auth.* @<forwarders_ip_address>
!audit_conf
*.* @<forwarders_ip_address>
!audit_protocol
*.* @<forwarders_ip_address>
!*
This add-on is compatible with the Authentication, Inventory and Performance data models of the Splunk CIM (Common Information Model).
The main app dashboards can take some time to populate once data collection has started. A good test that you are receiving all of the expected data is to run this search after several minutes:
search `isilon_index` | stats count by sourcetype
In particular, you should see these sourcetypes:
* emc:isilon:rest
* emc:isilon:syslog
If you don't see these sourcetypes:
• For emc:isilon:rest, look at the add-on's own log messages for "emc:isilon:rest".
For Add-on version 2.3 onwards: the log is written to $SPLUNK_HOME/var/log/isilon/emc_isilon.log.
For Add-on versions up to 2.2: this sample search shows the messages:
index=_internal component="ExecProcessor" "EMC Isilon Error:" | table _time host log_level message
• For emc:isilon:syslog, check /etc/mcp/override/syslog.conf on the cluster: each required log selector should be followed by @<forwarders_ip_address>, and the file should end with !*. Also run the following command to see whether audit syslog forwarding is enabled:
For EMC Isilon cluster with oneFS version 7.x.x - isi audit settings view
For EMC Isilon cluster with oneFS version 8.x.x - isi audit settings global view
EMC Isilon forwards syslog and audit logs to UDP port 514 by default. Make sure port 514/udp is open on the receiving forwarder and reserved for Isilon syslog only; because UDP syslog is unauthenticated and easily spoofed, restrict the allowed source addresses to the cluster's nodes at the host or network firewall.
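The following script is an added example, not part of the add-on or of the Isilon documentation. It automates the syslog.conf check described above: for each of the program blocks named on this page (!audit_protocol and !audit_conf) it counts the lines that forward to the Splunk forwarder, and it confirms the file ends with the !* reset. The forwarder address and the sample file contents are constructed so the script runs offline; on a cluster, set CONF to /etc/mcp/override/syslog.conf and FORWARDER to your forwarder's address.

```shell
#!/bin/sh
# Added example (not the add-on's own code): verify the forwarding entries the
# add-on documentation expects in an OneFS-style syslog.conf.
# Assumptions: the program block names (!audit_protocol, !audit_conf) and the
# "@<forwarder>" form come from the documentation; the forwarder address and
# the sample file below are constructed for this example.

FORWARDER="${FORWARDER:-192.0.2.10}"          # constructed example address
CONF="${CONF:-./syslog.conf.sample}"

# Constructed sample resembling the tail of the documented configuration.
# "!name" lines are FreeBSD syslog program specifications; "!*" resets to all programs.
cat > "$CONF" <<EOF
*.err;kern.warning;auth.notice;mail.crit        /var/log/messages
!audit_protocol
*.*                                             @$FORWARDER
!audit_conf
*.*                                             @$FORWARDER
!*
EOF

# forward_lines_for PROGRAM CONF -> number of lines forwarding to the configured
# forwarder inside the "!PROGRAM" block (up to the next "!" line)
forward_lines_for() {
    awk -v prog="$1" -v fwd="@$FORWARDER" '
        /^!/ { inblock = ($0 == ("!" prog)); next }
        inblock && $NF == fwd { n++ }
        END { print n + 0 }' "$2"
}

# ends_with_reset CONF -> succeeds only if the last non-blank line is "!*"
ends_with_reset() {
    [ "$(awk 'NF { last = $0 } END { print last }' "$1")" = "!*" ]
}

# check_syslog_conf CONF -> one finding per line; exit status 0 only if all pass
check_syslog_conf() {
    rc=0
    for prog in audit_protocol audit_conf; do
        if [ "$(forward_lines_for "$prog" "$1")" -ge 1 ]; then
            echo "ok: !$prog forwards to @$FORWARDER"
        else
            echo "MISSING: no @$FORWARDER line under !$prog"
            rc=1
        fi
    done
    if ends_with_reset "$1"; then
        echo "ok: file ends with !*"
    else
        # Without the reset, rules appended later stay scoped to the last program.
        echo "MISSING: file does not end with !*"
        rc=1
    fi
    return $rc
}

check_syslog_conf "$CONF"
```

Run it with FORWARDER set to the address you expect to see; a non-zero exit means at least one audit block is not being forwarded or the trailing !* is absent, which is exactly the condition that leaves emc:isilon:syslog events missing from the index.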
Follow the steps below to upgrade the EMC Isilon Technology Add-on from version 2.2 to 2.3:
• Download the tar of the EMC Isilon Technology Add-on (v2.3) from Splunkbase
• Extract the tar under $SPLUNK_HOME/etc/apps
• Execute the upgrade Python script $SPLUNK_HOME/etc/apps/TA_EMC-Isilon/bin/upgrade_from_v2.2_to_v2.3.py.
On execution, the script asks for input; provide the already configured nodes as a comma-separated list.
Command to execute the script:
$SPLUNK_HOME/bin/splunk cmd python $SPLUNK_HOME/etc/apps/TA_EMC-Isilon/bin/upgrade_from_v2.2_to_v2.3.py
You can verify the configured nodes in $SPLUNK_HOME/etc/apps/TA_EMC-Isilon/local/passwords.conf.
The script adds a stanza to $SPLUNK_HOME/etc/apps/TA_EMC-Isilon/local/isilonappsetup.conf for each node given as input. Verify that there is an entry for each node in this file.
• Restart Splunk
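As an added example (not the add-on's upgrade script), the shell functions below reconcile the comma-separated node list you typed into the upgrade script with the stanzas in isilonappsetup.conf, so a node that the script silently skipped shows up before you restart Splunk. The stanza layout is an assumption: the page does not show the file, so the example assumes one "[<node>]" stanza per node, and the conf contents and key names are constructed.

```shell
#!/bin/sh
# Added example: check that every node passed to upgrade_from_v2.2_to_v2.3.py
# got a stanza in isilonappsetup.conf. Assumed (not shown on the page): one
# "[<node>]" stanza per node. Sample contents below are constructed so it runs
# offline; on a real host point SETUP_CONF at
# $SPLUNK_HOME/etc/apps/TA_EMC-Isilon/local/isilonappsetup.conf.

SETUP_CONF="${SETUP_CONF:-./isilonappsetup.conf.sample}"

cat > "$SETUP_CONF" <<'EOF'
[isilon-node-1.example.com]
index = isilon
interval = 300

[isilon-node-2.example.com]
index = isilon
interval = 300
EOF

# normalize_nodes "a, b,,a" -> one node per line: trimmed, empties dropped,
# duplicates removed, original order kept (the form the upgrade script asks for)
normalize_nodes() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        awk 'NF && !seen[$0]++'
}

# stanza_names CONF -> the name inside every "[...]" header, one per line
stanza_names() {
    sed -n 's/^\[\(.*\)\]$/\1/p' "$1"
}

# missing_stanzas CONF "node1,node2" -> nodes without a matching stanza
missing_stanzas() {
    normalize_nodes "$2" | while IFS= read -r node; do
        stanza_names "$1" | grep -qxF -- "$node" || echo "$node"
    done
}

# Usage: report nodes that the upgrade did not configure.
missing="$(missing_stanzas "$SETUP_CONF" 'isilon-node-1.example.com, isilon-node-2.example.com, isilon-node-3.example.com')"
if [ -n "$missing" ]; then
    echo "nodes without a stanza in $SETUP_CONF:"
    echo "$missing"
else
    echo "all nodes have a stanza in $SETUP_CONF"
fi
```

Feed missing_stanzas the exact string you gave the upgrade script; any node it prints either needs the script re-run for that node or a manual check of the stanza name, and the same list should be compared against the credentials in passwords.conf.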
Fixed AppCert cloud issues.
Added support for the new security patch shipping in EMC Isilon clusters with OneFS version 8.1.0.4 and above.
Added pagination support for Active Directory API calls.
Fixed the "503 Server Error: Service Not Available" error for API calls.
- Mandated HTTPS connections to OneFS with certificate verification.
- Removed indexes.conf from the add-on; the user is expected to create the index manually and give the same name during Isilon node setup.
- Improved field extractions for audit logs of OneFS versions 7.0.2.0, 8.0.0.1, 8.0.0.2, 8.0.0.4 and 8.1.0.0.
- Changed the error log location to $SPLUNK_HOME/var/log/isilon/emc_isilon.log.
- The upgrade script must be executed when upgrading to version 2.3. More information in the Overview section.
Removed the input stanza for syslog ingestion ([udp://514]) and added instructions in the documentation on how to set up syslog data ingestion.
Version: 2.1
- Added support for Active directory user & sid mapping through new REST API.
- Made changes in Isilon log parser to make it robust & generic for both Isilon version-7 and version-8 Security logs.
- Replaced Node_IP filter with Cluster_Name filter in existing Security logs dashboards.
- Security logs have been segregated in two categories - FileSystem Audit Logs and Authentication & Privilege activities.
- Added new dashboard to provide the user search facility for FS Audit logs across the Clusters.
-> Changed data collection method from Scripted Input to REST API Modular Input
-> Added support for Isilon Version 8.0
-> Added new data source (udp 514) and field extractions to integrate Isilon syslogs & audit logs
-> Added new API calls and extractions to comply with CIM models - Authentication, Inventory and Performance
How to upgrade the app
======================
Since the data collection method changed in release 2.0, the user must remove the previous version of the app ($SPLUNK_HOME/etc/apps/TA_EMC-Isilon), perform a fresh installation of the new bundle and set up the app again. Please note that removing the old installation does not remove previously indexed data.