App Control: How to Configure Splunk Integration

Article ID: 286737

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

This article describes how to integrate Splunk analytics with App Control.

Environment

  • App Control Server: All Supported Versions
  • Splunk Enterprise: Versions 5.0 - 7.3

Resolution

  1. Log in to the Console and navigate to the gear icon > System Configuration > External Analytics > Edit.
  2. In the General section: 
    • Check the box to Enable Export.
    • Specify the Export Directory (this should be a local drive on the application server) and click Test.
    • Determine whether File Catalog, File Operations or Events will be included.
    • Determine whether a Limit will be enforced on the Export Directory.
  3. Specify the Splunk web server in the Root URL field.
  4. The defaults for each of the Analytics Server Reports can be filled in using the "Set Analytics URLs to Splunk Defaults" button.
  5. Click Update to save the settings.

Note: To configure the Splunk Server for integration with the App Control server, please review the following article from Splunk.

Additional Information

  • Currently the External Analytics feature only supports Splunk Enterprise through version 7.3.
  • Integrating App Control with a newer version of Splunk will require exporting the Events using the SYSLOG option as outlined here.
  • Further information can be found in the Server Documentation > Supported Integrations section of the App Control documentation.