Splunk is a third party tool that captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations.

You have some options when it comes to integrating IdentityIQ with Splunk, and the choice mainly centers around what information from IdentityIQ you want to see in Splunk.

1. Point Splunk to the IdentityIQ log files.
2. Using Splunk DB Connect, point Splunk to specific IdentityIQ DB tables.

How have you configured your IdentityIQ installation? What type of data are you looking for? If you've heavily invested in log4j by making specific log4j files for different events, and you are looking for "Application administration" type data (i.e. task failures, code exceptions, etc.), then the easiest thing is to just point Splunk to your log files. If you are looking for audit-specific data, then you'll need to point Splunk to the audit tables within IdentityIQ, thus using the Splunk DB Connect app.

I won't go over the log file option in great detail, as it's fairly straightforward and should only take you a couple of minutes to get up and running. First, after logging into your Splunk Dashboard, select Data Inputs. After that you want to select the Files and Directories option. When specifying the directory, the quickest option is just to point to the application server logs directory (with log4j configured, you can alternatively point to the specific log4j files to eliminate all the white noise from the other application server logs). As you can see, pointing to log files is pretty easy to do in Splunk, so I'll leave you to Google and the interwebs for any further questions on this.

Ok, so the first thing you need to do is download the Splunk DB Connect app. You can do that here: Splunk DB Connect | Splunkbase (Disclaimer: That app is built by Splunk, runs on Splunk's platform, and is used by Splunk. Are you seeing a pattern here? So if you have problems with that app, contact Splunk). The documentation around connecting and configuring Splunk DB Connect is fairly in depth, so instead of reinventing the wheel I'll just point you to the goods: About Splunk DB Connect - Splunk Documentation

From a high level, you can go to the Splunk App Store to add the DB Connect add-on. (Note: Since I've already installed it, the button states Open App; if it is not installed it will state Install.) After that you want to add the database drivers for DB Connect into the $SPLUNK_HOME/etc/apps/splunk_app_db_connect/drivers directory.

Now that you have Splunk DB Connect set up, you want to navigate to the Configuration -> Databases -> Identities tab and add the admin credentials to connect to your IIQ database. Next, navigate to the Connections tab and add your IIQ database.

Now we select the tables that we want Splunk to search. We do this by using the Connection, Catalog, Schema, and Table options on the left hand side of the screen. The good thing is that as you select values, the app will automatically query the database for the others, allowing you to browse for the data you want. Here we are going to select the spt_audit table. Once you select the table, the app will generate and send a query giving you an example of the data. Last step here: give the input a name, time to run, and metadata information so we can save our new input.

Ok, so now our setup is finished and we have a shiny new source just waiting to be Splunked. Once you save your new input, you'll be taken back to the Data Lab home screen. From there you will see your list of Inputs, with the name of your recently created input highlighted in blue. To the far right under the Actions header you'll find 4 clickable actions. When you click the Find Events link, it will run your input query and send you to the Splunk Search screen. You will now be able to do all the Splunk goodness your heart desires against the IdentityIQ audit data.

We have also integrated with Splunk and it is definitely a great tool from a monitoring and alerting perspective.