TA-Illumio
The Illumio Technology Add-On for Splunk enriches Illumio Policy Compute Engine (PCE) data with Common Information Model (CIM) field names, event types, and tags. This TA enables Illumio data to be easily used with Splunk Enterprise Security, Splunk App for PCI Compliance, etc.

TA-Illumio compatibility matrix
Ver 1.X -> Splunk 6 and Splunk 7 + PCE ver 17.1, 17.2 and 17.3 and 18.1
Ver 2.X -> Splunk 7 + PCE ver 18.2 (with Events 2.0 syslog messages), PCE ver 18.3, PCE 19.1 and PCE 19.3
Ver 3.0/3.1 -> Splunk 7 and Splunk 8 + PCE ver 18.2 (with Events 2.0 syslog messages), PCE ver 18.3, PCE 19.1 and PCE 19.3
Ver 3.2 -> Splunk 7.3 and Splunk 8 + PCE ver 18.2 (with Events 2.0 syslog messages), PCE ver 18.3, PCE 19.1, PCE 19.3, PCE 20.1, and PCE 21.2


For dashboards with Illumio data, please install the Illumio App for Splunk available at https://splunkbase.splunk.com

OVERVIEW

  • The Illumio Add-on for Splunk integrates with the Illumio Policy Compute Engine (PCE). It enriches Illumio data with Common Information Model (CIM) fields and enables Illumio data to be easily used with Splunk Enterprise Security, Splunk App for PCI Compliance, etc.
  • For dashboards with Illumio data, please install the Illumio App for Splunk available at https://splunkbase.splunk.com
  • Version: 3.2.2
  • Supported Splunk versions are 8.1.x and 8.2.x
  • Supported PCE Versions are 17.1, 17.2, 17.3, 18.1, 18.2.0, 18.2.x, 18.3, 19.1, 19.3, 20.1 and 21.2.x.
  • Supported SaaS PCE Version is 21.5.3-3.

Release Notes

  • Version 3.2.2

    • Improve support for SaaS PCE.
    • Fix SaaS Supercluster validation error on /health API endpoint resulting in missing content for SaaS PCE in
      /opt/splunk/etc/apps/TA-Illumio/local/inputs.conf
      /opt/splunk/etc/apps/IllumioAppForSplunl/local/inputs.conf
  • Version 3.2.1

    • Removed eventgen.conf from "Illumio Add-on for Splunk" package.
  • Version 3.2.0

    • Modified data collection code to support the supercluster.
    • Added supercluster_members.conf file to add members of the supercluster.
    • Added "leader_fqdn" field in events only if configured PCE is part of the supercluster.
    • Made the port number field optional during input configuration.
    • Enhanced CIM field extractions.
  • Version 3.1.0

    • Modified data collection code to handle Service Unavailable error.
    • Changed the type of the created input from [tcp] to [tcp-ssl].
    • Extracted new fields for Illumio PCE health data.
  • Version 3.0.0

    • Splunk 8 Support.
    • Made Add-on Python23 compatible.
  • Version 2.3.0

    • Changed API version from v1 to v2.
    • Added support for S3 data.
    • Added two API calls, services and ip_lists, for the Alert Configuration dashboard.
    • Added some field extractions for the Alert Configuration dashboard.
    • Changed time extraction and used the timestamp field for _time.
  • Version 2.2.2

    • Fixed the bug while saving the data input.
  • Version 2.2.1

    • Extracted pce_fqdn field for illumio:pce:metadata source type.
    • Removed "IP Address of PCE Node" field from Data Inputs page.
    • Added "Hostname of PCE Node" field on Data Inputs page.
  • Version 2.2.0

    • Extracted new fields for source and destination labels.
    • Added encryption for "API Secret".
    • Added validation for "Allowed port scanner Source IP addresses".
    • Removed "dnslookup" custom command.
  • Version 2.1.0

    • Added support for Illumio PCE 18.3.1, 19.1
    • For Illumio Cloud data coming from S3, added support for JSON data format for illumio:pce and illumio:pce:collector source types.
    • Added test script to check the connection with the Illumio server.
  • Version 2.0.2

    • Added support for Illumio PCE 18.2.1, 18.2.2, 18.2.3
  • Version 2.0.1

    • Fixed the issue of fqdn in host_details_lookup table when PCE URL contains special characters.
  • Version 2.0.0

    • This version of TA (2.0.0) is only compatible with Illumio PCE 18.2.0
    • This version of TA (2.0.0) is not compatible with Illumio PCE 17.X

RECOMMENDED SYSTEM CONFIGURATION

  • Standard Splunk configuration of Search Head, Indexer, and Forwarder.

TOPOLOGY AND SETTING UP SPLUNK ENVIRONMENT

  • This app has been distributed in two parts.

    1) Add-on app, which listens for Syslog messages from Illumio PCE and collects Illumio metadata using REST API Calls.

    2) The main app for visualizing Illumio PCE data.

  • This App can be set up in two ways:

1) Standalone Mode:

Install the main app and Add-on app.
  • Here both apps reside on a single machine.
  • The main app uses the data collected by the Add-on app and builds dashboards on it.

2) Distributed Environment:

a) With heavy forwarder

Install the main app and the Add-on app on the search head, and the Add-on app on the heavy forwarder.

* Configure Add-on app on heavy forwarder.
* The main app on search head uses the received data and builds dashboards on it.

b) With Splunk Universal Forwarder

Install the main app and the Add-on app on the search head, and the Add-on app on the universal forwarder and the indexer.

1. Configure Splunk Universal Forwarder to collect data from Illumio Server.
    * TCP SSL configuration
        * Create TCP-SSL stanza in $SPLUNK_HOME/etc/system/local/inputs.conf file.
            ```
            [tcp-ssl://<PORT>]
            index=<INDEX-NAME>
            sourcetype=illumio:pce
            ```
        * Then create an [SSL] stanza in the $SPLUNK_HOME/etc/system/local/inputs.conf file.
            ```
            [SSL]
            serverCert = <path>
            sslPassword = <password>
            ```

            * To use the Splunk default certificate, add
                ```
                [SSL]
                serverCert = $SPLUNK_HOME/etc/auth/server.pem
                ```
                The sslPassword can be found in $SPLUNK_HOME/etc/system/local/server.conf or $SPLUNK_HOME/etc/system/default/server.conf under the [sslConfig] stanza.
        * Restart Splunk.

    * If you are using an on-prem Splunk instance and want to configure TCP instead of TCP-SSL, follow the steps below:
        * Remove -SSL from the TCP-SSL stanza in the $SPLUNK_HOME/etc/system/local/inputs.conf file.
        * Restart Splunk.


2. Configure the Splunk Universal Forwarder to send the data to Splunk Indexer.
    * Execute the command below on the SUF (<IP> and <PORT> are the Splunk Indexer IP and its listening port).
         * $SPLUNK_HOME/bin/splunk add forward-server <IP>:<PORT>

3. Configure Splunk Indexer to receive data from SUF.
    * Create the stanza below in the $SPLUNK_HOME/etc/system/local/inputs.conf file.
        ```
        [splunktcp://<PORT>]
        ```

INSTALLATION IN SPLUNK CLOUD

  • Same as on-premise setup.

INSTALLATION OF APP

  • This app can be installed through UI using "Manage Apps" or from the command line using the following command:

    sh $SPLUNK_HOME/bin/splunk install app $PATH_TO_SPL/TA-Illumio.spl/

  • Alternatively, extract the SPL file directly into the $SPLUNK_HOME/etc/apps/ folder.

USING SAMPLE DATA

  • This app contains sample data in "sample" folder for ILLUMIO PCE 18.2.0, PCE 18.2.3 and PCE 19.1 which can be used to test visualization dashboards of Illumio App for Splunk application by populating sample data using SA-Eventgen app. Sample event data will be generated in index=main by default.
  • To collect sample data, the user needs to place eventgen.conf at the following location:

    • $SPLUNK_HOME/etc/apps/TA-Illumio/local/eventgen.conf
  • To get the required eventgen.conf, contact the support email provided below.

Upgrade

From v3.2.1 to v3.2.2

  • No steps required.

From v3.2.0 to v3.2.1

  • No steps required.

From v3.1.0 to v3.2.0

  • No steps required.

From v3.0.0 to v3.1.0

  • No steps required.

From v2.2.0 or below to 2.2.1

  • If you are using the "IP Address of PCE Node" field of the Data Inputs page for private IP addresses, follow the steps below after upgrading to version 2.2.1:
  1. Go to Settings->Data Inputs->Illumio
  2. Select the input name which had private IP addresses configured.
  3. Add the hostname corresponding to the configured IP addresses in the "Hostname of PCE Node" field.
  4. Update the input.

From v2.0.1 to v2.1.0 or above

  • If you are using a custom index for ingesting Illumio data into Splunk, update the "illumio_index" event type by following the steps below:
  1. Go to Settings->Event types
  2. Search for the 'illumio_index' event type.
  3. Edit the search string for 'illumio_index' to index="custom_index_name".

APPLICATION SETUP

  • After installation:
  1. Go to Settings->Data inputs->Illumio
  2. Enter all required information.
  3. For TCP SSL configuration, follow the steps below:

    1) Create an [SSL] stanza in the $SPLUNK_HOME/etc/apps/<app_name>/local/inputs.conf file.

        [SSL]
        serverCert = <path>
        sslPassword = <password>

    2) To use the Splunk default certificate, add

        [SSL]
        serverCert = $SPLUNK_HOME/etc/auth/server.pem

       The sslPassword can be found in $SPLUNK_HOME/etc/system/local/server.conf or $SPLUNK_HOME/etc/system/default/server.conf under the [sslConfig] stanza.

    3) Restart Splunk.

  4. If you want to configure TCP instead of TCP-SSL, follow the steps below:

    1) Remove -SSL from the TCP-SSL stanza in the $SPLUNK_HOME/etc/system/local/inputs.conf file.
    2) Restart Splunk.

  5. If you want to collect data over a secure network with certificate checking, follow the steps below:

    Steps to get root certificate:

    1) Copy the URL of Illumio and paste it into your browser. These instructions are for Firefox.
    2) Click View Page Info > Security > View Certificate > Details.
    3) Click on the root certificate.
    4) Export PEM file and use it in the configuration.
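The listener stanzas asked for in the Universal Forwarder steps and in the TCP SSL steps above are easy to leave half-done (plain [tcp://] instead of [tcp-ssl://], no [SSL] stanza, or <placeholder> values never replaced). The following is an added example, not part of the TA-Illumio package, that parses an inputs.conf and reports those gaps; the sample configurations, port, index name and password are constructed for the example.

```python
import configparser

# Constructed sample: listener left on plain TCP, no [SSL] stanza (weak).
WEAK_CONF = """
[tcp://5514]
index = illumio
sourcetype = illumio:pce
"""

# Constructed sample: the documented TCP-SSL listener using Splunk's default
# server certificate. Port, index and password are made up for this example.
HARDENED_CONF = """
[tcp-ssl://5514]
index = illumio
sourcetype = illumio:pce

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = example-password
"""

def parse_conf(text):
    """Parse Splunk's INI-style .conf text; keys stay case-sensitive (serverCert)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def is_placeholder(value):
    """True for template values such as <PORT> or <path> that were never filled in."""
    return value.startswith("<") and value.endswith(">")

def audit_inputs(text):
    """Return findings as strings; an empty list means the listener matches the documented setup."""
    cp = parse_conf(text)
    findings = []
    listeners = [s for s in cp.sections() if s.startswith(("tcp://", "tcp-ssl://"))]
    if not listeners:
        findings.append("no tcp:// or tcp-ssl:// listener stanza found")
    for section in listeners:
        if section.startswith("tcp://"):
            findings.append(f"[{section}] is plaintext: PCE syslog crosses the network unencrypted (use tcp-ssl://)")
        if cp[section].get("sourcetype") != "illumio:pce":
            findings.append(f"[{section}] sourcetype must be illumio:pce for the TA field extractions")
    if any(s.startswith("tcp-ssl://") for s in listeners):
        if not cp.has_section("SSL"):
            findings.append("tcp-ssl listener without an [SSL] stanza: Splunk has no certificate to present")
        else:
            for key in ("serverCert", "sslPassword"):
                if not cp["SSL"].get(key, ""):
                    findings.append(f"[SSL] {key} is missing")
    # Any <placeholder> left in a stanza header or value was never replaced.
    for section in cp.sections():
        for key, value in cp[section].items():
            if is_placeholder(value) or is_placeholder(section.split("://", 1)[-1]):
                findings.append(f"[{section}] {key} still carries a placeholder value")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_inputs(conf) or ["OK"])
```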

  • Note: By default, all data is indexed to the main index. If you are using Illumio App for Splunk for visualization purpose and want to use a custom index then kindly update "illumio_get_index" macro in Illumio App for Splunk.

APPLICATION SETUP for SaaS PCE

  • After installation:
  1. Go to Settings->Data inputs->Illumio
  2. Enter all required information.
  3. Users can create AWS S3 input with the help of the following link: How to create AWS S3 Inputs.
  4. SaaS users need to disable the 'Illumio_Host_Details' saved search and enable the 'Illumio_Host_Details_S3' saved search in order to populate dashboards with SaaS PCE data.

    NOTE: Some dashboards/panels in the Illumio app may not populate when the input is configured with a SaaS PCE. Please refer to the App's readme for the list of affected dashboards.

Custom Alert Action

  • This application adds a custom alert action named Mark Workload Quarantine Custom Alert Action. The user can configure this action on a saved search and pass the following parameter to Mark Workload Quarantine:
    1) workload_uuid: the workload_uuid in the incident.

TEST ILLUMIO SERVER CONNECTION

  • Follow the steps below to check the connection with the Illumio Server.

    • Go to the path $SPLUNK_HOME/etc/apps/TA-Illumio/bin
    • Run the illumio_connection_test.py file with splunk cmd using this command: $SPLUNK_HOME/bin/splunk cmd python illumio_connection_test.py
    • Enter the PCE URL, Username, Secret Key and Cert Path.
    • An appropriate connection message will be printed on the console.

TROUBLESHOOTING

  • Environment variable SPLUNK_HOME must be set.
  • To troubleshoot Illumio application, check $SPLUNK_HOME/var/log/TA-Illumio/ta-illumio.log file.
  • If the data input is not getting saved, check the connection by following the steps described under the "TEST ILLUMIO SERVER CONNECTION" section.
  • If dashboards are not populating in the Illumio app when input is configured with SaaS PCE:
    • Make sure that you have configured AWS S3 input properly and data is being collected.

UNINSTALL ADD-ON

To uninstall the add-on, follow the steps below:
  1. SSH to the Splunk instance.
  2. Go to the apps folder ($SPLUNK_HOME/etc/apps).
  3. Remove the TA-Illumio folder from the apps directory.
  4. Restart Splunk.


Copyright 2021 Illumio, Inc. All rights reserved.

Release Notes

Version 3.2.2
May 4, 2022

Fix SaaS Supercluster validation error introduced in 3.2.0 on /health API endpoint, resulting in missing content for
/opt/splunk/etc/apps/TA-Illumio/local/inputs.conf
/opt/splunk/etc/apps/IllumioAppForSplunl/local/inputs.conf

Version 3.2.1
Nov. 17, 2021

Removed "eventgen.conf" file, which was used to generate dummy data in Splunk for demos.

Version 3.2.0
Nov. 11, 2021

  • Modified data collection code to support Illumio Supercluster.
  • Added supercluster_members.conf file to add members of the supercluster.
  • Added "leader_fqdn" field in events only if configured PCE is part of the supercluster.
  • Made the port number field optional during input configuration.
  • Enhanced CIM field extractions.

Version 3.1.0
July 18, 2020

Illumio Add-on For Splunk v3.1.0
Made TCP-SSL the default to resolve the Splunk Cloud issue
Added python.version flag to resolve the Splunk Cloud issue
Modified data collection code to handle 503 errors
Removed extra forward slash from the API call
Compatibility with Illumio v20.1, v19.3.2 and 18.2.5

Version 3.0.0
Jan. 25, 2020

Splunk v8 Support
Made Add-on Python23 compatible

Version 2.3.0
Nov. 26, 2019

Changed Illumio API version from v1 to v2
Added support of ingesting data from S3
Added two API calls, services and ip_lists, for Alert Configuration dashboard
Added some field extraction for Alert Configuration dashboard
Changed time extraction and used timestamp field for _time

Version 2.2.2
Sept. 20, 2019

Fixed the issue with saving the new data input on Data Inputs page.

Version 2.2.1
Sept. 6, 2019

Extracted pce_fqdn field for "illumio:pce:metadata" source type
Removed "IP Address of PCE Node" field from Data Inputs page
Added "Hostname of PCE Node" field on Data Inputs page

Version 2.2.0
July 26, 2019

Extracted new fields for source and destination labels
Added encryption for "API Secret"
Added Validation for "Allowed port scanner Source IP addresses"
Removed "dnslookup" custom command
Added support of both string and integer for PD field
Documented steps of configuration for SUF

Version 2.1.0
June 7, 2019

Certified Addon/App with Illumio v18.3.1 and v19.1
Added support of JSON data format for Illumio Cloud data
Added test script to check the connection with Illumio server
Updated the search time of single value panels to last 60 minutes with a trend line of 24 hours in Security Operations dashboard
Minor Bug Fixes in the panels "Top Workloads with" and "Managed VEN by Operating System"
Fixed the bug related to label filter not considering label type while searching for traffic data in Security Operations dashboard

Version 2.0.1
April 17, 2019

Fixed the issue of fqdn in host_details_lookup table when PCE URL contains special characters.

Version 2.0.0
Sept. 19, 2018

Support for PCE versions 18.1 and 18.2

Version 1.1.3
Jan. 10, 2018
Version 1.1.2
Dec. 2, 2017

Adaptive Response Action
Accept Public/Private IPs of PCE as Modular Input.
PCE Hostnames now available with Syslog Data.
App cert Failure Update for Checking the batch input
PCE V17.2 Support
Minor Bug Fixes

Version 1.0.2
Sept. 12, 2017

Alert Action

Version 1.0.1
Aug. 22, 2017
Version 1.0.0
July 27, 2017

The Illumio Technology Add-On for Splunk enriches Illumio Policy Compute Engine (PCE) data with Common Information Model (CIM) field names, event types and tags.
This add-on enables Illumio PCE data to be used with Splunk Enterprise Security, Splunk App for PCI Compliance, etc.

