Insider Threat Connector


Installation and setup

To set up this app correctly, we’ll install Splunk’s “Universal Forwarder” on the host where ObserveIT Enterprise or ObserveIT Xpress is running. Also, we’ll configure that “Universal Forwarder” to forward the data in real-time from that host to Splunk.

We will make some assumptions as follows:

  1. You have already installed Splunk Enterprise (Note that the ObserveIT Connector app does not work with Splunk Light).
  2. You want to set up the solution to have the data coming in in real time. (If instead you prefer to batch-load some data, this is quite easy, but contact Sideview for assistance.)
  3. You are using distributed search in Splunk, i.e. you have one or more Splunk Indexer instances. (If instead you are setting up the solution to run on only a single standalone Splunk Server, you can skip everything that talks about the “TA” app and simply configure the UF to point directly to your single instance.)
  4. You have only one “Search Head” instance. (If instead you are using Search Head Clustering, that is fine, but be aware that everything we say to deploy to the Search Head will have to be deployed to the Search Head Cluster instead.)

Here are the installation and setup steps:

  1. Get the apps
    Navigate to and use the “Download Trial” link to download the ObserveIT Connector app. Also navigate to and click the “Download Full Version” link there to download the “Sideview Utils” app. Note that both apps will come as *.tar.gz files. Just save them to your desktop for now.
  2. Install the main apps
    Log into the Splunk user interface on your Search Head as an admin user. In the Apps menu at the top left, select “Manage Apps”, then on the next page click “Install App From File”. Using the form on the next page, upload the two *.tar.gz files one by one (the order does not matter). After the second app is uploaded, follow the prompt to restart the Splunk server. If you have an older copy of Sideview Utils installed, make sure to check the “upgrade app” checkbox or Splunk may give you a strange error.
  3. Install the Universal Forwarder
    Familiarize yourself with the documentation for Splunk’s Universal Forwarder if you haven’t already. If you use Splunk’s MSI Installer to install the UF, make sure that you do NOT tell the installer where the data is located yet. Simply install the UF for now and don’t configure it to look at the data yet.
  4. Install the TA app on indexers and forwarders
    Find that copy of the observeit.tar.gz file that you downloaded. Even though you already installed this, the TA app is hiding inside the tar. Unzip the file with your program of choice and look inside. At the top level of the “observeit” directory you will see a “TA_observeit” directory. If you’re unfamiliar with Splunk’s “TA” convention, this basically means it’s a tiny app you need to deploy to the forwarding and indexing tiers.

    Deploy this TA app out to *all* indexers and to the forwarder by your method of choice.
    (Note that the full “observeit” app itself should ONLY go on Search Head instances. Conversely, the TA app should NOT be installed on the Search Head.)

    Once you have the TA app sitting at $SPLUNK_HOME/etc/apps/TA_observeit on the forwarder, and you’ve restarted both the indexers and the forwarder, you can proceed.

  5. Configure the forwarder to forward to your indexers
    If you’re an experienced Splunk admin this will be easy, but if not the Splunk docs are here.
  6. Configure the forwarder to read the ObserveIT logs
    Verify that the ObserveIT logs are located at: C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\3\* If they appear to be somewhere else, note the location.

    On the command line of the UF host, change directory to the directory where Splunk is installed, and then to the bin subdirectory, i.e. “C:\Program Files\SplunkUniversalForwarder\bin”.

    Then run the following commands:
    splunk add monitor "C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\3\cm*.log" -index observeit -sourcetype oit_cmlog
    splunk add monitor "C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\Alerts\Al*.log" -index observeit -sourcetype oit_alerts

    Note that the sourcetype and index values are case sensitive, so be sure to enter them exactly as shown here.

  7. OPTIONAL: Those two above are by far the most important, but while you’re here you can also add data inputs for these other 6 optional sourcetypes. Note that they are much lower volume, so there’s not much harm in adding them now.
    splunk add monitor "C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\Audit\Conf*.log" -index observeit -sourcetype oit_conf_changes
    splunk add monitor "C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\Audit\Logins*.log" -index observeit -sourcetype oit_logins
    splunk add monitor "C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\Audit\Sessions*.log" -index observeit -sourcetype oit_sessions
    splunk add monitor "C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\Events\Ev*.log" -index observeit -sourcetype oit_system_events
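Each `splunk add monitor` command in steps 6 and 7 writes a `[monitor://<path>]` stanza with `index` and `sourcetype` keys into an inputs.conf under $SPLUNK_HOME/etc on the forwarder (the exact file varies by version; on many installs it is etc/apps/search/local/inputs.conf). Because the TA app's parsing rules are keyed on those exact sourcetype names, a miscased value (say `OIT_Logins`) quietly lands events in a sourcetype the TA never parses, and a miscased index name sends them to an index the indexers may not have. The check below is an added example, not part of the ObserveIT Connector app or Sideview's code: it parses a constructed inputs.conf (two correct stanzas plus two deliberately wrong ones) and reports every stanza whose index or sourcetype does not match the values this page specifies. The expected sourcetype set and the `observeit` index name are taken from the commands above; nothing else on the page is assumed.

```python
"""Check a Universal Forwarder inputs.conf against the index and sourcetypes
the ObserveIT Connector expects. Added example; sample config is constructed."""
import configparser

# Sourcetypes from the `splunk add monitor` commands in steps 6 and 7.
# The match is exact: Splunk sourcetype names are case-sensitive.
EXPECTED_SOURCETYPES = {
    "oit_cmlog", "oit_alerts", "oit_conf_changes",
    "oit_logins", "oit_sessions", "oit_system_events",
}
EXPECTED_INDEX = "observeit"

# Constructed sample. The first two stanzas are what the step 6 commands
# produce; the last two are deliberately wrong to show what the check catches.
SAMPLE_INPUTS_CONF = r"""
[monitor://C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\3\cm*.log]
index = observeit
sourcetype = oit_cmlog
disabled = 0

[monitor://C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\Alerts\Al*.log]
index = observeit
sourcetype = oit_alerts
disabled = 0

[monitor://C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\Audit\Logins*.log]
index = ObserveIT
sourcetype = OIT_Logins
disabled = 0

[monitor://C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\Events\Ev*.log]
index = observeit
disabled = 0
"""


def parse_inputs_conf(text):
    """Return {stanza_name: {key: value}} for every [monitor://...] stanza.

    Splunk .conf files are INI-like, so configparser handles them; interpolation
    is disabled because Windows paths and patterns may contain '%' characters.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s.startswith("monitor://")}


def check_inputs(text):
    """Return a list of (stanza, problem) tuples; an empty list means all stanzas are OK."""
    problems = []
    for stanza, kv in parse_inputs_conf(text).items():
        index = kv.get("index")
        sourcetype = kv.get("sourcetype")
        if index != EXPECTED_INDEX:
            problems.append((stanza, f"index {index!r} should be {EXPECTED_INDEX!r} (case-sensitive)"))
        if sourcetype is None:
            problems.append((stanza, "sourcetype missing; events would not be parsed by the TA"))
        elif sourcetype not in EXPECTED_SOURCETYPES:
            hint = ""
            if sourcetype.lower() in EXPECTED_SOURCETYPES:
                hint = f" (did you mean {sourcetype.lower()!r}?)"
            problems.append((stanza, f"sourcetype {sourcetype!r} is not one the TA parses{hint}"))
    return problems


if __name__ == "__main__":
    found = check_inputs(SAMPLE_INPUTS_CONF)
    for stanza, problem in found:
        print(f"{stanza}\n    {problem}")
    print("OK" if not found else f"{len(found)} problem(s) found")
```

Run it against the real file (replace `SAMPLE_INPUTS_CONF` with the file's contents) after step 7 and before restarting the forwarder; an empty result means every monitor stanza carries the exact index and sourcetype values the TA app and the dashboards expect.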

At this point you should have real-time data coming in. From there, just log into the Splunk interface and navigate to the “ObserveIT Connector” app.

If you have any problems or any questions don’t hesitate to contact Sideview.