Corvil Connector for Splunk allows a Splunk® Enterprise administrator to stream Corvil analytics data into Splunk in real time, for use in security operations, IT operations, and network and application performance monitoring. Corvil Connector for Splunk provides a modular input that connects to existing Corvil Analytics Streams running on Corvil (CNE) appliances. Corvil Analytics Streams produce summaries of key events and transform them into actionable data.
For more information on Corvil, see: www.corvil.com.
Version 1.1.0 of Corvil Connector for Splunk is compatible with:
Version 1.1.0 of Corvil Connector for Splunk includes the following new features:
Version 1.1.0 of Corvil Connector for Splunk fixes the following issue:
Issues found during initial connector configuration are now flagged by on-screen error messages on Splunk v7.0 or higher. On all Splunk versions the messages are also written to %SPLUNK_HOME%/var/log/splunk/corvil_connector.log; on versions earlier than v7.0 that log is the only place they appear.
Version 1.1.0 of Corvil Connector for Splunk has the following known issues:
Splunk error messages related to Corvil Connector having "exited with code 1"
After installing the Corvil Connector and Corvil Add-on for Splunk Enterprise Security, Splunk may intermittently report that the Corvil Connector process has "exited with code 1". This message is benign: the Corvil Connector continues to operate normally.
To suppress this error message, follow these steps:
Editing the Corvil Connector Data Input fails when in the Splunk Enterprise Security global app context
To edit the Data Inputs associated with the Corvil Connector for Splunk, first set the global app context to "Search and Reporting".
Contacting Customer Support
If you need support for Corvil products, Corvil Support can be contacted Monday to Friday between 9:00 and 17:00 GMT. Corvil customers with a standard contract are guaranteed a response within 24 hours and have access to a portal where support tickets can be tracked.
Corvil Connector for Splunk supports the following server platforms in the versions supported by Splunk Enterprise:
To function properly, Corvil Connector for Splunk requires the following software:
Because Corvil Connector for Splunk runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.
Corvil Connector for Splunk can be installed directly from within your Splunk Enterprise admin interface, or downloaded from https://splunkbase.splunk.com/app/2725/ and then uploaded to your Splunk Enterprise host. Both approaches are described below.
This section describes how to install Corvil Connector for Splunk in your Splunk Enterprise deployment. Details of how to configure and use it are covered in the User Guide below.
There are two ways to download and install Corvil Connector for Splunk, depending on whether your Splunk Enterprise host has connectivity to splunkbase.splunk.com:
We’ll look at these in more detail in the following sections.
Follow these steps to install Corvil Connector for Splunk in a single server instance of Splunk Enterprise:
If your Splunk Enterprise host has the appropriate connectivity, you can install Corvil Connector for Splunk directly from Splunkbase:
Depending on your Splunk Enterprise version:
On that page, search for Corvil. Corvil Connector for Splunk should display.
On the Install app page:
The Corvil data source can now be used to route a Corvil Analytics Stream into Splunk.
If your Splunk Enterprise host deployment does not have direct connectivity to splunkbase.splunk.com, you can download the Corvil Connector for Splunk from the link above and then manually install the Corvil Connector for Splunk from within Splunk Enterprise.
Corvil Connector for Splunk is only installed on indexers or forwarders:
Forwarders do not provide a GUI for managing add-ons. Corvil Connector for Splunk can be installed on the forwarder with the $SPLUNK_HOME/bin/splunk install app command. Alternatively, it can be installed via a set of manual steps:
The Corvil Connector for Splunk is not currently supported in Splunk Cloud.
The Corvil Connector for Splunk provides a new type of Splunk modular input that feeds data from a Corvil Analytics Stream into Splunk. Multiple Corvil inputs can be configured, if required, connecting to multiple Corvil Analytics Streams.
Splunk ensures that any Corvil inputs are started once Splunk itself starts. If a Corvil input loses the network connection to the Corvil appliance or the publishing of the Corvil Analytics Stream is halted, the input will attempt to reconnect every 10 seconds.
Through the Corvil Connector for Splunk, Corvil Analytics Streams deliver Corvil analytics data to Splunk in real time. For more information on configuring Corvil Analytics Streams on Corvil appliances, consult the Corvil User Guide.
To configure the Corvil Connector for Splunk as a modular input for Splunk Enterprise:
The form is validated and, once it saves successfully, the new Corvil input connects to the CNE and starts streaming data into Splunk. Any validation error is reported on the page; for details, check corvil_connector.log under $SPLUNK_HOME/var/log/splunk/. Additional error information, if required, can be found in $SPLUNK_HOME/var/log/splunk/splunkd.log.
Note: If addition of the Corvil input fails, check that Java (JRE 1.8 or later) is installed on your Splunk Enterprise host.
Note: If the configured CNE changes state (from HTTPS to HTTP or from HTTP to HTTPS), communication with the Corvil Connector stops without any error or warning message and no new events arrive in Splunk. If events stop after a CNE change, compare the input's Secure CNE Connection setting with the CNE's current mode.
Some less frequently used options are available under More Settings:
Since the Splunk forwarder does not offer a GUI for managing add-ons, the configuration is done by editing inputs.conf directly. One stanza defines one modular input; the stanza name after corvil:// becomes the source field of the indexed events. The other parameters accepted by the REST endpoint (Username, Password, Analytic-Stream-Name, Encrypted, and so on) use the same keys here. A minimal stanza:

```ini
[corvil://corvil1]
sourcetype = corvil
disabled = 0
Hostname = corvil1
Port-Number = 5101
```
To connect a Corvil Connector for Splunk to a CNE that is only accessible via HTTPS, you must select the option Secure CNE Connection when configuring the Connector, and you must choose either a pre-provisioned self-signed certificate or a signed certificate.
Select the pre-provisioned self-signed certificate if you want to get up and running fast with an encrypted connection, since it requires the fewest steps. Bear in mind that accepting a self-signed certificate encrypts the link but, unless the Connector has a copy of that specific certificate to check against, does not let it verify that it is talking to the intended CNE; treat this as a bootstrapping option and move to a signed certificate for production use.
If you wish to use a signed certificate, please contact Corvil support for further guidance.
The Corvil Connector for Splunk can be configured on the Splunk UI, using the Splunk REST API or via manual file modification.
To configure the setup with a self-signed certificate using Splunk UI:
New Corvil connectors can also be created from the command line through the REST API endpoint. This method reports whether the Connector was configured correctly and whether the connection to the CNE succeeded.
It is essentially the same as using the Splunk UI or editing inputs.conf by hand, but the configurable parameters are supplied in a Splunk REST API request, which is useful if you do not have access to the Splunk UI.
To configure the setup with self-signed certificate using Splunk CLI commands (REST API):
```shell
curl -d 'name=CorvilConnectorName' -d 'Username=monitor' -d 'Hostname=<cne_ip_or_fqdn>' \
     -d 'Password=<password>' -d 'Port-Number=443' -d 'Only-Violations-Events=0' \
     -d 'Include-Links=0' -d 'Analytic-Stream-Name=Notable Events' -d 'Receive-Heartbeats=0' \
     -d 'Encrypted=1' -d 'Allow-Self-Signed=1' \
     -k -u SplunkAdminUser:SplunkAdminPass https://localhost:8089/services/data/inputs/corvil
```

Three points to be aware of with this command: curl's -d sends values verbatim, so a CNE password containing characters such as &, = or % must be passed with --data-urlencode instead; -k disables verification of splunkd's own TLS certificate, so the Splunk admin credentials travel over an unauthenticated connection (pass the CA that issued splunkd's certificate with --cacert instead); and both passwords are on the command line, where they are visible in the process list and shell history (use -u SplunkAdminUser without the password so curl prompts, or a .netrc file).
If the connection is successful, the REST API will return an XML output confirming the connector configuration.
If there is an issue with the connection, an error will be returned.
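The following is an added example, not code from Corvil or from the Connector itself. It posts the same fields as the curl command above through the splunkd REST API, but URL-encodes them (so special characters in the CNE password survive), reads both passwords from the environment rather than the command line, verifies splunkd's certificate instead of passing -k, and classifies the XML reply as success or error. The host names, the CA file name splunkd-ca.pem and the two sample replies are assumptions; the replies are constructed in the shape splunkd uses so the parser can be exercised offline.

```python
"""Create a Corvil modular input via the splunkd REST API (added example)."""
import base64
import os
import ssl
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
ENDPOINT = "/services/data/inputs/corvil"


def _flag(b):
    return "1" if b else "0"


def build_input_params(name, cne_host, cne_user, cne_password, *,
                       port=443, stream="Notable Events", encrypted=True,
                       allow_self_signed=False, only_violations=False,
                       include_links=False, receive_heartbeats=False):
    """Form fields for the corvil input, using the keys the page's curl command posts.
    allow_self_signed defaults to False: with it on, the CNE's certificate is not
    validated, so the link is encrypted but not authenticated."""
    return {
        "name": name,
        "Hostname": cne_host,
        "Username": cne_user,
        "Password": cne_password,
        "Port-Number": str(port),
        "Analytic-Stream-Name": stream,
        "Encrypted": _flag(encrypted),
        "Allow-Self-Signed": _flag(allow_self_signed),
        "Only-Violations-Events": _flag(only_violations),
        "Include-Links": _flag(include_links),
        "Receive-Heartbeats": _flag(receive_heartbeats),
    }


def encode_form(params):
    """x-www-form-urlencoded body. curl -d sends values verbatim, so a password
    containing '&', '=', '%' or a space is mangled; urlencode escapes them."""
    return urllib.parse.urlencode(params).encode("utf-8")


def parse_response(xml_text):
    """Classify splunkd's reply. A created input comes back as an Atom feed whose
    <entry><title> is the input name; a failure comes back as
    <response><messages><msg type="ERROR">. Returns (ok, detail)."""
    root = ET.fromstring(xml_text)
    errors = [m.text or "" for m in root.iter()
              if m.tag.rsplit("}", 1)[-1] == "msg" and m.get("type") in ("ERROR", "FATAL")]
    if errors:
        return False, "; ".join(errors)
    title = root.find(f"{ATOM}entry/{ATOM}title")
    if title is None:
        return False, "no <entry> in reply"
    return True, title.text


def create_input(base_url, admin_user, admin_password, params, cafile):
    """POST the input definition. cafile is the CA that issued splunkd's certificate
    (assumption: you replaced Splunk's default cert or exported its CA); this is
    the alternative to curl -k."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(base_url + ENDPOINT, data=encode_form(params), method="POST")
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            body = resp.read().decode("utf-8")
    except urllib.error.HTTPError as e:
        body = e.read().decode("utf-8")  # splunkd returns 4xx with the <msg> detail in the body
    return parse_response(body)


# Constructed replies in the shape splunkd uses, for exercising parse_response offline.
SAMPLE_OK = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>corvil</title>
  <entry>
    <title>CorvilConnectorName</title>
    <content type="text/xml"><s:dict><s:key name="Hostname">cne1.example.net</s:key></s:dict></content>
  </entry>
</feed>"""
SAMPLE_ERR = """<response>
  <messages>
    <msg type="ERROR">Could not connect to cne1.example.net:443</msg>
  </messages>
</response>"""

if __name__ == "__main__":
    # Secrets come from the environment, not argv, so they stay out of `ps` and shell history.
    params = build_input_params("CorvilConnectorName", "cne1.example.net", "monitor",
                                os.environ["CORVIL_CNE_PASSWORD"])
    ok, detail = create_input("https://localhost:8089", os.environ["SPLUNK_USER"],
                              os.environ["SPLUNK_PASSWORD"], params, cafile="splunkd-ca.pem")
    print("created input" if ok else "failed:", detail)
```

If splunkd still runs with its default self-signed certificate, export that certificate and pass it as cafile rather than reverting to -k; the point of the example is that the admin credentials never cross an unverified connection.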
Once you have successfully configured the Corvil Connector for Splunk with a self-signed certificate, the encrypted connection to the CNE is established.
Verify that Splunk is receiving Corvil events from the CNE. One way to check this is to run a search in Splunk such as:

```
source="corvil://<corvil_connector_connection_name_in_splunk_data_inputs>"
```
The Corvil Connector for Splunk defines a "corvil" source type, which is JSON-formatted data with mandatory fields (for example, timestamp and eventID).
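As an added example (not part of the Connector), the following checks raw events of the corvil sourcetype for the mandatory fields named above before they are trusted downstream, for instance on the output of the verification search exported with `| table _raw`. The sample events are constructed. It assumes, based on the 1.0.3 release note below, that `timestamp` is the epoch time in microseconds and `timestampNs` the sub-microsecond remainder (0-999); any other field names in the samples are illustrative.

```python
"""Validate corvil-sourcetype JSON events (added example, not Connector code)."""
import json
from datetime import datetime, timedelta, timezone

MANDATORY = ("timestamp", "eventID")

# Constructed sample events; only timestamp/timestampNs/eventID come from the page.
SAMPLE_RAW = [
    '{"timestamp": 1500000000123456, "timestampNs": 789, "eventID": "EV-1", "severity": "High"}',
    '{"timestamp": 1500000000123457, "eventID": "EV-2"}',
    '{"timestampNs": 5, "eventID": "EV-3"}',
    '{"timestamp": "soon", "eventID": "EV-4"}',
    'not json at all',
]


def validate_event(raw):
    """Return (ok, reason, event). ok is False for non-JSON input, a missing
    mandatory field, a non-integer timestamp or an out-of-range timestampNs."""
    try:
        ev = json.loads(raw)
    except ValueError as exc:
        return False, f"not JSON: {exc}", None
    if not isinstance(ev, dict):
        return False, "JSON is not an object", None
    missing = [k for k in MANDATORY if k not in ev]
    if missing:
        return False, "missing " + ", ".join(missing), ev
    ts = ev["timestamp"]
    if isinstance(ts, bool) or not isinstance(ts, int):
        return False, "timestamp is not an integer", ev
    ns = ev.get("timestampNs", 0)
    if isinstance(ns, bool) or not isinstance(ns, int) or not 0 <= ns < 1000:
        return False, "timestampNs out of range", ev
    return True, "ok", ev


def event_time_ns(ev):
    """Nanoseconds since the epoch, combining the microsecond timestamp with timestampNs
    (assumed layout, see lead-in)."""
    return ev["timestamp"] * 1000 + ev.get("timestampNs", 0)


def event_datetime(ev):
    """UTC datetime at microsecond precision, computed with integer arithmetic so the
    microseconds are exact; the nanoseconds are only available via event_time_ns."""
    ts = ev["timestamp"]
    return datetime.fromtimestamp(ts // 1_000_000, tz=timezone.utc) + timedelta(microseconds=ts % 1_000_000)


def triage(raw_events):
    """Split a batch of raw events into parsed valid events and rejection reasons."""
    good, bad = [], []
    for raw in raw_events:
        ok, reason, ev = validate_event(raw)
        if ok:
            good.append(ev)
        else:
            bad.append(reason)
    return good, bad


if __name__ == "__main__":
    accepted, rejected = triage(SAMPLE_RAW)
    for ev in accepted:
        print(ev["eventID"], event_datetime(ev).isoformat(), event_time_ns(ev))
    for reason in rejected:
        print("rejected:", reason)
```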
Connector log file on Splunk server
Corvil Connector for Splunk includes the following binaries:
- Encryption of the stored CNE password: The password of the Corvil user account the Connector uses to connect to the specified Corvil appliances can now be stored encrypted on the Splunk Enterprise host.
- Connectivity to CNEs via HTTPS: The Connector can now connect over HTTPS to Corvil appliances configured to accept only encrypted connections.
- Authorization script support: Specified scripts can now be used to facilitate authorization.
- Improved Connector logging: The Connector now logs notable activities and error conditions, such as the creation of new modular inputs and connectivity problems with the specified Corvil Analytics Streams. See corvil_connector.log on the Splunk Enterprise host.
- Issues found during initial connector configuration are now flagged by on-screen error messages on Splunk v7.0 or higher. On earlier Splunk versions, these error messages are now logged to corvil_connector.log.
##### About this release
Version 1.0.3 of the Corvil add-on for Splunk is compatible with:
* **Splunk Enterprise versions** 6.5, 6.4, 6.3, 6.2, 6.1
* **Platforms** Platform independent
* **Vendor Products** Corvil Giga, Corvil Giga+, Corvil Tera and Corvil Tera+
* **System Requirements** Java Runtime Environment (v1.6 or later) installed on the Splunk Enterprise host
##### What’s New in This Release
Version 1.0.3 of the Corvil add-on for Splunk includes the following new features:
* **Special characters**: Special characters in Corvil Appliance’s password are now supported.
* **Timestamp changes**: The timestamp is now split into two fields, timestamp and timestampNs. The timestamp field carries the timestamp at microsecond resolution, and timestampNs carries the nanoseconds part.
##### Fixed issues
Version 1.0.3 of the Corvil add-on for Splunk fixes the following issues:
- Formatting bug in the JSON output from the modular input