Downloading LANGuardian App for Splunk
SHA256 checksum (languardian-app-for-splunk_100.tgz) 6c79b389904263a646b2ccf5b9dac3f3b87c340407d88bec7a04827d50ff460a
LANGuardian App for Splunk

Splunk Certified
LANGuardian App For Splunk consumes individual reports via API.

Table of Contents

OVERVIEW

  • About LANGuardian App For Splunk
  • Release notes
  • Performance benchmarks
  • Support and resources

INSTALLATION

  • Hardware and Software Requirements
  • Installation steps
  • Deploy to a Single Server Instance
  • Deploy to a Distributed Deployment
  • Deploy to a Distributed Deployment with Search Head Clustering
  • Deploy to Splunk Cloud

USER GUIDE

  • Data types
  • Lookups
  • Configure LANGuardian App For Splunk
  • Troubleshooting
  • Upgrade

OVERVIEW

About LANGuardian App For Splunk

Developer: Aplura, LLC
App Version: 1.0.0
App Build: 51
TA: TA-LANGuardianAppForSplunk
IA: IA-LANGuardianAppForSplunk
Folder Name: LANGuardianAppForSplunk
Vendor Products: LANGuardian
Has index-time operations: true
Create an index: false
Implements summarization: false

LANGuardian App For Splunk consumes individual reports via API for integration.

Scripts and binaries
  • bin/languardian.py
    • The Modular Input used to communicate with the API and consume its data.
  • bin/ModularInput.py
    • The Modular Input Class to consume and populate Splunk with data.
  • bin/RESTClient.py
    • The REST Client Base Class to interact with LANGuardian.
  • Utilities.py
    • This class provides administrative interactions to the Splunk platform.

Release notes

These are the issues that were closed for version 1.0.0.

  • Test and QA

    • [NLG-15] - Testing for Splunk 6.4 and 6.5, 6.6
  • Bug

    • [NLG-16] - Modular Input div stuck until tab clicked
    • [NLG-27] - Password returned URI encoded.
    • [NLG-28] - No Schema Supplied
    • [NLG-29] - LANGuardian and Splunk Timezones Don't Match
    • [NLG-30] - Changes to configuration not detected.
  • New Feature

    • [NLG-3] - Documentation
    • [NLG-4] - Create Modular Input
    • [NLG-5] - Application Icons
    • [NLG-6] - Modular Input Configuration Module
    • [NLG-7] - Checklist.conf For LANGuardian / App Error View
    • [NLG-8] - App Overview Dashboard
    • [NLG-9] - Application Detail View
    • [NLG-10] - Syslog Parsing
    • [NLG-11] - Sort keys in Netfort output
    • [NLG-13] - Input panel should ask for a destination index
    • [NLG-14] - Inputs configuration should have select / deselect all buttons
    • [NLG-19] - Data Gen
    • [NLG-21] - Update Documentation

  • Improvement

    • [NLG-17] - Re-organize Navigation
    • [NLG-18] - Default to select all
    • [NLG-22] - Configure Modular Input to support REST proxy
    • [NLG-26] - Update interval time
    • [NLG-32] - Remove Report

About this release

Version 1.0.0 (51) of LANGuardian App For Splunk is compatible with:

Splunk Enterprise versions: 6.5, 6.6
CIM: 4.8
Platforms: Platform independent
Vendor Products: LANGuardian

Fixed issues

Version 1.0.0 (51) of LANGuardian App For Splunk fixes the following issues:

  • No Fixed Issues. If you find an error, please contact support.

Known issues

Version 1.0.0 (51) of LANGuardian App For Splunk has the following known issues:

  • The installation file /appserver/addons/IA-LANGuardianAppForSplunk.spl is missing the props.conf and transforms.conf files in the default folder. As a workaround, you can pull these files from TA-LANGuardianAppForSplunk/default/props.conf and TA-LANGuardianForSplunk/default/transforms.conf, or install the TA-LANGuardianAppForSplunk app on the IA.

Support and resources

Questions and answers

Access questions and answers specific to LANGuardian App For Splunk at https://answers.splunk.com.

Support

Support Offered: Yes
Support Email: splunkapp@netfort.com

Please visit https://answers.splunk.com, and ask your question regarding LANGuardian App For Splunk. Please tag your question with the correct App Tag, and your question will be attended to.

INSTALLATION AND CONFIGURATION

Software requirements

To function properly, LANGuardian App For Splunk requires the following software:

  • Splunk 6.4, 6.5, 6.6
  • LANGuardian 14.1.2 or later and reports version 512. See LANGuardian Software

Splunk Enterprise system requirements

Because this add-on runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.

Download

Download LANGuardian App For Splunk at http://splunkbase.splunk.com

Installation steps

This app has the following inputs pre-configured:

None.

Deploy to single server instance

Follow these steps to install the app in a single server instance of Splunk Enterprise:

  1. Download the LANGuardian App For Splunk package from https://splunkbase.splunk.com.
  2. Install the App via the recommended installation methods (CLI, Web GUI)
  3. Restart Splunk.
  4. Configure the Modular Input with the required settings.

Deploy to distributed deployment

Install to search head

  1. Download the LANGuardian App For Splunk package from https://splunkbase.splunk.com.
  2. Install the App via the recommended installation methods (CLI, Web GUI, Deployment Server)
  3. Do NOT configure a Modular Input, unless there is only 1 (one) single Search Head.

Install to indexers

  1. Download the LANGuardian App For Splunk package from https://splunkbase.splunk.com.
  2. Untar the package and locate the TA (Technology Add-On) located in "LANGuardianAppForSplunk/appserver/addons". The package will end in ".spl" and should be labeled "TA-LANGuardianAppForSplunk".
  3. Install "TA-LANGuardianAppForSplunk" onto the indexers per your environment.

Install to universal forwarders

  1. There is no installation to Universal Forwarders.

Install to Heavy Forwarders

  1. Download the LANGuardian App For Splunk package from https://splunkbase.splunk.com.
  2. Untar the package and locate the IA (Input Add-On) located in "LANGuardianAppForSplunk/appserver/addons". The package will end in ".spl" and should be labeled "IA-LANGuardianAppForSplunk".
  3. Install "IA-LANGuardianAppForSplunk" onto a heavy forwarder in your environment.
  4. Configure the Modular Input with the required settings.
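
The download check and the "untar and locate the add-on" steps above, together with a check for the known issue in the IA package, as an added shell example (not part of the app or its documentation). It assumes the .spl packages are gzip-compressed tar archives; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not shipped with the app. Function names are hypothetical.
# Assumption: .spl packages are gzip-compressed tar archives.

# sha256_of FILE -> prints the lowercase hex SHA256 digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 only when the digest matches exactly
verify_sha256() {
    local expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# safe_members ARCHIVE -> 0 when no member is absolute or climbs out with ".."
safe_members() {
    local listing
    listing=$(tar -tzf "$1") || return 2
    ! printf '%s\n' "$listing" | grep -Eq '(^/|(^|/)\.\.(/|$))'
}

# list_addons TGZ -> prints the .spl add-ons under appserver/addons (no extraction)
list_addons() {
    tar -tzf "$1" |
        grep -E '^(\./)?LANGuardianAppForSplunk/appserver/addons/[^/]+\.spl$'
}

# ia_missing_confs SPL -> prints each of props.conf / transforms.conf that is
# absent from the package's default folder (the known issue for the IA)
ia_missing_confs() {
    local listing f
    listing=$(tar -tzf "$1") || return 2
    for f in props.conf transforms.conf; do
        printf '%s\n' "$listing" | grep -Eq "(^|/)default/$f\$" || echo "$f"
    done
}

# Usage with the file name and checksum published on this page:
#   verify_sha256 languardian-app-for-splunk_100.tgz \
#     6c79b389904263a646b2ccf5b9dac3f3b87c340407d88bec7a04827d50ff460a \
#     && safe_members languardian-app-for-splunk_100.tgz \
#     && list_addons languardian-app-for-splunk_100.tgz
```

Run `ia_missing_confs` against the extracted IA package before installing it on a heavy forwarder; any file name it prints has to be supplied using the workaround given under Known issues.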

Deploy to distributed deployment with Search Head Clustering

  1. Place the App into the "deploy_apps" folder on the Deployer Server.
  2. Follow the instructions to install to a Heavy Forwarder. This step is REQUIRED in a clustered SH environment!
  3. Deploy the App to the Search Head Cluster. DO NOT install "IA-LANGuardianAppForSplunk" to the Cluster!

Deploy to Splunk Cloud

  1. Instruct the Splunk Cloud Support team to follow the instructions above that match the Cloud environment.

USER GUIDE

Data types

This app provides the index-time and search-time knowledge for the following types of data:

Available reports:

  • Name - RID
  • NetBios/DNS Resolv Table (Inventory) - 1041
  • Bittorrent Table - 1010
  • DNS MX Table - 1007
  • Ethernet Flows Table - 1030
  • IDS Table - 1003
  • IP Flows Table - 1000
  • MAC Info Table (Inventory) - 1042
  • MSSQL Table - 1016
  • Netscans Table - 1002
  • NFS Table - 1018
  • OS Table (Inventory) - 1040
  • Portscan Table - 1006
  • Proxy Flows Table - 1031
  • Service Inspector Table - 1008
  • SMTP Table - 1004
  • User Info Table (Inventory) - 1043
  • User Login Table - 1044
  • User Agent Table - 1045
  • Volmeter Table - 1005
  • Web Access Table - 1001
  • Windows Fileshare Table - 1009

  • This data feed is the result of calls to the LANGuardian API. If you aren't receiving events, check the modular input configuration to verify the event types specified.

Lookups

LANGuardian App For Splunk contains no lookup files.

Event Generator

LANGuardian App For Splunk can use an event generator. This allows the product to display data when there are no inputs configured.

There are five sample event files supplied for event generation. These samples are found in the samples folder of the app and are:

  • report_1000.sample
  • report_1001.sample
  • report_1004.sample
  • report_1009.sample
  • report_1044.sample

NOTE: To generate events, the Eventgen app must be installed. The app and instructions can be found at https://splunkbase.splunk.com/app/1924/. This app should not be installed on a production system unless you understand the ramifications of generated data being mixed with production data. It is important to realize that, unless the eventgen.conf file is modified, data will be put in the main index.

Configure LANGuardian App For Splunk

  • Install the App according to your environment (see steps above)
  • Navigate to "App > LANGuardian App For Splunk > Administration > Application Configuration"

Application Configuration Dashboard

To configure the LANGuardian application, start on the Application Configuration page ("Administration > Application Configuration"):

Application Configuration

On this screen you can set a flag that specifies that the application is configured. In the future there will be additional configurations available.

Proxy Configuration

If you have configured a proxy server you can view the configuration under this tab. These are proxy server configurations that are being used by existing modular inputs for the LANGuardian application. You can also delete existing proxy configurations on this tab.

Encrypted Credentials

You can view/delete existing credentials on this tab. These are credentials that are being used by existing modular inputs in the LANGuardian application. These credentials are the credentials used to connect to LANGuardian appliances.

Modular Inputs

On this screen you can view and make any changes to existing modular inputs. Once you are done you will need to press "Save" to apply your changes.

Creating New Proxy Configurations

If you need to use a proxy as part of the connection to the LANGuardian appliance, configure it here.

  • To create a new proxy server configuration, click the Create New Proxy Configuration button and fill in the following fields:
    • Proxy Name: Name for the proxy configuration. This name will be used as the proxy name in the modular input configuration.
    • Host: Proxy host name or IP.
    • Port: Port used to connect to the proxy server.
    • Username: Username used to connect to the proxy server.
    • Password: Password for the username specified above.
    • Use SSL: Should SSL be used for the proxy configuration?

Creating New Credentials

By default, creating a new modular input with a username and password specified will create the necessary encrypted credentials. However, if you want to create encrypted credentials manually, follow this process:

  • To create a new encrypted credential, click the Create New Credential button and fill in with the appropriate username and password.
  • The realm is the application name where the encrypted credential is created + the username.

NOTE: By default creating a new modular input will automatically create a new encrypted credential so this process is not necessary unless you need a new credential for another purpose.

Creating New Modular Inputs

NOTE: You will need to configure a new modular input for each appliance

  • To create a new data input, click the Create New Modular Input button and fill in the following fields. Those with a red asterisk on the screen are required.
  • Modular Input Name: Name for the data input configuration.
  • Hostname: The hostname or IP address of the LANGuardian appliance to receive data from.
  • Username: The username used to connect to the appliance.
  • Password: The password for the previously specified username.
  • Interval: The number of seconds between polls for new data. This setting must be at least 60.
  • Toggle all reports: Check to select all reports.
  • Report IDs: List of reports available on the LANGuardian appliance. Check the report if you wish to pull event data.
  • Custom Report IDs: Enter report IDs (comma-separated list) for reports that are not listed above but may have been user created.
  • Use Proxy: Indicates if a proxy should be used for communication with the LANGuardian appliance.
  • Proxy Name: Enter the name of the proxy stanza to use with the input.
  • Custom Report IDs: A comma-separated list of custom report IDs to be consumed by the data input.
  • Set Sourcetype: Sets the sourcetype for events collected by this data input. Changing this option from automatic may have negative effects on this app as a whole.
  • Host: Sets the hostname to assign to data being collected by this input. It overwrites what is indicated by the data being collected.
  • Index: This sets the index for data to be written to. This setting should be changed from default, which normally writes to the main index, to a specified index for best performance.

  • After creating the modular input you will need to disable/re-enable the input in "Settings > Data Inputs > LANGuardian App For Splunk" to activate the input.

NOTE: When configuring the modular input through the Application Configuration dashboard, the password is automatically encrypted into the credential store. If you need to change the credential, create a new credential, and reference the host/user pair in the modular input configuration. An encrypted credential is required for this Splunk App.

Report Acceleration

None

Data Model Acceleration

None

Summary Indexing

None

Troubleshoot LANGuardian App For Splunk

The best place to start troubleshooting LANGuardian App For Splunk is using the Application Health Overview dashboard under the Administration dropdown. There you will find several panels with information related to errors in the LANGuardian App For Splunk app.

Another troubleshooting method for the LANGuardian App For Splunk app is using this search:

sourcetype=LANGuardianAppForSplunk:error

Upgrade LANGuardian App For Splunk

Upgrade LANGuardian App For Splunk by re-installing into your environment per Splunk Documentation and your environment (see steps above).

Third-party software attributions

Please see README in app for full attributions.

Release Notes

Version 1.0.0
June 30, 2017

LANGuardian App For Splunk consumes individual reports via API from Netfort's LANGuardian.
