ObserveIT Connector


Installation and Setup

To set up this app correctly, we’ll install Splunk’s “Universal Forwarder” on the host where ObserveIT Enterprise or ObserveIT Xpress is running. Also, we’ll configure that “Universal Forwarder” to forward the data in real-time from that host to Splunk.

We will make some assumptions as follows:

  1. You have already installed Splunk Enterprise (Note that the ObserveIT Connector app does not work with Splunk Light).
  2. You want to set up the solution to have the data coming in in real-time. (If instead you prefer to batch-load some data, this is quite easy, but contact Sideview for assistance.)
  3. You are using distributed search in Splunk, i.e. you have one or more Splunk Indexer instances. (If instead you are setting up the solution to run on only a single standalone Splunk server, you can skip everything that talks about the “TA” app and simply configure the UF to point directly to your single instance.)
  4. You have only one “Search Head” instance. (If instead you are using Search Head Clustering, that is fine, but be aware that everything we say to deploy to the Search Head will have to be deployed to the Search Head Cluster instead.)

Here are the installation and setup steps:

  1. Get the apps
    Navigate to http://sideviewapps.com/apps/observeit-connector and use the “Download Trial” link to download the ObserveIT Connector app. Also navigate to http://sideviewapps.com/apps/sideview-utils/ and click the “Download Full Version” link there to download the “Sideview Utils” app. Note that both apps will come as *.spl files.  Just save them to your desktop for now.
  2. Install the main apps
    Log into the Splunk user interface on your Search Head as an admin user. In the Apps menu at the top left, select “Manage Apps”, then on the next page click “Install App From File”. Using the form on the next page, upload the two *.spl files one by one (the order does not matter). After the second app is uploaded, follow the prompt to restart the Splunk server. If you have an older copy of Sideview Utils installed, make sure to check the “upgrade app” checkbox or Splunk may give you a strange error.
  3. Install the Universal Forwarder
    Familiarize yourself with the documentation for Splunk’s Universal Forwarder if you haven’t already. If you use Splunk’s MSI installer to install the UF, make sure that you do NOT tell the installer where the data is located yet. Simply install the UF for now and don’t configure it to look at the data yet.

  4. Install the TA app on indexers and forwarders
    Find the observeit.spl file that you downloaded. Despite the spl extension this is just a “tar.gz” file, so you can rename it to observeit.tar.gz and/or unzip it with your program of choice. Once you have it unzipped, look inside. At the top level of the “observeit” directory you will see a “TA_observeit” directory. This is actually a whole other “TA” app hiding in here, dormant. (If you’re unfamiliar with Splunk’s “TA” convention, this basically means it’s a tiny app you need to deploy to the forwarding and indexing tiers.)

    Deploy this TA app out to *all* indexers and to the forwarder by your method of choice.
    (Note that the full “observeit” app itself should ONLY go on Search Head instances. Likewise, the TA app should NOT be installed on the Search Head.)

    Once you have the TA app sitting at $SPLUNK_HOME/etc/apps/TA_observeit on the forwarder, and you’ve restarted both the indexers and the forwarder, you can proceed.

  5. Configure the forwarder to forward to your indexers
    If you’re an experienced Splunk admin this will be easy, but if not, the Splunk docs are here.

  6. Configure the forwarder to read the ObserveIT logs
    Verify that the ObserveIT logs are located at C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\3\*. If they appear to be somewhere else, note the location.

    On the command line of the UF host, change directory to the directory where Splunk is installed, and then to the bin subdirectory, i.e. “C:\Program Files\SplunkUniversalForwarder\bin”.

    Then run the following commands:

    ./splunk add monitor "C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\3\cm*.log" -index observeit -sourcetype oit_cmlog
    ./splunk add monitor "C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\Alerts\Al*.log" -index observeit -sourcetype oit_alerts

    Note that the sourcetype and index values are case sensitive, so be sure to enter them exactly as shown here.

  7. OPTIONAL: The two inputs above are by far the most important, but while you’re here you can also add data inputs for these other 6 optional sourcetypes. Note that they are much lower volume, so there’s not much harm in adding them now.

    ./splunk add monitor "C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\Audit\Conf*.log" -index observeit -sourcetype oit_conf_changes
    ./splunk add monitor "C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\Audit\Logins*.log" -index observeit -sourcetype oit_logins
    ./splunk add monitor "C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\Audit\Sessions*.log" -index observeit -sourcetype oit_sessions
    ./splunk add monitor "C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\Events\Ev*.log" -index observeit -sourcetype oit_system_events
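Because index and sourcetype names are case sensitive, a quick check of the inputs.conf stanzas the add monitor commands wrote catches a mis-typed value before the data is indexed under the wrong name. This is an added example, not Sideview’s or Splunk’s code; it assumes you read the inputs.conf the UF wrote (its location depends on your setup) and pass its text to check_inputs, and the sample stanza at the bottom is constructed to show what a case mismatch and a missing input look like.

```python
# Added example for this guide, not Sideview's or Splunk's code: it checks the
# stanzas that "splunk add monitor" wrote against the values in the steps above.
BASE = r"C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles"

EXPECTED = {  # monitored path -> (index, sourcetype); both are case sensitive
    BASE + r"\3\cm*.log": ("observeit", "oit_cmlog"),
    BASE + r"\Alerts\Al*.log": ("observeit", "oit_alerts"),
    BASE + r"\Audit\Conf*.log": ("observeit", "oit_conf_changes"),
    BASE + r"\Audit\Logins*.log": ("observeit", "oit_logins"),
    BASE + r"\Audit\Sessions*.log": ("observeit", "oit_sessions"),
    BASE + r"\Events\Ev*.log": ("observeit", "oit_system_events"),
}
REQUIRED = {BASE + r"\3\cm*.log", BASE + r"\Alerts\Al*.log"}  # step 6 inputs

def parse_inputs_conf(text):
    # Minimal Splunk .conf parser: [stanza] headers and key = value lines.
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def check_inputs(text):
    # Returns a list of problems; an empty list means the inputs match the guide.
    problems, stanzas = [], parse_inputs_conf(text)
    for path, (index, sourcetype) in EXPECTED.items():
        stanza = stanzas.get("monitor://" + path)
        if stanza is None:
            if path in REQUIRED:
                problems.append("missing required monitor for " + path)
            continue
        for key, want in (("index", index), ("sourcetype", sourcetype)):
            got = stanza.get(key)
            if got != want:
                # Flag near misses such as OIT_CMLOG; Splunk treats them as a different value.
                hint = " (case mismatch)" if got and got.lower() == want.lower() else ""
                problems.append(f"{path}: {key}={got!r}, expected {want!r}{hint}")
    return problems

# Constructed sample: one stanza with a mis-cased sourcetype, alerts input not added.
SAMPLE_INPUTS_CONF = r"""
[monitor://C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\3\cm*.log]
index = observeit
sourcetype = OIT_CMLOG
"""
```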

At this point you should have real-time data coming in. From there, just log into the Splunk interface and navigate to the “ObserveIT Connector” app.

If you have any problems or any questions don’t hesitate to contact Sideview.