Customizing after installation


Set up a data input to populate the BMC AMI Defender App for Splunk dashboards with data. You can see an example input in one of the following locations, depending on the data handler that you installed:

  • $SPLUNK_HOME/etc/apps/BMC_AMI_Defender_SPLN/README/inputs.conf.example 
  • $SPLUNK_HOME/etc/apps/BMC_AMI_Defender_CEF/README/inputs.conf.example

BMC recommends that you copy this example file to one of the following locations and rename it to inputs.conf:

  • $SPLUNK_HOME/etc/apps/BMC_AMI_Defender_SPLN/default/
  • $SPLUNK_HOME/etc/apps/BMC_AMI_Defender_CEF/default/

Note that Splunk reads settings in an app's local/ directory in preference to the same settings in default/, and that an app upgrade replaces the contents of default/. The Splunk interface procedure below writes the input to local/inputs.conf; if you edit the file by hand and want it to survive an upgrade of the data handler app, place it in local/ instead.

You can also create a data input manually or through the Splunk interface.

To create and configure a new data input through the Splunk interface

The following procedure creates a UDP connection as an example:

  1. In the Splunk interface, from the Settings menu, click Data Inputs (under the DATA section).
  2. Click the local input type UDP, then click New Local UDP.
  3. In the Select Source screen, enter the port number.
    BMC recommends a TCP or UDP connection using port 514.
    On Linux, ports below 1024 are privileged, so a splunkd that runs as a non-root user cannot bind port 514 unless it has CAP_NET_BIND_SERVICE or a port redirect is in place. Plain syslog over UDP or TCP is neither authenticated nor encrypted, so restrict which hosts can reach the port with a host firewall or the acceptFrom setting of the input stanza.
  4. Set up the Input Settings screen as follows:

    • For the SPLN data handler
      • From the Select Source Type list, select Application > clspln.
      • Set App Context to BMC AMI Defender SPLN Data Handler, which saves the input configuration to $SPLUNK_HOME/etc/apps/BMC_AMI_Defender_SPLN/local/inputs.conf.
    • For the CEF data handler
      • From the Select Source Type list, select Application > clcef.
      • Set App Context to BMC AMI Defender CEF Data Handler, which saves the input configuration to $SPLUNK_HOME/etc/apps/BMC_AMI_Defender_CEF/local/inputs.conf.

    Keep the Index on the default setting or any other index that you require. The items in the BMC AMI Defender App for Splunk product do not include references to specific index names.

  5. Review the options and click Submit.

After the setup is complete, you can set additional options manually, if required.

To enable original input data format retention (no_priority_stripping)

After you create the data input, add the no_priority_stripping = true option so that Splunk keeps the original format of the incoming messages. By default, Splunk removes the syslog priority field (the leading <PRI> value, for example <134>) from each message that arrives on a UDP input; with the option set, the field is retained and the data handler sees each message exactly as it was sent.

  1. Open the inputs.conf file in a text editor.
  2. On a new line inside the input's stanza, add no_priority_stripping = true.
    The updated stanza looks like the following:
    • For the SPLN data handler

      [udp://514]
      connection_host = ip
      sourcetype = clspln
      no_priority_stripping = true
      disabled = 0
    • For the CEF data handler

      [udp://514]
      connection_host = ip
      sourcetype = clcef
      no_priority_stripping = true
      disabled = 0
  3. After adding the no_priority_stripping option, save the file.
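Putting the two procedures above together (creating the input and adding no_priority_stripping), the following is an added example and not code from BMC or Splunk. It renders the UDP stanza for either data handler and checks an inputs.conf for the keys the page expects before you restart Splunk. It assumes a POSIX shell with awk, sed and grep, treats SPLUNK_HOME as /opt/splunk when the variable is unset, and uses a temporary directory in its demo in place of the app's local/ directory.

```shell
#!/bin/sh
# Added example, not BMC's or Splunk's own code: render the inputs.conf stanza
# described on this page and sanity-check an inputs.conf before restarting.
# Assumptions: a POSIX shell with awk, sed and grep; SPLUNK_HOME defaults to
# /opt/splunk when the variable is unset.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Print a UDP stanza for the SPLN or CEF data handler on the given port.
# The page's own example is a UDP input, and no_priority_stripping is a
# UDP-stanza setting in Splunk's inputs.conf, so only UDP is rendered here.
render_stanza() {
  port=$1
  handler=$2
  case "$handler" in
    SPLN) st=clspln ;;
    CEF)  st=clcef ;;
    *) printf 'unknown data handler: %s\n' "$handler" >&2; return 1 ;;
  esac
  printf '[udp://%s]\nconnection_host = ip\nsourcetype = %s\nno_priority_stripping = true\ndisabled = 0\n' \
    "$port" "$st"
}

# Return 0 when the file has a [udp://<port>] stanza carrying the expected
# sourcetype, no_priority_stripping = true and disabled = 0; otherwise report
# what is missing on stderr and return 1. Whitespace around "=" and at line
# ends is normalized first, so "sourcetype=clspln" is accepted as well.
check_inputs_conf() {
  file=$1
  port=$2
  st=$3
  stanza=$(sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/[[:space:]]*=[[:space:]]*/ = /' "$file" |
    awk -v s="[udp://$port]" '$0 == s {inside = 1; next} /^\[/ {inside = 0} inside && NF {print}')
  if [ -z "$stanza" ]; then
    printf 'missing stanza [udp://%s] in %s\n' "$port" "$file" >&2
    return 1
  fi
  rc=0
  for want in "sourcetype = $st" "no_priority_stripping = true" "disabled = 0"; do
    printf '%s\n' "$stanza" | grep -qx "$want" || {
      printf 'missing in [udp://%s]: %s\n' "$port" "$want" >&2
      rc=1
    }
  done
  # Ports below 1024 are privileged on Linux: a splunkd running as a non-root
  # user cannot bind them without CAP_NET_BIND_SERVICE or a port redirect.
  if [ "$port" -lt 1024 ]; then
    printf 'note: udp/%s is a privileged port; check that splunkd can bind it\n' "$port" >&2
  fi
  return $rc
}

# Usage demo against a constructed file in a temporary directory, not a live
# deployment. For a real install, the target is
#   $SPLUNK_HOME/etc/apps/BMC_AMI_Defender_SPLN/local/inputs.conf (or ..._CEF/...)
demo_dir=$(mktemp -d)
render_stanza 514 SPLN > "$demo_dir/inputs.conf"
if check_inputs_conf "$demo_dir/inputs.conf" 514 clspln; then
  printf 'inputs.conf OK: %s\n' "$demo_dir/inputs.conf"
fi
# After copying the file into place and restarting, confirm what splunkd
# actually loaded (settings in local/ win over default/):
#   "$SPLUNK_HOME/bin/splunk" btool inputs list 'udp://514' --debug
```

The check is deliberately strict about the three keys the page calls out, because a stanza that lacks no_priority_stripping will silently deliver messages with the syslog priority removed, which is exactly the case the second procedure exists to prevent.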

Enabling changes in Splunk

To enable your changes in Splunk, restart Splunk by selecting Settings > Server Controls > Restart Splunk.

If you cannot restart Splunk, go to http://yourSplunkServerName:8000/en-US/debug/refresh (use https if Splunk Web is configured for TLS) and select Refresh to reload the configuration without a restart.

After you restart Splunk, the new data input processes the messages that it receives, and the messages are also available to other applications in Splunk. The data handler assigns more specific source types to incoming messages and sets up events.

The dashboards in the data handler app and all other apps will begin to populate with data. Any messages and objects that the data handler processes will also be available to the other applications in Splunk.
