Downloading Corvil Connector for Splunk
SHA256 checksum (corvil-connector-for-splunk_110.tgz): 060cb6a9b1d9ea54fa5a5a63799b9f29160a749743d5b7cc064266b81bbad29d
SHA256 checksum (corvil-connector-for-splunk_103.tgz): 7336548f3912d9494b178024d9df17818b8b535dd34b42db09c3f0ac62b88853
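A downloaded archive should be compared against these published values before it is uploaded into Splunk. The following script is an added example, not part of the Splunkbase page or of Corvil's connector: it streams a downloaded .tgz through SHA-256 and compares the digest with the published one in constant time. The two digests are the ones printed above; the function names and the stand-in bytes used in the demo are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Checksums copied from the download dialog above, keyed by archive file name.
PUBLISHED_SHA256 = {
    "corvil-connector-for-splunk_110.tgz":
        "060cb6a9b1d9ea54fa5a5a63799b9f29160a749743d5b7cc064266b81bbad29d",
    "corvil-connector-for-splunk_103.tgz":
        "7336548f3912d9494b178024d9df17818b8b535dd34b42db09c3f0ac62b88853",
}


def sha256_hex(data):
    """SHA-256 of an in-memory byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a large archive never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def checksum_matches(actual_hex, expected_hex):
    """Case-insensitive, constant-time comparison of two hex digests."""
    return hmac.compare_digest(actual_hex.strip().lower(), expected_hex.strip().lower())


def verify_download(path, expected_hex=None):
    """Verify an archive against an explicit digest, or against the published
    table when the file name matches one of the listed archives.
    Returns True on match; raises KeyError if no expected digest is known."""
    if expected_hex is None:
        expected_hex = PUBLISHED_SHA256[os.path.basename(path)]
    return checksum_matches(sha256_of_file(path), expected_hex)


if __name__ == "__main__":
    # Constructed stand-in for a downloaded archive; it will NOT match the
    # published digest, which is the failure case a deployment script must stop on.
    fd, tmp_path = tempfile.mkstemp(suffix=".tgz")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"not the real archive")
    try:
        ok = verify_download(tmp_path, PUBLISHED_SHA256["corvil-connector-for-splunk_110.tgz"])
        print("checksum matches published value:", ok)
    finally:
        os.unlink(tmp_path)
```

A mismatch means the file is not the one whose checksum Splunkbase published, whether because of a corrupted transfer or a substituted archive, and the upload should not proceed.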

Corvil Connector for Splunk

Corvil transforms network data into streaming machine-time intelligence to run business with full transparency, assured performance, and continuous cyber surveillance of users, infrastructure, applications, and services.

Corvil Connector for Splunk allows a Splunk® Enterprise administrator to stream Corvil analytics data into Splunk in real time, for use in security operations, IT operations, and network and application performance monitoring. Corvil Connector for Splunk provides a modular input that connects to existing Corvil Analytics Streams, which run on Corvil (CNE) appliances. Corvil Analytics Streams produce summaries of key events and transform them into actionable data.

Note: Corvil Connector for Splunk can be installed and used on its own as the sole means of integrating with Corvil. It is also a mandatory prerequisite: it must be installed and operational before any other Corvil apps and add-ons for Splunk can be used.

For more information on Corvil, visit www.corvil.com.

Table of Contents

OVERVIEW

  • About Corvil Connector for Splunk
  • Release notes
  • Support and resources

DEPLOYMENT

  • Hardware and software requirements
  • Installation

USER GUIDE

  • Preparing Corvil for streaming to Splunk
  • Configuring the Corvil Connector for Splunk
  • Configuring the Corvil Connector for Splunk to use an encrypted connection
  • Data types
  • Paths

OVERVIEW

About Corvil Connector for Splunk

  • Author: Corvil Connectors
  • App Version: 1.1.0
  • Vendor Products: Corvil Tera 9.0 or higher, Corvil Giga+, Corvil Giga.
  • System Requirements: JRE (v1.8 or later) installed on the Splunk Enterprise host

Corvil Connector for Splunk allows a Splunk® Enterprise administrator to stream Corvil analytics data into Splunk in real time, for use in security operations, IT operations, and network and application performance monitoring. Corvil Connector for Splunk provides a modular input that connects to existing Corvil Analytics Streams, which run on Corvil (CNE) appliances. Corvil Analytics Streams produce summaries of key events and transform them into actionable data.

For more information on Corvil, see: www.corvil.com.

Release notes

About this release

Version 1.1.0 of Corvil Connector for Splunk is compatible with:

  • Splunk Enterprise versions: 7.0, 6.6
  • Platforms: Platform independent
  • Vendor Products: Corvil Tera 9.0 or higher, Corvil Giga+, Corvil Giga.
  • System Requirements: JRE (v1.8 or later) installed on the Splunk Enterprise host

What’s New in This Release

Version 1.1.0 of Corvil Connector for Splunk includes the following new features:

  • Encryption of the stored CNE password
  • Connectivity to CNEs via HTTPS
  • Authorization script support
  • Improved Connector logging

Resolved Issues

Version 1.1.0 of Corvil Connector for Splunk fixes the following issue:

Issues found during initial connector configuration on Splunk v7.0 or higher are now flagged by on-screen error messages. On Splunk v7.0 and earlier versions alike, these error messages are logged to %SPLUNK_HOME%/var/log/splunk/corvil_connector.log; on versions earlier than 7.0 the log file is the only place they appear.

Known Issues

Version 1.1.0 of Corvil Connector for Splunk has the following known issues:

Splunk error messages related to Corvil Connector having “exited with code 1”
After installing the Corvil Connector and Corvil Add-on for Splunk Enterprise Security, a Splunk error may intermittently appear reporting that the Corvil Connector process has “exited with code 1”. This error message is benign and does not mean the Corvil Connector is not operating normally.
To suppress this error message, follow these steps:

  1. Go to Settings > Data Inputs > Configuration Checker.
  2. Edit confcheck_script_errors.
  3. Add corvil to the “suppress” regex. Save the updated configuration.

Editing the Corvil Connector Data Input fails when in the Splunk Enterprise Security global app context
In order to edit the Data Inputs associated with the Corvil Connector for Splunk, first set the global app context to “Search and Reporting”.

Third-party Software Attributions

Version 1.1.0 of Corvil Connector for Splunk incorporates the following third-party software or libraries: Google Protobuf, Apache Commons Codec, and Apache Sling Commons JSON.

Support and Resources

Contacting Customer Support

If you need support for Corvil products, Corvil Support can be contacted Monday to Friday between 9:00 and 17:00 GMT. Corvil customers with a standard contract are assured of a response within 24 hours and have access to a portal where support tickets can be tracked.

  • e-mail: support@corvil.com
  • USA/Canada Toll Free: 1800 673 3185
  • UK Freephone: 0800 066 4799
  • International: +353 1 859 1010

DEPLOYMENT

Hardware and software requirements

Hardware requirements

Corvil Connector for Splunk supports the following server platforms in the versions supported by Splunk Enterprise:

  • Linux
  • Microsoft Windows

Software requirements

To function properly, Corvil Connector for Splunk requires the following software:

  • Corvil Tera 9.0 or higher installed on a Corvil CNE appliance
  • Java Runtime Environment (version 1.8 or later) installed on the Splunk Enterprise host

Splunk Enterprise system requirements

Because Corvil Connector for Splunk runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.

Download

Corvil Connector for Splunk can be installed directly from within your Splunk Enterprise admin interface, or downloaded from https://splunkbase.splunk.com/app/2725/ and then uploaded to your Splunk Enterprise host. Both approaches are described below.

Installation

This section describes how to install Corvil Connector for Splunk in your Splunk Enterprise deployment. Details of how to configure and use it are covered in the User Guide below.

There are two ways to download and install Corvil Connector for Splunk, depending on whether your Splunk Enterprise host has connectivity to splunkbase.splunk.com:

  • Direct installation from Splunkbase
  • Download and manual installation

We’ll look at these in more detail in the following sections.

Deploy to single server instance

Follow these steps to install Corvil Connector for Splunk in a single server instance of Splunk Enterprise:

Direct installation from Splunkbase

If your Splunk Enterprise host has the appropriate connectivity, you can install Corvil Connector for Splunk directly from Splunkbase:

  1. Log in to Splunk Enterprise.
  2. Depending on your Splunk Enterprise version:
    • If you are using Splunk Enterprise 7.0, 6.6 or 6.3, open the Apps menu and select Browse more Apps.
    • If you are using Splunk Enterprise 6.2, open the Explore Splunk Enterprise panel and click Splunk Apps.
    • If you are using Splunk Enterprise 6.1, from the Apps menu select Find more apps.
  3. On that page, search for Corvil. Corvil Connector for Splunk should be displayed.
  4. Click Install free.
  5. On the Install app page:
    • Review the license terms and conditions and check the check box.
    • Enter your splunk.com username and password (not your Splunk Enterprise username and password).
    • Click Login.

The Corvil data source can now be used to route a Corvil Analytics Stream into Splunk.

Download and manual installation

If your Splunk Enterprise host does not have direct connectivity to splunkbase.splunk.com, download the Corvil Connector for Splunk package from the link above and then install it manually from within Splunk Enterprise.

  1. Log in to Splunk Enterprise.
  2. Depending on your Splunk Enterprise version:
    • Using Splunk Enterprise 7.0, 6.6 or 6.3, click the Apps gear icon
    • Using Splunk Enterprise 6.2, click the Manage Apps link
    • Using Splunk Enterprise 6.1, select Manage Apps from the Apps menu.
  3. Select Install app from file, navigate to the downloaded Corvil Connector for Splunk file, select it and click Open.
  4. With the Corvil Connector for Splunk file selected, click Upload.

Deploy to distributed deployment

Corvil Connector for Splunk is only installed on indexers or forwarders:

  • The installation process for an indexer is the same as for the single server case.
  • Forwarders do not provide a graphical interface for managing add-ons. Corvil Connector for Splunk can be installed on the forwarder using the $SPLUNK_HOME/bin/splunk install app command. Alternatively, it can be installed via a set of manual steps:

    1. Download and unpack the .tgz package from Splunkbase
    2. Move the resulting Corvil directory into the $SPLUNK_HOME/etc/apps directory on your forwarder
    3. Restart the forwarder

Deploy to Splunk Cloud

The Corvil Connector for Splunk is not currently supported in Splunk Cloud.


USER GUIDE

The Corvil Connector for Splunk provides a new type of Splunk modular input that feeds data from a Corvil Analytics Stream into Splunk. Multiple Corvil inputs can be configured, if required, connecting to multiple Corvil Analytics Streams.

Splunk ensures that any Corvil inputs are started once Splunk itself starts. If a Corvil input loses the network connection to the Corvil appliance or the publishing of the Corvil Analytics Stream is halted, the input will attempt to reconnect every 10 seconds.

Preparing Corvil for Streaming to Splunk

Corvil Analytics Streams, via the Corvil Connector for Splunk, can stream Corvil analytics data to Splunk in real time. For more information on configuring Corvil Analytics Streams on Corvil appliances, please consult the Corvil User Guide.

Configuring the Corvil Connector for Splunk

To configure the Corvil Connector for Splunk as a modular input for Splunk Enterprise:

  1. Log in to Splunk Enterprise.
  2. From the Settings menu select Data Inputs. On the Data Inputs page, Corvil Connector for Splunk is listed as Corvil Connector.
  3. Click Add new.
  4. Complete the Add Data form (Splunk Enterprise 7.0, 6.6, 6.3 and 6.2) or the Add new form (Splunk Enterprise 6.1). The optional configuration settings are documented below; the mandatory settings are:
    • Input Name: Specify the name for the Splunk data input
    • CNE address: Specify the hostname or IP address of the CNE publishing the Corvil Analytics Stream
    • CNE Port: Specify the port number of the Web Services API on the CNE publishing the Corvil Analytics Stream (Default: 5101), or select 'Secure CNE Connection', which removes the port option (HTTPS traffic to the CNE is always over port 443)
    • Username/Password: Specify the Web Services API login credentials on the CNE publishing the Corvil Stream (the default username is monitor), or select 'Retrieve authorization details from script', which hides the username and password fields entirely and replaces them with an option to specify the script. See the More Settings section below.
    • Analytics Stream Name: Specify the name of the Corvil Analytics Stream of interest
  5. When using Splunk Enterprise 7.0, 6.6, 6.3 or 6.2, click Next. When using Splunk Enterprise 6.1, click Save.

The form is validated and, when it saves successfully, the new Corvil input connects to the CNE and starts streaming data into Splunk. Any validation error is reported on the page; also check corvil_connector.log. Additional error information, if required, can be found in $SPLUNK_HOME/var/log/splunk/splunkd.log.

Note: If addition of the Corvil input fails, check that Java (JRE 1.8 or later) is installed on your Splunk Enterprise host.

Optional configuration settings

  • Event Types: Specify the names of the event types of interest as defined in the Corvil Analytics Stream. Multiple event types can be specified as a comma-separated list without whitespace (Default: the field is blank, which publishes all events)
  • Include Heartbeats: Check the box to include Heartbeat messages with Corvil Analytics Stream events (Default: unchecked)
  • Only Include Events in Violation: Check the box to specify that only events that violate the thresholds defined in network service objectives on the CNE should be retrieved (Default: unchecked)
  • Include links to the Corvil appliance: Check the box to include links to the Corvil Appliance in each event (message-url must be enabled on the appliance)
  • Suppressed Fields: Multiple field names to be suppressed can be specified as a comma-separated list without whitespace (Default: the field is blank, which publishes all the fields)
  • Secure CNE Connection: Set this to allow the Corvil Connector to connect to an encrypted CNE (See the note below. Also see the section Configuring the Corvil Connector for Splunk to use an encrypted connection)

Note: If there is a change of state (from HTTPS to HTTP or from HTTP to HTTPS) in the configured CNE, communication with the Corvil connector will stop (with no error/warning message) and no new events will arrive into Splunk.

Some less frequently used options are available under More Settings:

  • Set the source type: Tell Splunk what kind of data this is so you can group it with other data of the same type when you search. When this is set to automatic, Splunk classifies and assigns the sourcetype automatically, and gives unknown sourcetypes placeholder names. You can manually force the source type to 'corvil' rather than rely on auto-detection.
  • Index: Set the destination index for streamed events for this source
  • Rate-Limit: Set a rate limiter that prevents the Corvil Connector for Splunk from sending more than Rate-Limit-Count messages over a period of Rate-Limit-Period seconds (events exceeding the limit are ignored). Zero (0) in either field disables the limiter.
  • Encrypt Password: Select this to hide the password for the CNE login (Default: password encryption is off)
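To make the Rate-Limit semantics concrete, here is an added example, not code from the Corvil Connector (whose implementation is not shown on this page), of a limiter with the behaviour the option describes: at most `count` events per `period` seconds, events beyond that dropped rather than queued, and 0 in either field disabling the limit. Treating the period as a sliding window is this example's interpretation; the class name and the sample event list are constructed.

```python
import time
from collections import deque


class RateLimiter:
    """Sliding-window limiter (an assumption of this example): at most `count`
    events in any `period`-second window. Events over the limit are dropped,
    not queued, matching the 'events exceeding the limit are ignored' rule.
    A zero in either field disables limiting, as the page states."""

    def __init__(self, count, period, clock=time.monotonic):
        self.count = count
        self.period = period
        self.clock = clock            # injectable so runs can be made deterministic
        self.accepted = deque()       # timestamps of accepted events still in the window
        self.dropped = 0

    @property
    def enabled(self):
        return self.count > 0 and self.period > 0

    def allow(self):
        """Return True if an event arriving now may be forwarded."""
        if not self.enabled:
            return True
        now = self.clock()
        cutoff = now - self.period
        # Expire timestamps that have left the window.
        while self.accepted and self.accepted[0] <= cutoff:
            self.accepted.popleft()
        if len(self.accepted) >= self.count:
            self.dropped += 1
            return False
        self.accepted.append(now)
        return True


def filter_events(events, count, period):
    """Replay (timestamp_seconds, payload) pairs through a limiter whose clock is
    driven by the event timestamps, so the result is deterministic and offline.
    Returns (forwarded_payloads, dropped_payloads)."""
    state = {"now": 0.0}
    limiter = RateLimiter(count, period, clock=lambda: state["now"])
    forwarded, dropped = [], []
    for ts, payload in events:
        state["now"] = ts
        (forwarded if limiter.allow() else dropped).append(payload)
    return forwarded, dropped


# Constructed sample: seven stream events with their arrival times in seconds.
SAMPLE_EVENTS = [
    (0.0, "e1"), (0.5, "e2"), (1.0, "e3"), (1.5, "e4"),
    (2.5, "e5"), (3.2, "e6"), (10.0, "e7"),
]

if __name__ == "__main__":
    kept, lost = filter_events(SAMPLE_EVENTS, count=3, period=2)
    print("Rate-Limit-Count=3, Rate-Limit-Period=2 ->", kept, "dropped:", lost)
    kept, lost = filter_events(SAMPLE_EVENTS, count=0, period=2)
    print("Rate-Limit-Count=0 (disabled) ->", kept, "dropped:", lost)
```

With Count=3 and Period=2 the fourth event (1.5 s) is dropped because three events were already accepted within the previous two seconds, while the later events pass once the oldest ones fall out of the window. Because dropped events are gone for good, a limiter set too low on a security feed silently discards violations, so size the limit from the stream's observed peak rate rather than its average.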

Configuring the Input on a Splunk forwarder

Since the Splunk forwarder does not offer a GUI for managing add-ons, the configuration needs to be done by directly editing the inputs.conf file:

  • Copy $SPLUNK_HOME/etc/apps/Corvil/default/inputs.conf to $SPLUNK_HOME/etc/apps/Corvil/local/inputs.conf
  • Edit $SPLUNK_HOME/etc/apps/Corvil/local/inputs.conf to configure one or more inputs. The copy of inputs.conf in default shows the possible options.
  • Each configured input has its own stanza. It starts with a line that names the new input, such as [corvil://db-stream], followed by disabled = 0 and the input’s parameters, which are the same settings as listed above. For example:

```ini
[corvil://test]
sourcetype = corvil
disabled = 0
Hostname = corvil1
Port-Number = 5101
...
```

  • Restart: $SPLUNK_HOME/bin/splunk restart
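Because the forwarder path bypasses the validation the Splunk UI performs, a small linter for the hand-edited stanza catches the mistakes this page warns about later (true/false values that must be 1/0, missing mandatory settings). This is an added example, not a Corvil or Splunk tool. The key names are those that appear in this page's inputs.conf and curl examples; the key for script-based authorization is not documented here, so Username and Password are treated as required; the sample configuration is constructed.

```python
import configparser

# Key names taken from the inputs.conf and curl examples on this page.
BOOLEAN_KEYS = {"disabled", "Only-Violations-Events", "Include-Links",
                "Receive-Heartbeats", "Encrypted", "Allow-Self-Signed"}
REQUIRED_KEYS = {"Hostname", "Username", "Password", "Analytic-Stream-Name"}

# Constructed sample: one well-formed stanza, one with the typical hand-editing errors,
# and one unrelated input that the linter must leave alone.
SAMPLE_INPUTS_CONF = """\
[corvil://good]
sourcetype = corvil
disabled = 0
Hostname = corvil1
Port-Number = 5101
Username = monitor
Password = PASSWORD-PLACEHOLDER
Analytic-Stream-Name = Notable Events
Encrypted = 0

[corvil://bad]
disabled = false
Hostname = corvil2
Port-Number = 443
Username = monitor
Encrypted = true
Allow-Self-Signed = 1

[monitor:///var/log/other]
disabled = 0
"""


def lint_inputs_conf(text):
    """Return {stanza_name: [problems]} for every corvil:// stanza in the text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str            # keep the key case Splunk uses (Hostname, not hostname)
    parser.read_string(text)
    findings = {}
    for section in parser.sections():
        if not section.startswith("corvil://"):
            continue
        items = dict(parser.items(section))
        keys = set(items)
        problems = []
        for key in sorted(REQUIRED_KEYS - keys):
            problems.append(f"missing required key {key}")
        if items.get("Encrypted") != "1" and "Port-Number" not in keys:
            problems.append("missing Port-Number (required unless Encrypted = 1)")
        for key in sorted(BOOLEAN_KEYS & keys):
            if items[key] not in ("0", "1"):
                problems.append(f"{key} = {items[key]} must be 1 or 0, not true/false")
        port = items.get("Port-Number")
        if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"Port-Number = {port} is not a valid TCP port")
        if items.get("Allow-Self-Signed") == "1":
            problems.append("warning: Allow-Self-Signed = 1 accepts the CNE's self-signed "
                            "certificate, so the connection is not authenticated against a trusted CA")
        findings[section] = problems
    return findings


if __name__ == "__main__":
    for stanza, problems in lint_inputs_conf(SAMPLE_INPUTS_CONF).items():
        print(stanza, "OK" if not problems else "")
        for problem in problems:
            print("   -", problem)
```

Run it against $SPLUNK_HOME/etc/apps/Corvil/local/inputs.conf before restarting the forwarder; the Allow-Self-Signed warning is informational, since the page describes that setting as a valid way to get started, but it is worth knowing which inputs rely on it.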

Configuring the Corvil Connector for Splunk to use an encrypted connection

To connect a Corvil Connector for Splunk to a CNE which is only accessible via HTTPS, you must select the option Secure CNE Connection when configuring the Connector and you must select to use either a pre-provisioned self-signed certificate or a signed certificate.

Select to use the pre-provisioned self-signed certificate if you wish to get up and running fast with an encrypted connection, since it requires a minimal number of steps.

If you wish to use a signed certificate, please contact Corvil support for further guidance.

CNE Prerequisites

  • The CNE must be in HTTPS mode (ssh as admin to the CNE CLI, then enter the command force-https).
  • CNE version 9.3.1 is recommended.

Important Notes

  • Splunk 7.0 or later is recommended to give optimal insight into Splunk add-on setup and connectivity error conditions.
  • The corvil_connector.log currently only contains log entries related to new connector configuration added via the Splunk UI or a REST API request. If the connector configuration is added by editing the inputs.conf file from a shell, corvil_connector.log will not contain related log entries.
  • If both “encrypted” and “allow-self-signed” are enabled and the connector fails to establish a connection with the signed certificate, it falls back to using the CNE’s default self-signed certificate.
  • The splunkd.log will contain an error message related to log4j connector configuration. This is a known issue and does not impact connector core functionality or connector logging. The connector uses an embedded log4j configuration rather than an external one.
  • Installation of the Corvil Connector for Splunk via the UI is recommended. If the Corvil Connector is instead installed by unpacking the tar.gz / spl file and copying the directory content onto the Splunk server, ensure that:
    • Permissions are set correctly on the Corvil Connector files
    • If default.conf was copied by hand to create an inputs.conf, all entries with values of true or false are replaced with 1 or 0.

Corvil Connector for Splunk Configuration

The Corvil Connector for Splunk can be configured on the Splunk UI, using the Splunk REST API or via manual file modification.

Configuring the Corvil Connector for Splunk using the Splunk UI

To configure the setup with a self-signed certificate using Splunk UI:

  1. Log in to Splunk Enterprise.
  2. From the Settings menu select Data Inputs. On the Data Inputs page, select Corvil Connector.
  3. Click Add new.
  4. Select Secure CNE Connection. Ensure Allow Self-Signed Certificates is selected.
  5. Complete all other Connector configuration details in the Add Data form and then click Next. If the configuration saves successfully, then the connection was successful.

Configuring the Corvil Connector for Splunk using the Splunk REST API

It is possible to create new Corvil connectors from the command line using the Splunk REST API endpoint. Using this method, you get feedback on whether the Connector was properly configured and whether the connection succeeded.

This method is essentially the same as using the Splunk UI or manually editing inputs.conf but is, instead, feeding the configurable parameters in via the Splunk REST API request which can be useful if you don’t have Splunk UI access.

To configure the setup with self-signed certificate using Splunk CLI commands (REST API):

  1. From a Linux command line, enter the API request containing your required configuration parameters. To enable the encrypted connection, the API request must contain the parameter setting Encrypted=1. For example:

```shell
curl -d 'name=CorvilConnectorName' -d 'Username=monitor' \
     -d 'Hostname=<cne_ip_or_fqdn>' -d 'Password=<password>' \
     -d 'Port-Number=443' -d 'Only-Violations-Events=0' -d 'Include-Links=0' \
     -d 'Analytic-Stream-Name=Notable Events' -d 'Receive-Heartbeats=0' \
     -d 'Encrypted=1' -d 'Allow-Self-Signed=1' \
     -k -u SplunkAdminUser:SplunkAdminPass \
     https://localhost:8089/services/data/inputs/corvil
```

Note that -k turns off verification of the Splunk management port’s TLS certificate, and that credentials passed with -u and -d on the command line are visible in the shell history and in the process list while the command runs.

If the connection is successful, the REST API will return an XML output confirming the connector configuration.

If there is an issue with the connection, an error will be returned.
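The same request as the curl command above, as an added Python example that is not part of the Corvil Connector or of Splunk. It keeps the page's field names and endpoint but replaces -k, which disables certificate checking on the Splunk management port, with a TLS context that trusts a CA bundle you supply. The ca_file argument, the function names and the placeholder host and password are assumptions of this example; the management port's default certificate is self-signed, so the bundle must contain either that certificate or the CA that issued a replacement. Nothing is sent unless create_connector is called.

```python
import base64
import ssl
import urllib.parse
import urllib.request

# Endpoint from the curl example on this page (Splunk management port).
SPLUNK_MGMT_URL = "https://localhost:8089/services/data/inputs/corvil"


def build_connector_params(name, hostname, stream_name, username, password,
                           port=443, encrypted=True, allow_self_signed=False,
                           only_violations=False, include_links=False,
                           heartbeats=False):
    """The same fields as the curl example, with Splunk's 1/0 boolean encoding."""
    flag = lambda b: "1" if b else "0"
    return {
        "name": name,
        "Hostname": hostname,
        "Port-Number": str(port),
        "Username": username,
        "Password": password,
        "Analytic-Stream-Name": stream_name,
        "Only-Violations-Events": flag(only_violations),
        "Include-Links": flag(include_links),
        "Receive-Heartbeats": flag(heartbeats),
        "Encrypted": flag(encrypted),
        "Allow-Self-Signed": flag(allow_self_signed),
    }


def encode_form(params):
    """application/x-www-form-urlencoded body, as curl -d produces."""
    return urllib.parse.urlencode(params).encode()


def build_request(params, admin_user, admin_pass, url=SPLUNK_MGMT_URL):
    """POST with HTTP Basic auth, the equivalent of curl's -u option."""
    req = urllib.request.Request(url, data=encode_form(params), method="POST")
    token = base64.b64encode(f"{admin_user}:{admin_pass}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def tls_context(ca_file):
    """Replace curl's -k with verified TLS: hostname checking stays on and only
    certificates chaining to `ca_file` (an assumed parameter) are trusted."""
    return ssl.create_default_context(cafile=ca_file)


def create_connector(params, admin_user, admin_pass, ca_file,
                     url=SPLUNK_MGMT_URL, timeout=30):
    """Send the request; returns (HTTP status, XML body) from the Splunk REST API.
    Network errors and non-2xx responses raise urllib exceptions."""
    req = build_request(params, admin_user, admin_pass, url)
    with urllib.request.urlopen(req, context=tls_context(ca_file), timeout=timeout) as resp:
        return resp.status, resp.read().decode()


# Constructed parameters mirroring the curl command (placeholders, not real hosts or secrets).
EXAMPLE_PARAMS = build_connector_params(
    name="CorvilConnectorName",
    hostname="cne.example.invalid",
    stream_name="Notable Events",
    username="monitor",
    password="PASSWORD-PLACEHOLDER",
    encrypted=True,
    allow_self_signed=True,   # as in the page's example
)

if __name__ == "__main__":
    print(encode_form(EXAMPLE_PARAMS).decode())
```

Reading the admin credentials and the CA bundle path from a secrets store or environment rather than hard-coding them keeps them out of the shell history, which is the other weakness of the one-line curl form.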

Verifying Corvil events are received

Once you have successfully configured the Corvil Connector for Splunk with a self-signed certificate, the encrypted connection to the CNE is established.
Verify that Splunk is receiving Corvil events from the CNE. One way to check this is to run a search in Splunk such as:

    source="corvil://<corvil_connector_connection_name_in_splunk_data_inputs>"

Data types

The Corvil Connector for Splunk defines a "corvil" source type, which is JSON-formatted data with mandatory fields (for example, timestamp and eventID).

Paths

Connector log file on Splunk server
<splunk_path>/var/log/splunk/corvil_connector.log

Scripts and binaries

Corvil Connector for Splunk includes the following binaries:

  • Corvil/lib/splunk-1.6.2.jar: Splunk-related binaries for the Corvil Connector
  • Corvil/lib/org.apache.sling.commons.json-2.0.10.jar: dependency for JSON formatting
  • Corvil/lib/commons-codec-1.10.jar: dependency for binary fields support
  • Corvil/lib/connector.jar: common binaries for the Corvil Connector
  • Corvil/lib/protobuf-java-2.6.1.jar: dependency for analytic stream decoding
  • Corvil/bin/corvil: init script for Linux
  • Corvil/bin/corvil.bat: init script for Windows
  • Corvil/bin/CorvilConnectors-1608.0.1-JRE-1.*-splunk.spl

Release Notes

Version 1.1.0
March 2, 2018

New features

- Encryption of the stored CNE password: The password of the Corvil user account that the Connector uses to connect to the specified Corvil appliances can now be stored encrypted on the Splunk Enterprise host.
- Connectivity to CNEs via HTTPS: It is now possible for the Connector to connect via HTTPS to Corvil Appliances configured to only accept encrypted connections.
- Authorization script support: Usage of specified scripts to facilitate authorization is now supported.
- Improved Connector logging: Connector will now log notable Connector activities and encountered error conditions such as creation of new modular inputs and issues with connectivity to specified Corvil Analytics Streams. See corvil_connector.log on the Splunk Enterprise host.

Resolved Issues

- Issues found during initial connector configuration for Splunk v7.0 or higher are now flagged by on-screen error messages. For earlier Splunk versions, these error messages are now logged to corvil_connector.log.

Version 1.0.3
Sept. 27, 2016

##### About this release

Version 1.0.3 of the Corvil add-on for Splunk is compatible with:

* **Splunk Enterprise versions** 6.5, 6.4, 6.3, 6.2, 6.1
* **Platforms** Platform independent
* **Vendor Products** Corvil Giga, Corvil Giga+, Corvil Tera and Corvil Tera+
* **System Requirements** Java Runtime Environment (v1.6 or later) installed on the Splunk Enterprise host

##### What’s New in This Release
Version 1.0.3 of the Corvil add-on for Splunk includes the following new features:
* **Special characters**: Special characters in Corvil Appliance’s password are now supported.
* **Timestamp changes**: The timestamp is split into 2 fields: timestamp and timestampNs. The timestamp field contains the microseconds part of the timestamp, and timestampNs contains the nanoseconds part of the timestamp.

##### Fixed issues
Version 1.0.3 of the Corvil add-on for Splunk fixes the following issues:

- Formatting bug in the JSON output from the modular input
