1) If you haven’t already, download Splunk by clicking here.
2) Follow Splunk’s docs to install Splunk on your own hardware.
3) Ensure that Java is installed on the Splunk host and that the JRE version is at least 1.7. Ensure that either the JAVA_HOME environment variable is set (to a directory containing a bin subdirectory that in turn contains the java executables), OR that the java executables are on your PATH. Only one of the two needs to be true, but note which JVM the app will find this way, because that is the JVM whose keystore you will be importing a certificate into in step 8.
4) Get a 90 day trial version of Sideview Reporter for CA ControlMinder by clicking the “Download Trial Version” link on the right or by clicking here. Enter your email address to get a download link emailed to you.
5) Follow similar steps to also get a current copy of the required “Sideview Utils” app from this page. Note if you already have Sideview Utils it may well be an out-of-date version.
6) Install both apps into the Splunk server. For this you log into Splunk as an admin user and go to “Apps > Manage Apps > Install App from File”
7) After you have installed both apps, restart the Splunk Server by going to “Settings > Server Controls > Restart Splunk”.
8) IMPORTANT – Follow these instructions on the CA website to import the UARM certificate into the JVM’s trusted keystore on the Splunk server. Make sure it goes into the keystore of the same JVM that the app finds via JAVA_HOME or PATH (step 3); on a host with several JVMs installed, a certificate imported into a different one will not help.
9) Verify that the app’s modular input is working with java correctly by logging into the Splunk host, going to the “bin” subdirectory inside Splunk, and running
splunk cmd python ../etc/apps/control_minder/bin/jms.py --scheme
If all is well it should return a big block of XML whose outer tag is <scheme>. If something is wrong there will be an error message or a stack trace instead, and you should email it to email@example.com.
10) Now log back into the Splunk interface as an admin user and navigate to the app’s homepage via “Apps > Sideview Reporter for CA ControlMinder”. The homepage will tell you that you have no data indexed and give you a link to the Setup form. On the Setup form, enter the hostname or IP, username and password, as well as the Splunk index into which you want to put the data, and submit the form. After a few moments live data will begin arriving in Splunk.
11) If your events do not begin coming into Splunk within a few minutes, here are some things to check:
— If your ControlMinder server does not have both “queue/audit” and “queue/pupm” as active JMS messaging queues, disable the data input for the one you don’t have. Sometimes, but not always, when one queue cannot be found the app will fail to index any events from EITHER queue. You can check whether this is the case by running this search:
index=_internal source=*splunkd.log execprocessor message from jms.py Stanza Error connecting javax.naming.NameNotFoundException Name not found
If that returns any events, you might want to disable that data input by following these steps:
Log into Splunk as an admin user, and from the app click “Settings” in the top right. Then click “Data Inputs”, scroll down on the following page and click “JMS Inputs”. You’ll see a table with your two queue data inputs. On the right side under “Actions” you’ll see Enable/Disable links. Disable whichever queue you don’t think you have. NOTE: If you leave a stanza active for a queue that you don’t have, then NO data may be indexed from ANY queue.
— Check jms.log and splunkd.log for any helpful errors or messages. To do this you can search in Splunk as an admin user for these terms:
index=_internal (source=*jms.log OR (source=*splunkd.log execprocessor message from jms.py))
If you’re not sure what you’re seeing there, send it in to us here and we’ll help.
— If this yields no clues at all, or if the logs seem to indicate that the jms modular input is failing to initialize or failing validation, open a command window, change to $SPLUNK_HOME/bin and run this:
> splunk cmd splunkd print-modinput-config --debug jms
You might have to hunt through scrollback to find the parts talking about “JMS” but once you do there might be an error or even a stack trace you can send to us.
12) Once data is coming in, the best way to familiarize yourself with the app is to use the “Getting Started” tab on the app’s homepage. This will walk you through the various fields present in the data. By clicking the sample reports for the fields that look most interesting you will get the hang of how the reporting tools work.
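The Java checks in step 3 and the --scheme check in step 9 can be scripted so they are run the same way every time, before the Setup form is touched. The following pre-flight script is an added example, not part of the app or of Sideview's own tooling. It resolves java the way step 3 describes (JAVA_HOME/bin/java first, then PATH), checks that the reported version is 1.7 or newer, runs jms.py --scheme and checks that the first XML element in the output is <scheme>. The default SPLUNK_HOME of /opt/splunk and the name RUN argument are assumptions of this example.

```sh
#!/bin/sh
# Pre-flight checks for the jms modular input (added example, not the app's own code).
# Assumption: Splunk lives in $SPLUNK_HOME, defaulting to /opt/splunk.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Resolve the java binary the same way step 3 describes: JAVA_HOME/bin/java
# if JAVA_HOME is set, otherwise whatever java is first on PATH.
find_java() {
  if [ -n "$JAVA_HOME" ] && [ -x "$JAVA_HOME/bin/java" ]; then
    echo "$JAVA_HOME/bin/java"
  elif command -v java >/dev/null 2>&1; then
    command -v java
  else
    return 1
  fi
}

# Return 0 if a version string from "java -version" is 1.7 or newer.
# Handles both the old "1.7.0_80" form and the newer "11.0.2" form.
java_version_ok() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  minor=$(printf '%s' "$1" | cut -d. -f2)
  if [ "$major" = "1" ]; then
    [ "${minor:-0}" -ge 7 ]
  else
    [ "$major" -ge 2 ]   # 9, 11, 17, ... are all newer than 1.7
  fi
}

# Return 0 if the output of "jms.py --scheme" looks healthy: the first XML
# element (ignoring any <?xml ...?> declaration) must be <scheme>. A Python
# traceback or a Java stack trace contains no such element and fails the check.
scheme_output_ok() {
  first=$(printf '%s\n' "$1" | grep -o '<[A-Za-z][A-Za-z0-9_:-]*' | head -n 1)
  [ "$first" = "<scheme" ]
}

# Run all checks against the live host and report the first failure.
run_checks() {
  java_bin=$(find_java) || {
    echo "FAIL: no java found; set JAVA_HOME or put java on PATH" >&2; return 1; }
  ver=$("$java_bin" -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
  java_version_ok "$ver" || {
    echo "FAIL: java $ver at $java_bin is older than 1.7" >&2; return 1; }
  out=$(cd "$SPLUNK_HOME/bin" && ./splunk cmd python ../etc/apps/control_minder/bin/jms.py --scheme 2>&1)
  scheme_output_ok "$out" || {
    echo "FAIL: jms.py --scheme did not return <scheme>; output was:" >&2
    printf '%s\n' "$out" >&2; return 1; }
  echo "OK: java $ver at $java_bin; jms.py --scheme returned <scheme>"
}

# Only hit the live system when invoked as "sh preflight.sh run".
case "${1:-}" in
  run) run_checks ;;
esac
```

Run it on the Splunk host as the user that runs splunkd, so that JAVA_HOME and PATH are the ones the modular input will actually see; a check that passes under a different login proves nothing about the input.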