Splunk Integration

Endpoint Privilege Management can send Accept and Reject event data to Splunk via syslog, using the syslogsession_start_format and syslog_reject_format settings.

Endpoint Privilege Management for Unix and Linux 10.0.1 adds the keyword syslogsession_finished_format_logserver, which includes exit status data and is emitted by the log server (unlike syslogsession_finished_format, which is emitted by each run host). Both syslog and syslogsessions must be set to yes for these keywords to take effect, and the syslog keyword must be configured so that the messages reach Splunk.

Various syslog implementations rate-limit incoming messages (rsyslog's imuxsock rate limiting and journald's RateLimitIntervalSec/RateLimitBurst, for example) and discard anything over the threshold. Configure them accordingly; a burst of Accept or Reject events that exceeds the limit is dropped on the sending host and never reaches Splunk.

Endpoint Privilege Management can also send ACA data to Splunk, via the iologcloseaction() procedure defined in the policy language. This makes use of the Perl script closeactionsplunk.pl, normally located in /opt/pbul/scripts/.

The use of this Perl script may require additional Perl modules to be installed. The script requires an Endpoint Privilege Management for Unix and Linux REST App ID and App Key, configured near the top of the script. The App Key is a credential, so keep the script readable only by the account that runs it.

Example Splunk App

Endpoint Privilege Management for Unix and Linux has an example Splunk app available from the Splunk website.

Once the Splunk App is installed in Splunk, if Splunk is to be configured to accept syslog data, do the following within the Splunk GUI:

  1. Click Settings > Data Inputs > UDP + Add New.
  2. Enter port 514, then click Next.
  3. Click App Context.
  4. Select BeyondTrust App for Splunk (App-BeyondTrust).
  5. Click Select Source Type.
  6. Enter the first few characters of beyondtrust:syslog. The search box should find beyondtrust:syslog.
  7. Select that, click Review, and then Submit.
  8. Click Settings > Advanced Search > Search Macros.
  9. Select the app: BeyondTrust App for Splunk.
  10. Verify that the macro named get_beyondtrust_index_sourcetype has the Definition: (index="main" sourcetype="beyondtrust:syslog"). If the UDP input was pointed at a different index, change the macro to match; otherwise the app's searches return nothing.

Two caveats on the UDP input: binding port 514 requires the Splunk process to run as root or with an equivalent privilege, so an unprivileged Splunk instance needs a port above 1024, and the syslog daemons on the policy and log servers must then be pointed at that port. Syslog over UDP is neither authenticated nor encrypted, so restrict which hosts can reach the listener; anything that can send a datagram to it can inject events into the index.

To send Reject and Finish event data to Splunk (in a format that the Splunk app recognizes), set the following syslog formatting keywords in /etc/pb.settings on the policy servers and log servers:

syslog_reject_format "BeyondTrust_PBUL_REJECT_Event: Time_Zone='%timezone%'; Request_Date='%date%'; Request_Time='%time%'; Request_End_Date='%date%'; Request_End_Time='%time%'; Submit_User='%user%'; Submit_Host='%submithost%'; Submit_Host_IP='%submithostip%'; Run_User='None'; Run_Host='None'; Run_Host_IP='No IP Address'; Current_Working_Directory='%cwd%'; Requested_Command='%command%'; Requested_Arguments='%argv%'; Command_Executed='None'; Command_Arguments='%runargv%'; ACA_Event='False'; ACA_Date='NA'; ACA_Time='NA'; ACA_Authorization='NA'; ACA_CWD='NA'; ACA_Action='NA'; ACA_Target='NA'; ACA_Arguments='NA'; Log_Servers='%logservers%'; Session_Recording_File='Session Not Recorded'; Risk_Rating='%pbrisklevel%'; Authorizing_Server='%masterhost%'; Event_Status='Reject'; Exit_Status='%exitstatus%'"
syslogsession_finished_format_logserver "BeyondTrust_PBUL_ACCEPT_Event: Time_Zone='%timezone%'; Request_Date='%date%'; Request_Time='%time%'; Request_End_Date='%exitdate%'; Request_End_Time='%exittime%'; Submit_User='%user%'; Submit_Host='%submithost%'; Submit_Host_IP='%submithostip%'; Run_User='%runuser%'; Run_Host='%runhost%'; Run_Host_IP='%runhostip%'; Current_Working_Directory='%cwd%'; Requested_Command='%command%'; Requested_Arguments='%argv%'; Command_Executed='%runcommand%'; Command_Arguments='%runargv%'; ACA_Event='False'; ACA_Date='NA'; ACA_Time='NA'; ACA_Authorization='NA'; ACA_CWD='NA'; ACA_Action='NA'; ACA_Target='NA'; ACA_Arguments='NA'; Log_Servers='%pblogdnodename%'; Session_Recording_File='%iolog_list%'; Risk_Rating='%pbrisklevel%'; Authorizing_Server='%masterhost%'; Event_Status='Accept'; Exit_Status='%exitstatus%'"
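As an added example (not code from this page or from BeyondTrust), the following Python renders both format strings with constructed sample values, then parses the resulting lines back the way a collector or a detection rule would. The sample hosts, users and paths, and the render, parse and triage helpers, are assumptions made for the illustration. It shows the one property of this format that any parser has to handle: values are substituted without escaping, so a command argument that contains "'; Key='" is indistinguishable from a field boundary. Rather than let a later occurrence of a key silently replace an earlier one (which would let a crafted argument rewrite Event_Status in the parsed record), the parser rejects lines with unknown or repeated keys.

```python
import re
from typing import Dict, List, Tuple

# The two format strings from /etc/pb.settings, as on the page (wrapped for readability).
REJECT_FORMAT = (
    "BeyondTrust_PBUL_REJECT_Event: Time_Zone='%timezone%'; Request_Date='%date%'; Request_Time='%time%'; "
    "Request_End_Date='%date%'; Request_End_Time='%time%'; Submit_User='%user%'; Submit_Host='%submithost%'; "
    "Submit_Host_IP='%submithostip%'; Run_User='None'; Run_Host='None'; Run_Host_IP='No IP Address'; "
    "Current_Working_Directory='%cwd%'; Requested_Command='%command%'; Requested_Arguments='%argv%'; "
    "Command_Executed='None'; Command_Arguments='%runargv%'; ACA_Event='False'; ACA_Date='NA'; ACA_Time='NA'; "
    "ACA_Authorization='NA'; ACA_CWD='NA'; ACA_Action='NA'; ACA_Target='NA'; ACA_Arguments='NA'; "
    "Log_Servers='%logservers%'; Session_Recording_File='Session Not Recorded'; Risk_Rating='%pbrisklevel%'; "
    "Authorizing_Server='%masterhost%'; Event_Status='Reject'; Exit_Status='%exitstatus%'"
)
ACCEPT_FORMAT = (
    "BeyondTrust_PBUL_ACCEPT_Event: Time_Zone='%timezone%'; Request_Date='%date%'; Request_Time='%time%'; "
    "Request_End_Date='%exitdate%'; Request_End_Time='%exittime%'; Submit_User='%user%'; Submit_Host='%submithost%'; "
    "Submit_Host_IP='%submithostip%'; Run_User='%runuser%'; Run_Host='%runhost%'; Run_Host_IP='%runhostip%'; "
    "Current_Working_Directory='%cwd%'; Requested_Command='%command%'; Requested_Arguments='%argv%'; "
    "Command_Executed='%runcommand%'; Command_Arguments='%runargv%'; ACA_Event='False'; ACA_Date='NA'; ACA_Time='NA'; "
    "ACA_Authorization='NA'; ACA_CWD='NA'; ACA_Action='NA'; ACA_Target='NA'; ACA_Arguments='NA'; "
    "Log_Servers='%pblogdnodename%'; Session_Recording_File='%iolog_list%'; Risk_Rating='%pbrisklevel%'; "
    "Authorizing_Server='%masterhost%'; Event_Status='Accept'; Exit_Status='%exitstatus%'"
)

# Constructed sample values standing in for what the policy server / log server
# would substitute for each %variable%; hosts, users and paths are made up.
REJECT_VARS: Dict[str, str] = {
    "timezone": "UTC", "date": "2024/01/15", "time": "10:30:15", "user": "alice",
    "submithost": "host1.example.com", "submithostip": "192.0.2.10",
    "cwd": "/home/alice", "command": "/usr/bin/passwd", "argv": "passwd root",
    "runargv": "", "logservers": "logsrv1.example.com", "pbrisklevel": "9",
    "masterhost": "pbmaster1.example.com", "exitstatus": "",
}
ACCEPT_VARS: Dict[str, str] = {
    **REJECT_VARS, "exitdate": "2024/01/15", "exittime": "10:31:02",
    "runuser": "root", "runhost": "host1.example.com", "runhostip": "192.0.2.10",
    "command": "/bin/ls", "argv": "ls -l /root", "runcommand": "/bin/ls",
    "runargv": "ls -l /root", "pblogdnodename": "logsrv1",
    "iolog_list": "/var/log/pb.iolog.alice.xyz", "pbrisklevel": "2", "exitstatus": "0",
}

TOKEN = re.compile(r"%(\w+)%")
HEADER = re.compile(r"^BeyondTrust_PBUL_(ACCEPT|REJECT)_Event: (.*)$")
# A field runs to the next "; Key='" or to end of line.  Values are substituted
# verbatim, with no escaping, so a value containing "'; Key='" looks like a boundary.
FIELD = re.compile(r"(\w+)='(.*?)'(?=; \w+='|$)")
KNOWN_KEYS = set(re.findall(r"(\w+)='", REJECT_FORMAT + ACCEPT_FORMAT))


def render(fmt: str, values: Dict[str, str]) -> str:
    """Expand %name% tokens; a token with no value is an error rather than left in place."""
    def sub(m) -> str:
        if m.group(1) not in values:
            raise ValueError(f"no value for %{m.group(1)}%")
        return values[m.group(1)]
    return TOKEN.sub(sub, fmt)


def parse(line: str) -> Tuple[str, Dict[str, str]]:
    """Split one event line into (ACCEPT|REJECT, {field: value})."""
    # Unknown or repeated keys are refused: with a plain dict, a repeated key would
    # let a crafted command argument overwrite an earlier field such as Event_Status.
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a BeyondTrust_PBUL event line")
    kind, body = m.groups()
    fields: Dict[str, str] = {}
    pos = 0
    while pos < len(body):
        f = FIELD.match(body, pos)
        if not f:
            raise ValueError(f"malformed field at offset {pos}: {body[pos:pos + 24]!r}")
        key, value = f.groups()
        if key not in KNOWN_KEYS or key in fields:
            raise ValueError(f"unknown or repeated field {key!r}; a value may contain a delimiter")
        fields[key] = value
        pos = f.end() + 2 if body.startswith("; ", f.end()) else f.end()
    if fields.get("Event_Status") != kind.capitalize():
        raise ValueError("Event_Status disagrees with the event header")
    return kind, fields


def triage(lines: List[str]) -> Dict[str, int]:
    """Count rejects, accepted commands that exited non-zero, and lines the parser refused."""
    counts = {"accept": 0, "reject": 0, "accept_nonzero_exit": 0, "unparseable": 0}
    for line in lines:
        try:
            kind, fields = parse(line)
        except ValueError:
            counts["unparseable"] += 1
            continue
        counts[kind.lower()] += 1
        if kind == "ACCEPT" and fields["Exit_Status"] not in ("", "0"):
            counts["accept_nonzero_exit"] += 1
    return counts
```

Call parse(render(REJECT_FORMAT, REJECT_VARS)) to see the round trip. The same concern applies to whatever field extraction Splunk performs on these lines; it is worth checking how the app's extractions behave on a request whose arguments contain single quotes and semicolons before building alerts on Event_Status or Risk_Rating.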

The log servers require the -r option to pblogd for rejects to be sent to syslog.

For example, on RHEL 6.x, edit /etc/xinetd.d/pblogd, changing server_args to include the -r, then restart xinetd.

server_args =  -r -i xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Similarly, for RHEL 7.x, edit /etc/systemd/system/pblogd@.service so that ExecStart includes the -r, run systemctl daemon-reload so that systemd reads the edited unit, and restart the pblogd service. Confirm that the running pblogd processes show -r in their arguments (for example, in the output of ps) before relying on reject events in Splunk.

ExecStart=-/usr/sbin/pblogd  -r -i xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

To send ACA data to Splunk (in a format that the Splunk app recognizes), the policy must specify an I/O log and enable session history as well as specify an iologcloseaction to run the Perl script. The example Endpoint Privilege Management for Unix and Linux policy /opt/pbul/policies/pbul_functions.conf includes example Procedure SplunkRole() to accomplish all the necessary tasks (to enable this procedure, set EnableSplunkRole = true in /opt/pbul/policies/pbul_policy.conf).

Perl modules such as perl-JSON and perl-Sys-Syslog may need to be installed.

Create an App ID and App Key for the Splunk script on the log server:

pbadmin --rest -g SPLUNK-DATA -m SplunkDataAppID

Then edit the /opt/pbul/scripts/closeactionsplunk.pl script on the log server(s) and change the configurable items appropriately:

my $pbr_appid    = "REPLACE-ME";
my $pbr_appkey   = "REPLACE-ME";

In addition to editing the App ID and App Key, several other edits may be necessary:

The closeactionsplunk.pl script currently uses the auth syslog facility. Depending on the log server OS, this may need to be changed to authpriv in closeactionsplunk.pl, or auth may need to be configured in addition to authpriv in /etc/syslog.conf (rsyslog.conf, etc.).

The closeactionsplunk.pl script uses /usr/sbin/pbrestcall internally. This works for installations without a prefix or suffix. If a prefix/suffix installation is used, edit the script to use the appropriate prefix/suffix for pbrestcall. The closeactionsplunk.pl script uses the default rest port (24351), which may need to be changed depending on the actual port used. That port number currently appears in the line:

my $pbr_url = "https://localhost:24351/REST";

The Splunk app can be located at https://splunkbase.splunk.com/app/4017/ or from within the Splunk GUI under Apps > Find More Apps.