icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Ivanti IDAC Add-On for Splunk
SHA256 checksum (ivanti-idac-add-on-for-splunk_102.tgz) 124cc7d1a4efb9f8862ccfbf9db24a18fb5704c1de45328dc118c58dabe20d4b SHA256 checksum (ivanti-idac-add-on-for-splunk_101.tgz) 40c62ac53995b8a51a0d46facc1e2961ac3b965d706f55ad0562253ba34c9560
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Ivanti IDAC Add-On for Splunk

Splunk Cloud
This app is NOT supported by Splunk. Please read about what that means for you here.
Overview
Details
The Ivanti Device and Application Control Add-on for Splunk enables a Splunk administrator to ingest data from Ivanti Device and Application Control (IDAC).

You can ingest block events, shadowing activity, admin actions and agent status updates from IDAC via Windows event logs or json logs. You can view the data using the pre-built dashboards included with the Ivanti Device and Application Control App for Splunk.

This add-on provides the props.conf properties required to parse both json and Windows event log-based inputs to use with the corresponding IDAC Splunk app.

The add-on was developed and tested against IDAC 5.3, but should support ingestion of logs from any version of IDAC that supports SIEM logging using adc_alp_[32|64].dll

Release Notes
Version 1.0.0
May 7, 2020
Initial release

Overview

Ivanti have developed an integration for IDAC and Splunk to provide details of block, shadowing, admin audit and agent check-in activity.

This Technology Add-On (TA) provides the props.conf properties required to parse both json and Windows event log-based inputs to use with the corresponding IDAC Splunk app.

An accompanying app - the Ivanti IDAC App for Splunk (https://splunkbase.splunk.com/app/5533/) provides dashboards that visualise the retrieved data .

Requirements

The add-on was developed and tested against IDAC 5.3, but should support ingestion of logs from any version of IDAC that supports SIEM logging using adc_alp_[32|64].dll

Installation

For ingestion of IDAC event data, install the TA where Splunk will first parse incoming data - heavy forwarders, or indexers if logs are being sent directly from a Splunk Universal Forwarder.

Install the Ivanti IDAC App for Splunk on search heads for dashboards and CIM-compliant field aliases.

Configuration

To enable SIEM logging on the IDAC server, follow Ivanti's documented instructions (https://forums.ivanti.com/s/article/Syslog-and-Windows-Event-Log-redirection-to-a-3rd-party-SIEM?language=en_US) - or the abridged version that follows.

Take the architecture-specific DLL (adc_alp_32.dll or adc_alp_64.dll) from one of the following two locations in the product installation folders, depending on whether you want to log to a flat file (json) or Windows event log ('wel'):

  • DeviceAndApplicationControl <n.n>\ext\siem\wel
  • DeviceAndApplicationControl <n.n>\ext\siem\json

Copy the relevant DLL to the location where IDAC's service (sxs.exe) is running, for example: c:\windows\syswow64. If using json logging, create a configuration file (example below) and restart the service.

Example configuration file - named adc_alp_<architecture>.config and located in the same folder as adc_alp_[architecture].dll:

{
  "folder": "c:\\IDAC_logs",
  "filename":
  {
    "prefix": "IDAC_Log_",
    "extension": "json"
  }
}

As per Ivanti's documented guidance, 'There is no cleaning done by the DLL, the consumer will need to take care of deleting the files when processed'.

To ingest logs, deploy an inputs.conf to an IDAC server with monitor stanzas for either the Application event log or the file path if using json-based logging. Example (disabled) inputs.conf entries are provided in the TA's /defaults folder, and shown (enabled) below:

[monitor://C:\idac_logs\*.json]
disabled = 0
index = idac
sourcetype = ivanti:idac:json

[WinEventLog://Application]
renderXml = 1
disabled = 0
start_from = oldest
current_only = 0
whitelist = SourceName="idac_siem_sxs"
sourcetype = ivanti:idac:wel
source=ivanti:idac:wel:application
index = idac

Notes:
Ensure that the target index is correct - if 'idac' doesn't exist, then create it or choose a different index.
If already ingesting the Application event log from the IDAC server, the use of transforms.conf may be required on a Heavy Forwarder or indexer to dynamically reassign the sourcetype to ivanti:idac:wel

For further guidance around ingestion refer to the Splunk 'Getting Data In' (https://docs.splunk.com/Documentation/Splunk/latest/Data/Getstartedwithgettingdatain) or Cloud-focused GDI documentation (https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/IntroGDI).

Troubleshooting

  1. Confirm events are being logged locally on the IDAC server. If no event log files (json) or events (Windows event log option) are generated, try using Sysinternals' Process Monitor to confirm adc_alp_*.dll is loaded into sxs.exe. If necessary, engage Ivanti Support.
  2. Confirm the Splunk Universal Forwarder is installed on the IDAC server, has an inputs.conf stanza configured to monitor the correct json log file location - or the local Application event log.
  3. Confirm that events are being received by Splunk from the IDAC server - by checking the _internal index for values from the IDAC host, if nothing is appearing the IDAC target index

Support

For support, please raise a support call with Ivanti: https://www.ivanti.com.au/support/contact

Products Supported

  • IDAC 5.3 onwards

Authors

Intalock (www.intalock.com.au)

  • Greg Ford

Release Notes

Version 1.0.1

v1.0.1

  • First release

Release Notes

Version 1.0.2
May 6, 2021

Version 1.0.1
May 6, 2021

0
Installs
24
Downloads
Share Subscribe LOGIN TO DOWNLOAD

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.