Set up Splunk Enterprise to Collect Privilege Management Events

Splunk Enterprise is a data collection service that indexes events from a variety of sources. Splunk Enterprise can be used to capture and report on events from Privilege Management.

Prerequisites

The following versions of Splunk Enterprise and Privilege Management Reporting are supported:

  • Splunk Enterprise 6.5 or later
  • Privilege Management Reporting 4.5 or later

Forward Privilege Management Events into Splunk Enterprise

Splunk Enterprise allows you to collect BeyondTrust events in two different ways. This guide covers:

  • From your endpoints or from your Windows Event Collector node using the Splunk Universal Forwarder. This approach is useful if you are collecting Windows event log events from multiple sources including Privilege Management, or if you are not using the Privilege Management Reporting database.
  • Importing events from the Privilege Management Reporting database using Splunk DB Connect. This approach can be used with Privilege Management Reporting database version 4.5 or later deployed with any of our management platforms. With this approach you do not need to deploy further agents to your endpoints.

Data Quantity

Typically, a well-configured Privilege Management endpoint generates about fifteen to twenty events each day. This is highly dependent on configuration and can be significantly higher.

  • For DB Connect, set the Execution Frequency to a period of at least one minute. We recommend every five minutes as a reasonable default. The cron style setup allows updates at quiet times (for example, overnight) if timely delivery to Splunk is less important than conserving network bandwidth or database server resources.
  • For DB Connect, the Fetch Size in the database connections can remain as the default (300).
  • The Max rows to retrieve can be configured to limit load (for example, after an outage). Setting the value to unlimited (0 or blank) is recommended. This ensures all the data is collected and the Splunk server does not fall behind, which can occur if this value is set too low.
  • Data held in the Reporting database is deduplicated. This can be beneficial if you have a tiered approach to your event collection as you can use the rising column value to assist with batch processing.

When using DB Connect, you can also filter the data in the query so that you import only what you need.
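To show why the rising column, the Execution Frequency and the Max rows setting interact the way the list above describes, here is an added Python example; it is not from this page or from BeyondTrust, and it uses an in-memory SQLite table with constructed event rows as a stand-in for the Reporting database (the `events` table and its columns are assumptions, not the Reporting schema).

```python
import sqlite3

EVENTS_PER_ENDPOINT_PER_DAY = 20   # upper end of the figure quoted above
POLLS_PER_DAY = 24 * 60 // 5       # a five-minute Execution Frequency

def make_db(endpoints, days):
    """Constructed stand-in for the Reporting database (assumed schema, not
    the real one): one row per event, with an auto-incrementing id that
    plays the role of the rising column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, host TEXT, msg TEXT)")
    rows = [(f"host{h}", "process launched")
            for _ in range(days * EVENTS_PER_ENDPOINT_PER_DAY)
            for h in range(endpoints)]
    db.executemany("INSERT INTO events (host, msg) VALUES (?, ?)", rows)
    db.commit()
    return db

def poll(db, checkpoint, max_rows):
    """One rising-column poll: read rows above the checkpoint in id order,
    capped at max_rows unless max_rows is 0 (unlimited). Returns the rows
    and the new checkpoint (the last id read)."""
    sql = "SELECT id, host, msg FROM events WHERE id > ? ORDER BY id"
    params = [checkpoint]
    if max_rows > 0:
        sql += " LIMIT ?"
        params.append(max_rows)
    rows = db.execute(sql, params).fetchall()
    return rows, (rows[-1][0] if rows else checkpoint)

def backlog_after(db, max_rows, polls):
    """Start with everything unread (as after an outage), run `polls` polls
    and return how many rows are still waiting to be collected."""
    checkpoint = 0
    for _ in range(polls):
        rows, checkpoint = poll(db, checkpoint, max_rows)
        if not rows:
            break
    return db.execute("SELECT COUNT(*) FROM events WHERE id > ?",
                      (checkpoint,)).fetchone()[0]

def steady_state_rows_per_poll(endpoints):
    """Expected rows per five-minute poll when there is no backlog."""
    return endpoints * EVENTS_PER_ENDPOINT_PER_DAY / POLLS_PER_DAY

if __name__ == "__main__":
    print(steady_state_rows_per_poll(500))          # about 35 rows per poll
    print(backlog_after(make_db(500, 1), 300, 12))  # 6400 rows still unread after an hour
    print(backlog_after(make_db(500, 1), 0, 1))     # 0: one unlimited poll drains the backlog
```

With 500 endpoints a cap of 300 rows is ample for the steady-state 35 rows per poll, but after a one-day outage it takes 34 polls to catch up, which is the "falling behind" case the list warns about.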

For more information, please see Work with Data in Splunk Enterprise.