Syntax:
com.ibi.exits.XDSplunkWriter
Description:
The driver filters selected Activity Log events and sends them to a Splunk server for indexing. You can use the driver in place of, or in combination with, other activity drivers.
Parameters:

Main Group Parameters

HTTP Client Provider
Provider that manages the connection pool used by the driver. When the Connection Scheme is https, the HTTP Client Provider must refer to an SSL Context Provider whose truststore contains the CA that issued the Splunk server certificate; otherwise the TLS handshake fails. See Extracting the Root CA of the Splunk Server below for how to obtain that certificate.

Endpoint Type
Determines how events are sent to Splunk. The Activity Driver can call the Splunk REST API or the HTTP Event Collector (HEC).

REST API: the port is usually 8089. This endpoint authenticates with User Name and User Password; the Token property is not used.

HTTP Event Collector: the port is usually 8088. This endpoint authenticates with a Token; User Name and User Password are not used. HEC must be enabled before it can be used: in the Splunk Console, select Settings > Data Inputs > HTTP Event Collector > Global Settings, and set All Tokens to Enabled. You can create a dedicated token for this Activity Driver or share an existing token, depending on your security requirements; a dedicated token can be revoked or rotated without disturbing other senders. To create a token, click New Token on the HTTP Event Collector page. The resulting token is a GUID-style string and must be treated as a credential, since it is sent with every request. Event data is written to the index named by the Splunk Index property. If the token was created with a list of allowed indexes, the chosen index must be one of them, or Splunk rejects the event.

Note: The location of the Splunk server endpoint is given by three properties: Connection Scheme (https or http), Splunk host name, and port number.

Splunk Source
Source value to assign to the event data. This describes where the event data came from. It overrides the default source configured on the token.

Source Type
Source type to assign to the event data. This tells Splunk how to parse the event. Because the event is formatted as JSON, the default Source Type is _json. This property overrides the default source type configured on the token.
Events Group
These Boolean properties select which events are sent to the Splunk server. Enable an event type to send that particular event to the Splunk server. Disabled event types are ignored.
The Compression property can be used to reduce the size of the msg field in the event.
Event Format
The event data is a JSON object with the following fields.

recordkey: Unique record identifier key.
recordtype: Type of this record, that is, the event being recorded (see Record Type Codes below).
signature: Encoding of the listener name and protocol.
protocol: Name of the protocol.
address: Address to which an emit is to be issued. The format depends on the protocol.
tstamp: Time of the record.
correlid: Correlation ID, if present.
tid: Transaction ID assigned to this message.
msg: Message appropriate to this record type. For example, an input message record contains the original message received, if possible. Streaming input does not contain a message.
text: Message text for business errors (rules system violations).
status: Status code recorded. 0 means success; other status codes depend on the type of record being recorded.
subtype: Event code for event records, for example parsing, agent calls and returns (see Record Subtype Codes below).
partner_to: If the TPA has recognized a "to" party, its value is put here.
partner_from: If the TPA has recognized a "from" party, its value is put here.
encoding: Encoding of the listener that obtained the document.
version: Driver version (1.0 in 5.5.SM).
context: Serialized special registers that were in the context at the time the record was written.
The recordtype and subtype fields use the following numeric codes.

Record Type Codes
101: Message start.
131: Entry to event (see subtype codes).
132: Normal exit from event.
133: Failed exit from event.
151: Ancillary message (usually a rules violation).
181: Emit.
191: Message end.

Record Subtype Codes
1: Preparser
2: Parser
3: In reviewer
5: In validation
6: In transform
7: Agent or flow
8: Out transform
9: Out validation
11: Preemitter
The following is a sample event sent by the Splunk Activity Driver. The msg field is the base64-encoded input message; the context object carries the special registers that were in scope when the record was written.

{
  "recordkey": "rk_2019-02-12T15_58_11_389Z_001",
  "recordtype": 101,
  "signature": "file1-FILE-W.file1.1\u0000\u0000…\u0000\u0000",
  "protocol": "a.xml",
  "address": null,
  "tstamp": "20190212155811388Z",
  "correlid": null,
  "tid": "569bd99d-834f-40b3-b7e2-80706486cdc1",
  "msg": "PGQ+PGQxLz48ZDIvPjwvZD4NCg==",
  "text": null,
  "status": 0,
  "subtype": 0,
  "partner_to": null,
  "partner_from": null,
  "encoding": "Cp1252",
  "version": "1.0",
  "context": {
    "DOC/parent": "in1",
    "DOC/extension": "xml",
    "DOC/source": "z:\\iway8\\config\\base\\in1\\a.xml",
    "DOC/tid": "569bd99d-834f-40b3-b7e2-80706486cdc1",
    "CFG/ibse-port": "9000",
    "DOC/filename": "a.xml",
    "DOC/basename": "a"
  }
}
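The following is an added example, not code from the iWay product or its documentation. It shows what a consumer of these events, or a test of the driver configuration, has to do: resolve the recordtype and subtype codes from the tables above, decode the base64 msg field using the event's own encoding, and assemble the HTTP Event Collector request the driver sends (URL, Authorization header, and the Splunk event envelope with index, source and sourcetype), refusing an index the token does not allow. The sample event is a trimmed copy of the one shown above; the host name, token, index and allowed-index list are assumed values. The HEC wire format (the /services/collector/event path, the "Splunk <token>" Authorization header, and the event/index/source/sourcetype/time keys) is Splunk's public interface, not something defined by this page.

```python
import base64
import json
from datetime import datetime, timezone

# Constructed sample: the activity event from the documentation, trimmed.
SAMPLE_EVENT = {
    "recordkey": "rk_2019-02-12T15_58_11_389Z_001",
    "recordtype": 101,
    "protocol": "a.xml",
    "address": None,
    "tstamp": "20190212155811388Z",
    "correlid": None,
    "tid": "569bd99d-834f-40b3-b7e2-80706486cdc1",
    "msg": "PGQ+PGQxLz48ZDIvPjwvZD4NCg==",
    "text": None,
    "status": 0,
    "subtype": 0,
    "encoding": "Cp1252",
    "version": "1.0",
    "context": {"DOC/filename": "a.xml",
                "DOC/tid": "569bd99d-834f-40b3-b7e2-80706486cdc1"},
}

# Code tables from the documentation.
RECORD_TYPES = {101: "Message start", 131: "Entry to event",
                132: "Normal exit from event", 133: "Failed exit from event",
                151: "Ancillary message", 181: "Emit", 191: "Message end"}
SUBTYPES = {1: "Preparser", 2: "Parser", 3: "In reviewer", 5: "In validation",
            6: "In transform", 7: "Agent or flow", 8: "Out transform",
            9: "Out validation", 11: "Preemitter"}


def describe(event):
    """Resolve the numeric codes and decode msg so the record is readable
    by a human or a detection rule. Subtype is only meaningful on event
    records (131/132/133)."""
    rt = event["recordtype"]
    st = event.get("subtype", 0)
    msg = event.get("msg")
    decoded = None
    if msg:
        # msg is base64 of the original bytes; the listener's encoding says
        # how to turn those bytes back into text.
        decoded = base64.b64decode(msg).decode(event.get("encoding") or "utf-8")
    return {
        "recordtype": RECORD_TYPES.get(rt, f"unknown({rt})"),
        "subtype": SUBTYPES.get(st) if rt in (131, 132, 133) else None,
        "failed": rt == 133 or event.get("status", 0) != 0,
        "msg": decoded,
    }


def tstamp_to_epoch(tstamp):
    """'20190212155811388Z' -> POSIX seconds (float), for HEC's 'time' key."""
    dt = datetime.strptime(tstamp, "%Y%m%d%H%M%S%fZ").replace(tzinfo=timezone.utc)
    return dt.timestamp()


def build_hec_request(event, *, host, token, index, scheme="https", port=8088,
                      source=None, sourcetype="_json", allowed_indexes=None):
    """Assemble the HEC POST the driver issues. allowed_indexes models the
    token's 'indexes' restriction: a mismatch is rejected locally instead
    of producing a 400 from Splunk."""
    if allowed_indexes is not None and index not in allowed_indexes:
        raise ValueError(f"index {index!r} is not permitted for this token")
    warnings = []
    if scheme != "https":
        # The token is a bearer credential; over http it is readable on the wire.
        warnings.append("HEC token will be sent over plaintext http")
    body = {"event": event, "index": index, "sourcetype": sourcetype,
            "time": tstamp_to_epoch(event["tstamp"])}
    if source:
        body["source"] = source
    return {
        "url": f"{scheme}://{host}:{port}/services/collector/event",
        "headers": {"Authorization": f"Splunk {token}",
                    "Content-Type": "application/json"},
        "body": body,
        "data": json.dumps(body).encode("utf-8"),
        "warnings": warnings,
    }


if __name__ == "__main__":
    print(describe(SAMPLE_EVENT))
    req = build_hec_request(SAMPLE_EVENT, host="splunk.example",  # assumed host
                            token="00000000-0000-0000-0000-000000000000",  # assumed token
                            index="iway", source="iway-sm", allowed_indexes={"iway"})
    print(req["url"], req["headers"], req["data"][:80])
```

The decoded msg for the sample is the small XML document `<d><d1/><d2/></d>` followed by CRLF. Because the driver sets a single sourcetype for every record, the recordtype and status fields, not the sourcetype, are what a search or alert should key on.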
Extracting the Root CA of the Splunk Server

When using SSL, the truststore in the SSL Context Provider must contain the certificate of the Certificate Authority that signed the Splunk server certificate. A convenient way to obtain the CA certificate is to run openssl; a copy of the openssl command ships in the bin directory of the Splunk Enterprise installation. Run the following command, replacing <host> and <port> with the host name and port of the Splunk server (s_client reads from standard input, so redirecting from /dev/null makes it exit once the handshake is done).

openssl s_client -host <host> -port <port> -prexit -showcerts < /dev/null > certs.txt

The certs.txt file lists the chain the server presented, leaf certificate first, each preceded by s: (subject) and i: (issuer) lines. Edit the file and extract the root CA, which is the last certificate in the chain, between and including the following lines, into a file called splunkca.pem:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Two checks before importing it. First, a server is not required to send its root certificate; if the last certificate's s: and i: lines differ, the chain is truncated and the root must be obtained from the CA itself. Second, this procedure trusts whatever the network returned at the moment you ran it, so compare the certificate fingerprint (openssl x509 -in splunkca.pem -noout -fingerprint -sha256) with the value published by the CA or by the Splunk administrator before you trust it.

Then run keytool to produce a truststore. It prompts for a keystore password (creating the file if it does not exist) and asks you to confirm that the certificate should be trusted:

keytool -importcert -file splunkca.pem -alias splunkca -keystore truststore.jks

Point the SSL Context Provider referenced by the HTTP Client Provider at this truststore.
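The following is an added example, not code from the iWay product or its documentation. It automates the manual step above: it reads the output of openssl s_client -showcerts, picks the last certificate in the chain (the root CA when the server sends a complete chain), reports whether that certificate is self-signed so a truncated chain is noticed rather than silently trusted, and prints the SHA-256 fingerprint to compare out of band before the keytool import. The s_client output embedded here is constructed for the example and its certificate bodies are base64 placeholders, not real X.509 data; the subject names are assumed. The s:/i: line layout it parses is the layout openssl s_client prints for the certificate chain.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def parse_chain(s_client_output):
    """Return the certificates in the order the server sent them (leaf first).
    Each entry carries the subject and issuer taken from the ' N s:' / '   i:'
    lines that s_client prints before each PEM block, the PEM text, and the
    decoded DER bytes."""
    certs, subject, issuer, pem_lines = [], None, None, None
    for line in s_client_output.splitlines():
        m = re.match(r"^\s*\d+\s+s:(.*)$", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"^\s*i:(.*)$", line)
        if m:
            issuer = m.group(1).strip()
            continue
        if line.startswith(BEGIN):
            pem_lines = [line]
        elif pem_lines is not None:
            pem_lines.append(line)
            if line.startswith(END):
                der = base64.b64decode("".join(pem_lines[1:-1]))
                certs.append({"subject": subject, "issuer": issuer,
                              "pem": "\n".join(pem_lines) + "\n", "der": der})
                pem_lines = None
    return certs


def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint in the form openssl x509 prints."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def select_trust_anchor(s_client_output):
    """Pick the last certificate in the chain. 'complete' is True only when
    that certificate is self-signed (subject == issuer), i.e. the server sent
    its root; otherwise the root must be fetched from the CA separately."""
    certs = parse_chain(s_client_output)
    if not certs:
        raise ValueError("no certificates found in s_client output")
    last = certs[-1]
    return {"subject": last["subject"], "pem": last["pem"],
            "fingerprint": sha256_fingerprint(last["der"]),
            "complete": last["subject"] == last["issuer"]}


def _placeholder_pem(label):
    # Constructed placeholder: base64 of a text string, NOT a real certificate.
    body = base64.b64encode(f"placeholder-not-a-real-certificate:{label}".encode()).decode()
    return f"{BEGIN}\n{body}\n{END}"


# Constructed s_client -showcerts output with a three-certificate chain.
SAMPLE_OUTPUT = "\n".join([
    "CONNECTED(00000003)",
    "---",
    "Certificate chain",
    " 0 s:CN = splunk.example",
    "   i:CN = Example Intermediate CA",
    _placeholder_pem("leaf"),
    " 1 s:CN = Example Intermediate CA",
    "   i:CN = Example Root CA",
    _placeholder_pem("intermediate"),
    " 2 s:CN = Example Root CA",
    "   i:CN = Example Root CA",
    _placeholder_pem("root"),
    "---",
])
# Same output with the root omitted, as a server that sends only leaf + intermediate would.
TRUNCATED_OUTPUT = SAMPLE_OUTPUT.split(" 2 s:")[0]


if __name__ == "__main__":
    # Real use: select_trust_anchor(open("certs.txt").read())
    for text in (SAMPLE_OUTPUT, TRUNCATED_OUTPUT):
        anchor = select_trust_anchor(text)
        print(anchor["subject"], anchor["fingerprint"],
              "OK" if anchor["complete"] else "ROOT NOT SENT - obtain it from the CA")
        with open("splunkca.pem", "w") as f:
            f.write(anchor["pem"])
```

After writing splunkca.pem and confirming the printed fingerprint against the value the CA or Splunk administrator publishes, the keytool command above imports it into truststore.jks.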