ABOUT THIS APP
Druva Add-on for Splunk ingests Druva events into Splunk.
REQUIREMENTS
Topology and Setting up Splunk Environment
- This app is distributed in two parts:
  - Add-on app, which ingests events from Druva into Splunk.
  - Main app, for visualizing events occurring in Druva.
- The app setup is the same for distributed and standalone environments:
  - Configure the Add-on app on the search head.
  - Install the Main app on the search head.
- Installation in Splunk Cloud
  - Same as on-premise Splunk.
Installation of App
- This app can be installed through the UI using "Manage Apps", or by extracting the zip file directly into the /opt/splunk/etc/apps/ folder.
Configuration of the Add-on
- Go to Druva Add-on For Splunk.
- Click the Configuration tab > Add to add a new account.
- Enter the following details in the Add Account pop-up:
  - Account Name
  - Cloud Type
  - Anomaly Detection: select the source for which you want to view events, for example inSync Events for inSync, and Ransomware Recovery events for Unusual Data Activity (UDA) events.
  - Client ID
  - Client Secret
  Druva supports OAuth 2.0. To begin the authorization process, obtain the Client ID (CID) and Client Secret from the Druva Portal and supply them in the configuration.
- Click Add to save the configuration.
- Navigate to the Input tab > Create New Input. On the Add Druva pop-up, provide the requested details and click Add to complete the configuration.
Test your Install
- Once the input is configured, it should start fetching events. Use the following search to verify that events are being ingested:
search `druva_get_index`
Logging of the App
- Monitor the file
$SPLUNK_HOME/var/log/splunk/ta_druva_druva.log
to track the activity of the Add-on.
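The following is an added example, not part of the Druva Add-on for Splunk or its documentation. It turns the "Test your Install" and "Logging of the App" steps above into a post-install check: it confirms the app folder exists under $SPLUNK_HOME/etc/apps and counts ERROR/CRITICAL entries in ta_druva_druva.log, which is where a rejected Client ID/Secret or a failed OAuth 2.0 token request would surface before any event reaches the index. The app folder name "TA-druva-assumed" and the sample log lines are constructed for illustration; check the real folder name in the extracted zip and the real log format on your own instance.

```shell
#!/bin/sh
# Added example, not the add-on's own code. Post-install health check for the
# Druva Add-on for Splunk. Folder name and log lines below are constructed.

LOG_REL="var/log/splunk/ta_druva_druva.log"   # log path from the README

# druva_addon_installed <splunk_home> <app_folder>
#   returns 0 if the app folder exists under etc/apps, 1 otherwise
druva_addon_installed() {
    [ -d "$1/etc/apps/$2" ]
}

# druva_log_errors <splunk_home>
#   prints the number of ERROR/CRITICAL lines in the add-on log;
#   prints -1 if the log does not exist yet (the input has never run)
druva_log_errors() {
    log="$1/$LOG_REL"
    if [ ! -f "$log" ]; then
        echo -1
        return 0
    fi
    # "|| true" keeps grep's no-match exit status from aborting under set -e
    count=$(grep -c -E '(ERROR|CRITICAL)' "$log" || true)
    echo "$count"
}

# druva_log_last_error <splunk_home>
#   prints the most recent ERROR/CRITICAL line (empty if none), so an operator
#   sees the failing step, e.g. a rejected Client ID/Secret, at a glance
druva_log_last_error() {
    log="$1/$LOG_REL"
    [ -f "$log" ] || return 0
    grep -E '(ERROR|CRITICAL)' "$log" | tail -n 1 || true
}

# druva_demo
#   builds a throwaway SPLUNK_HOME with a constructed log and prints
#   "<installed> <error_count>" so the checks can be exercised offline
druva_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/apps/TA-druva-assumed" "$tmp/var/log/splunk"
    # Constructed sample lines in a generic Python-logging style (not the real format)
    cat > "$tmp/$LOG_REL" <<'EOF'
2024-01-01 10:00:00,000 INFO pid=1234 Starting input druva_events
2024-01-01 10:00:01,000 INFO pid=1234 Requesting OAuth 2.0 token
2024-01-01 10:00:02,000 ERROR pid=1234 Token request failed: HTTP 401 invalid_client
2024-01-01 10:00:03,000 INFO pid=1234 Retrying in 60s
2024-01-01 10:01:03,000 CRITICAL pid=1234 Giving up after 3 attempts
EOF
    if druva_addon_installed "$tmp" "TA-druva-assumed"; then inst=1; else inst=0; fi
    errs=$(druva_log_errors "$tmp")
    rm -rf "$tmp"
    echo "$inst $errs"
}
```

On a live instance, run `druva_log_errors "$SPLUNK_HOME"` after creating the input; a count of -1 means the input has not started, a count above 0 means the configuration (typically the Client ID/Secret or Cloud Type) needs attention before the `druva_get_index` search will return anything.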