MD5 checksum (gigamon-ipfix-metadata-application-for-splunk_110.tgz): a57e7803433050e83511bf9edb0d28c3
MD5 checksum (gigamon-ipfix-metadata-application-for-splunk_091.tgz): 03963f6a7480c7b663ef42dfe72f50a4
Gigamon IPFIX Metadata Application For Splunk

The Gigamon IPFIX Metadata Application for Splunk allows customers to easily select, index and display network metadata generated by the GigaSECURE Security Delivery Platform.

The GigaSECURE Security Delivery Platform allows users to extract and consolidate metadata from any monitored network traffic flows, package them into NetFlow v5, v9, and IPFIX records, then send them to Splunk Enterprise for indexing. Gigamon has enriched the IPFIX records with information including URL information, HTTP/HTTPS return codes, and DNS query/response information, all of which provide the ability to rapidly diagnose security events for use cases such as identifying rogue DNS services, spotting potential Command and Control server communications using high-entropy domains, and detecting the use of non-trusted or self-signed certificates in SSL-decrypted traffic that could indicate nefarious activity.

Table of Contents

OVERVIEW

  • About Gigamon IPFIX Metadata Application For Splunk
  • Release notes
  • Support and Resources

INSTALLATION AND CONFIGURATION

  • Hardware and Software Requirements
  • Installation steps
    • Deploy to a Single Splunk Server Instance
    • Deploy to a Distributed Splunk Environment
    • Deploy to a Distributed Splunk Environment with Search Head Clustering

USER GUIDE

  • Data types
  • Lookups
  • Configure Gigamon IPFIX Metadata Application For Splunk
  • Troubleshooting
  • Upgrade

OVERVIEW

About Gigamon IPFIX Metadata Application For Splunk

App Version: 1.1.0
Folder Name: GigamonIPFIXForSplunk
Vendor Products: GigaVUE-OS >= 5.0 with GigaSMART
Splunk Requirements: Splunk Stream >= 7.1.0
Has index-time operations: true (SEDCMD for ASN.1 encoded elements)
Create an index: false
Implements summarization: false

Gigamon IPFIX Metadata Application For Splunk allows a Splunk Admin to configure Splunk Stream for Gigamon-specific elements over IPFIX.

Release notes

These are the improvements packaged as part of version 1.1.0.
* Support for the new metadata elements (GigaVUE-OS 5.1)
* Fixed URL dashboard panel

These are the issues that were closed for version 1.0.3.
* Remove install script

These are the issues that were closed for version 1.0.2.
* Macros not loading on Health Screen

These are the issues that were closed for version 1.0.1.
* App Supportability
* Update lookup

Known issues

Version 1.1.0 of Gigamon IPFIX Metadata Application For Splunk has the following known issues:

  • When upgrading between Splunk Stream versions:

    • the splunk_app_stream vocabulary file will be deleted. This needs to be restored with the correct version of the vocab.
    • the splunk_app_stream stream file will be deleted. This needs to be restored with the correct version of the stream.
    • the change in streams (metadata vs packet) requires the deletion and re-addition of the configured netflow stream.
  • If the netflow stream file is changed, any existing streams using that stream configuration need to be deleted and re-added.

Support and resources

Refer to Splunk's Q&A for Splunk-related questions and to Gigamon support (App.Splunk@gigamon.com) for app-specific questions.

INSTALLATION AND CONFIGURATION

Software Requirements

Gigamon IPFIX Metadata Application For Splunk requires the following software:
- Splunk Enterprise 7.0, 6.6, 6.5
- Splunk Stream >= 7.1.0
- GigaVUE-OS >= 5.0
- CIM 4.8

Installation steps

Deploy to a Single Splunk Server Instance

Follow these steps to install the app in a single server instance of Splunk Enterprise:

  1. Download the Gigamon IPFIX Metadata Application For Splunk package from Splunkbase.
  2. Install the App via the recommended installation methods (CLI, Web GUI).
  3. Restart Splunk.
  4. See the Instructions for Gigamon and Stream Integration.

Deploy to a Distributed Splunk Environment

  1. Download the Gigamon IPFIX Metadata Application For Splunk package from Splunkbase on the Search Head, Indexers and Heavy Forwarders.
  2. Install the App via the recommended installation methods (CLI, Web GUI, Deployment Server) on the Search Head.
  3. See the Instructions for Gigamon and Stream Integration.

Install on Universal Forwarders

  1. There is no installation to Universal Forwarders.

Deploy to a Distributed Splunk Environment with Search Head Clustering

  1. Place the App into the "deploy_apps" folder on the Deployer Server.
  2. Be sure to modify the base event type in default/eventtypes.conf prior to deployment!
  3. Deploy the App to the Search Head Cluster.
  4. See the Instructions for Gigamon and Stream Integration.

Gigamon and Stream Integration ::gsi::

The Gigamon and Stream integration requires precise adherence to the instructions. Failure to do so may cause Stream to not collect the Gigamon IPFIX data appropriately.

The GSI (Gigamon and Stream Integration) is an advanced configuration technique, designed to extend the protocol decoding abilities of Splunk Stream. As this feature relies on Splunk Stream, Splunk Stream is a requirement and must be installed on your Splunk server(s). Please see the instructions on how to install Splunk Stream.

Install Stream ::ss_install::

If you are installing Stream for the first time, the preferred version at this time is 7.1.1. If you have an existing stream installation, ensure the version number is 7.1.0 or 7.1.1 (other versions, if available, have not been tested).

NOTE: The NIC associated with the Netflow collection should not be in promiscuous mode. Stream is being used as a protocol decoder in this configuration only.

Extend Stream

In order to extend the base installation of Stream, file-level changes must be made. The base location of the Gigamon-specific configuration is $SPLUNK_HOME/etc/apps/GigamonIPFIXForSplunk/appserver/static/library. $SPLUNK_HOME refers to the install location of Splunk. Start in the library folder mentioned, and then proceed to the Manual Configuration section.

Manual Configuration ::install_manual::

This configuration method requires the user to edit and copy various files to locations in the splunk_app_stream and Splunk_TA_stream apps. $SPLUNK_HOME refers to the install location of Splunk.

Install into Stream ::install_stream_manual::
  1. Edit gigamon_streamfwd.conf to change the receiver IP and Port to your local settings (replace @@IP and @@PORT).
  2. Copy gigamon_streamfwd.conf to $SPLUNK_HOME/etc/apps/splunk_app_stream/local/streamfwd.conf and $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/streamfwd.conf.
  3. Copy the Splunk Stream Version-specific vocabulary file (see file names right below) to $SPLUNK_HOME/etc/apps/splunk_app_stream/default/vocabularies/gigamon.xml and $SPLUNK_HOME/etc/apps/Splunk_TA_stream/default/vocabularies/gigamon.xml.
    1. For Splunk Stream 7.1.0: gigamon_vocabulary_7.1.0.xml
    2. For Splunk Stream 7.1.1: gigamon_vocabulary_7.1.1.xml
  4. Copy the Gigamon elements (elements that have gigamon in them) from gigamon_stream.json and place them into the fields array of the $SPLUNK_HOME/etc/apps/splunk_app_stream/default/streams/netflow file.
    1. A Gigamon element looks like this: { "aggType": "value", "desc": "DNS: Bits - GigaVUE-OS v5.0", "enabled": true, "name": "dns_bits", "term": "gigamon.dnsBits"}
    2. Notice that the term contains the word gigamon. All of those objects need to be copied; there are 61 fields.
    3. Find the term "netflow:elements" in the fields array.
    4. Place a comma after this term object.
    5. Paste the copied gigamon fields after the netflow:elements term.
    6. NOTE: THIS FILE IS IN JSON. Please check for proper formatting.
  5. GigaSMART occasionally sends data elements encoded in ASN.1 to Stream. To avoid excessive license usage, apply the following fix.
    1. On the system indexing the Stream data (typically where splunk_app_stream is installed), edit the $SPLUNK_HOME/etc/apps/splunk_app_stream/local/props.conf file.
    2. For the stanza [stream:netflow], add this line of configuration: SEDCMD-remove_nulls_gigamon = s/\\u0000//g. If the stanza doesn't exist, create it.
    3. This SEDCMD will remove any data that cannot be decoded correctly.
  6. Restart Splunk.
  7. Configure Stream via the steps at Stream Configuration.
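The JSON merge in step 4 is the easiest place to break the netflow stream file by hand. The following Python helper is an added example, not part of the app or of Splunk Stream: it copies only the objects whose term contains "gigamon", inserts them directly after the "netflow:elements" object, and skips terms that are already present, so it can be re-run after a Stream upgrade restores the stock file (see Stream Upgrade Notes). Both JSON structures below are constructed samples standing in for gigamon_stream.json and the netflow stream file; the first Gigamon object is the one shown in step 4.1.

```python
import json

# Constructed sample of the Stream "netflow" stream file, not the real
# $SPLUNK_HOME/etc/apps/splunk_app_stream/default/streams/netflow.
NETFLOW_STREAM = {
    "name": "netflow",
    "fields": [
        {"aggType": "value", "desc": "Source IP", "enabled": True, "name": "src_ip", "term": "netflow.sourceIPv4Address"},
        {"aggType": "value", "desc": "All elements", "enabled": True, "name": "elements", "term": "netflow:elements"},
        {"aggType": "value", "desc": "Bytes", "enabled": True, "name": "bytes", "term": "netflow.octetDeltaCount"},
    ],
}

# Constructed sample of gigamon_stream.json; the first object is the one shown in the README.
GIGAMON_STREAM = {"fields": [
    {"aggType": "value", "desc": "DNS: Bits - GigaVUE-OS v5.0", "enabled": True, "name": "dns_bits", "term": "gigamon.dnsBits"},
    {"aggType": "value", "desc": "HTTP: URL (constructed)", "enabled": True, "name": "http_url", "term": "gigamon.httpUrl"},
    {"aggType": "value", "desc": "Bytes", "enabled": True, "name": "bytes", "term": "netflow.octetDeltaCount"},  # no 'gigamon': skipped
]}

def gigamon_fields(stream):
    """Select only the objects whose term contains 'gigamon' (the README's copy rule)."""
    return [f for f in stream["fields"] if "gigamon" in f.get("term", "")]

def merge_gigamon_fields(netflow, gigamon):
    """Return (merged copy, count added). Gigamon objects are inserted right after the
    'netflow:elements' object; terms already present are skipped, so re-running after a
    Stream upgrade has restored the stock file adds only what is missing."""
    fields = netflow["fields"]
    anchors = [i for i, f in enumerate(fields) if f.get("term") == "netflow:elements"]
    if not anchors:
        raise ValueError("no 'netflow:elements' object in the fields array")
    present = {f.get("term") for f in fields}
    new = [f for f in gigamon_fields(gigamon) if f["term"] not in present]
    merged = dict(netflow)
    merged["fields"] = fields[:anchors[0] + 1] + new + fields[anchors[0] + 1:]
    return merged, len(new)

def merge_files(netflow_path, gigamon_path):
    """Merge on disk. json.load is the 'check for proper formatting' step: a hand-edited
    file with a stray comma fails here instead of silently breaking Stream."""
    with open(netflow_path) as fh:
        netflow = json.load(fh)
    with open(gigamon_path) as fh:
        gigamon = json.load(fh)
    merged, added = merge_gigamon_fields(netflow, gigamon)
    with open(netflow_path, "w") as fh:
        json.dump(merged, fh, indent=2)
    return added
```

Run merge_files against a copy of the netflow file first and diff the result; the same helper applies to the Splunk_TA_stream copy in deployment-apps.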

Stream Configuration ::stream_config::

Full and complete documentation of the latest Stream Configuration is located at docs.splunk.com. Instructions for Stream 7.1.0 are available at Stream 7.1.0 - User Manual - Configure Streams.

  1. Navigate to the Splunk App For Stream
  2. Use the navigation bar: Configuration -> Configure Streams
  3. In the top right of the dashboard, click New Stream -> Metadata Stream
    1. (Full documentation here)
  4. Basic Info
    1. Protocol: Netflow
    2. Name: your source name
    3. Click Next
  5. Aggregation (Full documentation here)
    1. Click Next to accept the default of No
  6. Fields (Full documentation here)
    1. Deselect the fields that you do not want to collect
    2. Click Next
  7. Filters (Full documentation here)
    1. Create a filter to limit the data that is collected
    2. Click Next
  8. Settings
    1. Select an index to collect data to
    2. Select the status
    3. Click Next
  9. Groups
    1. Select a forwarder group (if applicable)
    2. Click Create Stream
  10. Done
    1. Click Done

Configure GigaSMART

Now that Stream is configured to accept Gigamon Elements, configure the Gigamon appliance that has the GigaSMART card installed. Gigamon provides documentation to configure netflow and metadata generation, and there is also a third-party step-by-step tutorial that may help configure the GigaSMART.

NOTE: There is an option within the GigaSMART Exporter configuration to set the Template Refresh Interval. This setting should be set to AT MOST 2 minutes.

Distributed Stream Deployment

If you are pushing Splunk_TA_stream to a universal forwarder in a distributed deployment, then you must make the same changes for Splunk_TA_stream described above in the deployment-apps folder.

Stream Upgrade Notes

  • When upgrading Stream:

    • the splunk_app_stream vocabulary file will be deleted. This needs to be restored with the correct version of the vocab.
      • Follow Step 3 in the Manual Configuration.
    • the splunk_app_stream stream file will be deleted. This needs to be restored with the correct version of the stream.
      • Follow Step 4 in the Manual Configuration.
    • the change in streams (metadata vs packet) [Splunk Stream 7.0.1 -> 7.1.x] requires the deletion and re-addition of the configured netflow stream.
  • If the netflow stream file is changed, any existing streams using that stream configuration need to be deleted and re-added.

USER GUIDE

Data types

This app provides the index-time and search-time knowledge for the following types of data:

  1. Gigamon IANA PEN Elements as sent via GigaSMART over Netflow IPFIX.

Lookups

The following lookups are provided as a part of the Gigamon IPFIX Metadata Application For Splunk app.

  • port_list
    • This lookup provides descriptions for most common port numbers.
  • http_status
    • This lookup provides descriptions for most HTTP event codes.
  • dns_responses
    • This lookup provides descriptions for DNS reply code ids.
  • protocol_numbers
    • This lookup provides descriptions for most common protocol numbers.

Event Generator

Gigamon IPFIX Metadata Application For Splunk makes use of an event generator. This allows the product to display data even when there are no inputs configured. Edit eventgen.conf for each stanza to "enable" the stanza.

gigamon_ipfix_http.sample

This generates the fields relevant to the IPFIX IANA HTTP elements.

gigamon_ipfix_ssl.sample

This generates the fields relevant to the IPFIX IANA SSL elements.

gigamon_ipfix_dns.sample

This generates the fields relevant to the IPFIX IANA DNS elements.

Configure Gigamon IPFIX Metadata Application For Splunk

  • Install the App according to your environment (see steps above)
  • Navigate to the App
  • Edit the event type to point to the correct data for the netflow.
  • Click the Update Eventtype button, and the Save button.

Troubleshoot Gigamon IPFIX Metadata Application For Splunk

The best place to start troubleshooting Gigamon IPFIX Metadata Application For Splunk is to visit the Monitoring Console Health Check. There are 4 specific checks related to the Gigamon Stream configuration.
Click the "Start" button and then review the results.

If you are still having problems, use the Command line and run this command:

$SPLUNK_HOME/bin/splunk diag --collect app:GigamonIPFIXForSplunk

Send the generated diag file to Gigamon IPFIX Metadata Application For Splunk support.

Accelerations

Summary Indexing: None
Data Model Acceleration: None
Report Acceleration: None

Upgrade Gigamon IPFIX Metadata Application For Splunk

Upgrade Gigamon IPFIX Metadata Application For Splunk by re-installing into your environment per Splunk Documentation and your environment (see steps above).

Third-party software attributions

Gigamon IPFIX Metadata Application For Splunk incorporates the third-party software or libraries mentioned here.

Release Notes

Version 1.1.0
Sept. 30, 2017

Version 0.9.1
June 19, 2017

v0.9.1 - Documentation Update Only.
v0.9.0 - Gigamon IPFIX for Splunk v0.9.0 provides the knowledge objects and documentation to configure Splunk Stream for the purposes of consuming Gigamon IANA IPFIX Custom Elements.


© 2005-2017 Splunk Inc. All rights reserved.