syslogd restart

    • In some cases, the syslog.conf file is already present in the /etc/mcp/override directory but is empty. In that case, just put the log file name and the forwarder IP in that file.
      Below is the content of a sample syslog.conf:
      auth.* @<forwarders_ip_address>
      !audit_config
      *.* @<forwarders_ip_address>
      !audit_protocol
      *.* @<forwarders_ip_address>
      !*

    2) Run the following commands to enable protocol, config and syslog auditing according to the Isilon OneFS version:
    * For a Dell Isilon cluster with OneFS version 7.x.x:
        isi audit settings modify --protocol-auditing-enabled Yes
        isi audit settings modify --config-auditing-enabled Yes
        isi audit settings modify --config-syslog-enabled Yes

    * For a Dell Isilon cluster with OneFS version 8.x.x:
        isi audit settings global modify --protocol-auditing-enabled Yes
        isi audit settings global modify --config-auditing-enabled Yes
        isi audit settings global modify --config-syslog-enabled Yes
        isi audit settings modify --syslog-forwarding-enabled Yes
    
  • Enable receiving of the syslog data at the forwarder. To do that, go to Settings -> Data Inputs -> UDP -> New. For this data input entry, provide the port number (514 is recommended by Splunk), the sourcetype emc:isilon:syslog and the same index as provided in the TA setup form for the same Isilon cluster.

  • Make sure that, when receiving syslogs, you have set the following metadata: index=<name of the index, same as defined in the UDP data input above>, sourcetype=emc:isilon:syslog.
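
An audit of the verify setting described above, as an added example (not part of the add-on): it merges a default and a local copy of isilonappsetup.conf, with local values taking precedence as in Splunk's conf layering, and lists the stanzas where verify is turned off. The file contents, the node stanza name and the accepted boolean spellings are assumptions; the add-on's own parsing is not shown on this page.

```python
import configparser

# Constructed sample contents. [setupentity] and verify come from the page;
# the per-node stanza name is a hypothetical placeholder.
DEFAULT_CONF = """\
[setupentity]
verify = True
"""
LOCAL_CONF = """\
[setupentity]
verify = False

[node-placeholder-1]
verify = 1
"""

# Assumed boolean spellings; anything else is treated as "off" (fail closed).
TRUE_VALUES = {"1", "true", "t", "yes", "y"}


def _parse(text):
    """Parse conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def effective_verify(default_text, local_text):
    """Return {stanza: True/False, or None when verify is not set}."""
    merged = {}
    for layer in (_parse(default_text), _parse(local_text)):  # local wins
        for stanza, kv in layer.items():
            merged.setdefault(stanza, {}).update(kv)
    result = {}
    for stanza, kv in merged.items():
        raw = kv.get("verify")
        result[stanza] = None if raw is None else raw.strip().lower() in TRUE_VALUES
    return result


def disabled_stanzas(default_text, local_text):
    """Stanzas whose effective verify value is off."""
    eff = effective_verify(default_text, local_text)
    return sorted(s for s, v in eff.items() if v is False)


if __name__ == "__main__":
    print(disabled_stanzas(DEFAULT_CONF, LOCAL_CONF))
```
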

External Data Sources

We use the Dell Isilon API for data collection.

CIM COMPATIBILITY

This app is compatible with the "Authentication", "Inventory" and "Performance" data models of the Splunk CIM (Common Information Model).

TEST YOUR INSTALL

The main app can take some time to populate the dashboards once data collection has started. A good test to see that you are receiving all of the expected data is to run this search after several minutes:

search `isilon_index` | stats count by sourcetype

In particular, you should see these sourcetypes:
emc:isilon:rest
emc:isilon:syslog

If you don't see these sourcetypes, have a look at the messages for "emc:isilon:rest". The logs are in the $SPLUNK_HOME/var/log/isilon/emc_isilon.log file.

For "emc:isilon:syslog", check the syslog file at /etc/mcp/override/syslog.conf: it should have @<forwarders_ip_address> in front of the required log file and !* at the end of the file. Also, run the following commands to see whether syslog forwarding is enabled:

For a Dell Isilon cluster with OneFS version 7.x.x: isi audit settings view
For a Dell Isilon cluster with OneFS version 8.x.x: isi audit settings view, isi audit settings global view

Dell Isilon forwards syslog and audit logs on UDP port 514 by default. Please make sure port 514 is open and reserved for Isilon syslogs only.
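
The syslog.conf check described above, as an added example (not part of the add-on): it reads the override file's text and reports which of the required program blocks do not forward to the forwarder, and whether the file ends with !*. The sample content is constructed, and 192.0.2.10 is a documentation address standing in for <forwarders_ip_address>.

```python
import re

# Constructed sample in the layout the page describes; 192.0.2.10 stands in
# for <forwarders_ip_address>.
SAMPLE = """\
auth.* @192.0.2.10
!audit_config
*.* @192.0.2.10
!audit_protocol
*.* @192.0.2.10
!*
"""

RULE = re.compile(r"^(\S+)\s+(\S.*)$")   # "<selector> <action>"


def check_syslog_conf(text, forwarder, required=("audit_config", "audit_protocol")):
    """Return a list of problems; an empty list means the layout matches."""
    problems = []
    program = "*"        # rules before any !program line apply to all programs
    forwarded = set()    # program blocks that forward to the expected host
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    for line in lines:
        if line.startswith("!"):          # program specification
            program = line[1:].strip()
            continue
        if line[0] in "+-":               # hostname specification, not a rule
            continue
        m = RULE.match(line)
        if not m:
            problems.append(f"unparsed line: {line}")
            continue
        action = m.group(2).strip()
        if not action.startswith("@"):    # local file or other action
            continue
        target = action[1:]
        if target == forwarder or target.startswith(forwarder + ":"):
            forwarded.add(program)
        else:
            problems.append(f"{program}: forwards to {target}, expected {forwarder}")
    for name in required:
        if name not in forwarded:
            problems.append(f"{name}: no rule forwarding to {forwarder}")
    if not lines or lines[-1] != "!*":
        problems.append("file does not end with !*")
    return problems

if __name__ == "__main__":
    print(check_syslog_conf(SAMPLE, "192.0.2.10"))
```
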

SAMPLE EVENT GENERATOR

TA_EMC-Isilon comes with sample data files, which can be used to generate sample data for testing. Generating sample data requires the SA-Eventgen application.
The TA generates sample data for REST API calls and syslogs at an interval of 10 minutes. You can update this configuration in the eventgen.conf file available under $SPLUNK_HOME/etc/apps/TA_EMC-Isilon/default/.

UPGRADE TA (v2.2 to v2.3)

Follow the steps below to upgrade the Dell Isilon Technology Add-on from version 2.2 to 2.3:
1. Download the tar of the Dell Isilon Technology Add-on (v2.3) from Splunkbase.
2. Extract the tar of the Dell Isilon Technology Add-on under $SPLUNK_HOME/etc/apps.
3. Execute the upgrade Python script at $SPLUNK_HOME/etc/apps/TA_EMC-Isilon/bin/upgrade_from_v2.2_to_v2.3.py. On execution, the script asks for input, and the user has to provide the already set-up nodes as a comma-separated value.
   For example: $SPLUNK_HOME/bin/splunk cmd python $SPLUNK_HOME/etc/apps/TA_EMC-Isilon/bin/upgrade_from_v2.2_to_v2.3.py
   The configured nodes can be verified from $SPLUNK_HOME/etc/apps/TA_EMC-Isilon/local/passwords.conf.
   The script adds a stanza for each node in the given list to the file $SPLUNK_HOME/etc/apps/TA_EMC-Isilon/local/isilonappsetup.conf. Verify the entry for each node in this file.
4. Restart Splunk.

Release Notes

  • Version 2.4.0
    • Added support of new security patch coming in Dell Isilon cluster with oneFS version 8.1.0.4 and above.
    • Added support of pagination in active directory API calls.
    • Fixed 503 Server Error: Service Not Available Error for API calls.
  • Version 2.5.0
    • Fixed Appcert cloud issues
  • Version 2.6.0
    • Added support of Splunk-8.0.0.
    • Removed the SSL check flag and the certificate path textbox from the UI to satisfy Splunk Cloud checks.

OPEN SOURCE COMPONENTS AND LICENSES

REFERENCES

SUPPORT

  • Access questions and answers specific to Dell Isilon Add-on For Splunk at https://answers.splunk.com.
  • Support Offered: Yes
  • Support Email: support@crestdatasys.com
  • Please visit https://answers.splunk.com, and ask your question regarding Dell Isilon Add-on For Splunk. Please tag your question with the correct App Tag, and your question will be attended to.

  • Copyright (C) 2020 Dell Technologies Inc. All Rights Reserved.

Release Notes

Version 2.7.0
May 15, 2020

* Fixed AppInspect failures.
* Changed branding of the add-on.

Version 2.6.0
Jan. 13, 2020

* Added support of Splunk 8.x
* Made Add-on Python2 and Python3 compatible

Version 2.5.0
Dec. 14, 2018

Fixed AppCert cloud issues

Version 2.4.0
Oct. 1, 2018

Added support of new security patch coming in EMC Isilon cluster with oneFS version 8.1.0.4 and above.
Added support of pagination in active directory API calls.
Fixed 503 Server Error: Service Not Available Error for API calls.

Version 2.3
July 18, 2017

- Mandate HTTPS connection with OneFS with certificate verification.
- Removed indexes.conf from add-on - expecting user to create index manually and give same name while setup of Isilon node.
- Improved field extractions for audit logs of OneFS versions (7.0.2.0, 8.0.0.1, 8.0.0.2, 8.0.0.4, 8.1.0.0)
- Changed error log locations to $SPLUNK_HOME/var/log/isilon/emc_isilon.log file
- Upgrade script needs to get executed while upgrading to version 2.3. More information in Overview section.

Version 2.2
Feb. 8, 2017

Removed the input stanza for syslog ingestion ([udp://514]) and added instructions in the documentation on how to set up syslog data ingestion.

Version 2.1
Sept. 21, 2016

- Added support for Active directory user & sid mapping through new REST API.
- Made changes in Isilon log parser to make it robust & generic for both Isilon version-7 and version-8 Security logs.
- Replaced Node_IP filter with Cluster_Name filter in existing Security logs dashboards.
- Security logs have been segregated in two categories - FileSystem Audit Logs and Authentication & Privilege activities.
- Added new dashboard to provide the user search facility for FS Audit logs across the Clusters.

Version 2.0
Aug. 11, 2016

-> Changed data collection method from Scripted Input to REST API Modular Input
-> Added support for Isilon Version 8.0
-> Added new data source (UDP 514) and field extractions to integrate Isilon syslogs & audit logs
-> Added new API calls and extractions to comply with CIM models - Authentication, Inventory and Performance

How to upgrade the app
======================
Since the data collection method was changed in release 2.0, the user must remove the previous version of the app ($SPLUNK_HOME/etc/apps/TA_EMC-Isilon), perform a fresh installation of the new bundle and set up the app again. Please note that removing the old installation does not remove previously indexed data.

Version 1.0
March 28, 2015

Installs: 842
Downloads: 3,064