BlueCat Edge for Splunk app - BlueCat Edge - Service Point v3.x.x

BlueCat Edge Deployment Guide

Locale: English
Product name: BlueCat Edge
Version: Service Point v3.x.x

The BlueCat Edge Technical Add-on for Splunk is a modular input that integrates data from the BlueCat Edge API with Splunk. This app allows DNS administrators and security professionals to collect, monitor, and alert on policy events from their BlueCat Edge service points.

The BlueCat Edge Technical Add-on for Splunk is intended to be deployed on Splunk Search Heads. Data collection is intended to be configured on a Splunk Heavy Forwarder but can be run on any Splunk Enterprise instance (Search Head, Indexer, or All-in-one). The BlueCat Edge for Splunk app is only required on Splunk Search Heads and must be installed alongside the BlueCat Edge Technical Add-on for Splunk. The BlueCat Edge for Splunk app relies on data collected by the BlueCat Edge Technical Add-on for Splunk.

Attention: The BlueCat Edge Technical Add-on for Splunk is only compatible with Linux-based forwarders and is not compatible with Windows system heavy forwarders.
Note: This feature is only accessible with a valid SIEM token provided by BlueCat. You received this token in the Welcome to BlueCat Edge email sent when the Administrator account was created. For more information, contact your BlueCat representative.

Install the BlueCat Edge Technical Add-on for Splunk
  1. In Splunkbase, download the BlueCat Edge Technical Add-on for Splunk.
  2. Log into your Splunk instance using an account with Administrator access.
  3. From Splunk, click the gear icon next to Apps.
  4. Click Install app from file, and then Choose file and navigate to the app package you downloaded.
  5. Click Upload.

Configure inputs

After you install the technical add-on, you need to configure both the DNS query log stream and policy details collection.

Step 1: Configure DNS query log stream collection
  1. In Splunk, choose Settings > Data Inputs, and then select BlueCat Edge Modular Input.
  2. Click New.
  3. Enter a name for the input, for example DNS Query Log Stream.
  4. Enter the hostname of the BlueCat Edge server, for example, customer.bluec.at.
    Note: DO NOT enter "https" or the trailing "/".
  5. For Endpoint, select DNS Query Log Stream.
  6. Enter the SIEM credentials provided with your BlueCat Edge account. You received this token in the Welcome to BlueCat Edge email sent when the Administrator account was created. For more information, contact your BlueCat representative.

    The SIEM credentials are a small string in the following format: ABC12DE0FGH0IJK30LMnOPqrSTu5VWX30YZaBcD3EfG3HiJ4KLM

  7. Enter an interval in seconds that is less than 300 seconds (the DNS query log stream data rotates every 5 minutes).
  8. Leave the source type bluecat:dns:edge for the default parsing to apply.
  9. Select More settings and configure the following:
    • Host field value: Generally, this should be the host that collected the data (the host this input is configured on). This is the default value.
    • Index: The default is main but you may want to send this to an index containing related data (for example, "bluecat" or "dns"). See the Splunk documentation for more information about indexes.
  10. Click Next to save these settings.

    A screen with a check mark will appear, which indicates that the modular input has been created.

  11. Click Start Searching to begin searching logs in Splunk.

    If a red bar appears with a warning message, there is an error. Review the configuration and try again, or see the Troubleshooting section below.

    When you are done, continue with the next procedure.

Step 2: Configure policy details collection
  1. On the BlueCat Edge Data Inputs screen, click New.
  2. Enter a name for the input, for example Policy Details.
  3. Enter the hostname of the BlueCat Edge server, for example, customer.bluec.at.
    Note: DO NOT enter "https" or the trailing "/".
  4. For Endpoint, select Policy Details.
  5. Enter your client ID and secret access key for the BlueCat Edge API.
  6. Enter your secret access key again in the Confirm password field.
  7. Enter an interval in seconds. The interval dictates how often policy details are pulled into Splunk and should reflect how often BlueCat Edge policies are likely to change (for example, 3600).
  8. Leave the source type bluecat:dns:edge for the default parsing to apply.
  9. Select More settings and configure the following:
    • Host field value: Generally, this should be the host that collected the data (the host this input is configured on). This is the default value.
    • Index: The default is main but you may want to send this to an index containing related data (for example, "bluecat" or "dns"). See the Splunk documentation for more information about indexes.
  10. Click Next to save these settings.

    A screen with a check mark will appear, which indicates that the modular input has been created.

  11. Click Start Searching to begin searching for policy details.

    If a red bar appears with a warning message, there is an error. Review the configuration and try again, or see the Troubleshooting section below.

Note:
  • Searches for BlueCat Edge data rely on a macro called "get_bluecat_dns_edge_index". By default, this macro searches "index=main". If you change the index for your BlueCat data, update this macro with the index name by going to Settings > Advanced Search > Search macros > get_bluecat_dns_edge_index and updating the search to match the index your data is in (for example, "index=bluecat").
  • These inputs can be modified at any time by visiting Settings > Data Inputs > BlueCat Edge Modular Input.
  • To get started with visualizing this data, install the BlueCat Edge App for Splunk.

Troubleshooting

If you receive errors, try the following:
  • Search Splunk internal logs: index=_internal sourcetype=splunkd log_level!=INFO *bluecat_dns_edge.py*
  • Verify that the data collection host has access to BlueCat Edge server on port 443.
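The following preflight script is an added example, not BlueCat's or Splunk's code. It encodes the rules stated in the input procedures above (bare hostname with no "https" and no trailing "/", a DNS Query Log Stream interval under 300 seconds) and the troubleshooting check that the collection host can reach the Edge server on port 443, so you can validate settings before saving them in Splunk. The hostname pattern assumes a fully qualified name like the page's customer.bluec.at example.

```python
"""Preflight checks for a BlueCat Edge modular input (added example)."""
import re
import socket

DNS_STREAM = "DNS Query Log Stream"
POLICY_DETAILS = "Policy Details"
DNS_STREAM_MAX_INTERVAL = 300  # the query log stream rotates every 5 minutes

# Assumption: the Edge server is given as a fully qualified DNS name
# (letters, digits and hyphens, at least one dot), as in customer.bluec.at.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def validate_input(host, endpoint, interval):
    """Return a list of problems; an empty list means the settings look valid."""
    problems = []
    if host.lower().startswith(("http://", "https://")):
        problems.append('hostname must not include the "https://" scheme')
    if host.endswith("/"):
        problems.append('hostname must not include a trailing "/"')
    if not problems and not _HOSTNAME_RE.match(host):
        problems.append("hostname is not a bare DNS name, e.g. customer.bluec.at")
    if endpoint not in (DNS_STREAM, POLICY_DETAILS):
        problems.append("endpoint must be %r or %r" % (DNS_STREAM, POLICY_DETAILS))
    if not isinstance(interval, int) or interval <= 0:
        problems.append("interval must be a positive number of seconds")
    elif endpoint == DNS_STREAM and interval >= DNS_STREAM_MAX_INTERVAL:
        problems.append("DNS Query Log Stream interval must be less than 300 seconds")
    return problems


def edge_server_reachable(host, port=443, timeout=5.0):
    """True if a TCP connection to host:port succeeds (the troubleshooting check)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed settings mirroring the procedure's example hostname.
    for host, endpoint, interval in [
        ("customer.bluec.at", DNS_STREAM, 120),
        ("https://customer.bluec.at/", DNS_STREAM, 600),
        ("customer.bluec.at", POLICY_DETAILS, 3600),
    ]:
        print(host, endpoint, interval, validate_input(host, endpoint, interval) or "OK")
```

Run edge_server_reachable() only from the host that will run the data input, since that is the path the firewall rule must allow.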

Install the BlueCat Edge for Splunk app

Install the technical add-on per the instructions above, configure inputs, and verify that data is flowing into Splunk successfully before using this app.
  1. In Splunkbase, download the BlueCat Edge for Splunk app.
  2. Log into your Splunk instance using an account with Administrator access.
  3. In Splunk, click the Apps drop-down in the upper-left corner of the window, and select Manage Apps.
  4. Click Install app from file, and then Choose file and navigate to the app package you downloaded.
  5. Click Upload.

Using the app

Return to the Splunk Home page and select BlueCat Edge for Splunk. On the Policy Events page you can review policy event details. You can view events for all policies, or you can select one policy and click Submit to view only events for that policy. You can also filter by source IP, and change the time range for which to view policy events.

The Policies drop-down won't work until there is policy detail data and a lookup has been generated. To generate a Policy Details lookup table quickly, visit the Policy Details page. On this page, you can review details about individual policies. Use the Time drop-down to specify the time range for which you want to see policy events for each policy.

On the Policy Alerts page, you can select policy events that you want to be alerted about. To modify the settings for this alert, navigate to Settings > Searches, Reports, and Alerts > BlueCat Edge - Policy Alerts. There, you can configure alert actions (email, ticket, scripts) and modify the alert schedule.