Splunk Enterprise

This integration requires Splunk Enterprise version 8.0.2.

Configure CORE to forward messages to Splunk Enterprise with this procedure:

  1. Open the receiving port on the Splunk server.
     1. Click Settings > Data > Forwarding and Receiving > Configure receiving > Add new (port).
     2. Enter port 9997.
  2. Download the Splunk Universal Forwarder from https://www.splunk.com/en_us/download/universal-forwarder.html
  3. Install the downloaded file on the CORE server.
  4. Configure the Splunk Universal Forwarder on the CORE server:
     1. Change to the executable directory:

        cd /opt/splunkforwarder/bin/

     2. Start Splunk and accept the license:

        sudo ./splunk start --accept-license

     3. Configure Splunk to start on boot:

        sudo ./splunk enable boot-start

     4. Enable the Splunk service:

        systemctl enable splunk

     5. Register the Splunk server as the forward destination, using the port opened in step 1:

        sudo ./splunk add forward-server <IP Splunk Server>:9997

     6. Add a monitor for each log file that Splunk should collect. You can add further lines for more log files. This example adds monitors for the CORE log (ekm.log) and the Tomcat log (catalina.log). See the CORE Maintenance Guide for more information about CORE logs.

        sudo ./splunk add monitor /opt/ekm/logs/ekm.log
        sudo ./splunk add monitor /opt/ekm/logs/catalina.log

     7. Restart Splunk:

        sudo ./splunk restart

     8. Check that the configuration worked. The Splunk server should be listed under Active forwards:

        sudo ./splunk list forward-server

        Example response:

        Active forwards:
            13.53.44.231:9997
        Configured but inactive forwards:
            None
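The final step leaves it to the operator to read the forward-server listing by eye. The following shell function is an added example, not part of the vendor documentation, that checks the listing automatically so the forwarder setup can be verified from a script (for instance after a CORE server rebuild). It assumes the receiver address is given as the first argument and the output of `splunk list forward-server` is supplied on standard input; the sample output embedded below is constructed from the example response above.

```sh
#!/bin/sh
# Added example (not vendor code): confirm that the Splunk receiver
# configured with `splunk add forward-server` is reported as an
# active forward, rather than "configured but inactive".
#
# Usage: sudo ./splunk list forward-server | check_active_forward HOST:PORT
# Returns 0 when HOST:PORT appears under "Active forwards:", 1 otherwise.
check_active_forward() {
    receiver="$1"
    awk -v want="$receiver" '
        # Track which section of the listing we are in.
        /^Active forwards:/            { section = "active";   next }
        /^Configured but inactive/     { section = "inactive"; next }
        # Only a match inside the active section counts as success.
        section == "active" && $1 == want { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample, modelled on the example response in the procedure;
# the address is a placeholder and not a real Splunk server.
SAMPLE_OUTPUT='Active forwards:
    13.53.44.231:9997
Configured but inactive forwards:
    None'

# Convenience wrapper for running the check against the embedded sample
# offline, e.g. while testing the script itself.
check_sample() {
    printf '%s\n' "$SAMPLE_OUTPUT" | check_active_forward "$1"
}

# When invoked directly with a receiver argument, run the live check.
if [ "$#" -eq 1 ]; then
    if /opt/splunkforwarder/bin/splunk list forward-server | check_active_forward "$1"; then
        echo "forward to $1 is active"
    else
        echo "forward to $1 is NOT active; check port 9997 on the Splunk server" >&2
        exit 1
    fi
fi
```

A receiver that is listed under "Configured but inactive forwards" usually means the port from step 1 is not reachable from the CORE server, so the check fails closed rather than treating any mention of the address as success.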

Splunk now monitors the CORE logs. In Splunk, you can create a dashboard to view the CORE logs or search the logs.

For example, the following image shows the available logs in a sample environment. Note that CORE is referred to as "EKM" (Enterprise Key Management, the previous name of the product).

Selecting the EKM (Enterprise Key Management) log shows:

The following search locates any log entry where the host is demo-ep, the source is the CORE log file, and the text matches code-sign.