Egnyte Collaborate Add-on for Splunk

Overview

The Egnyte Collaborate Add-on for Splunk ingests audit events generated by Egnyte's Collaborate product into Splunk. This lets Splunk administrators track enterprise-wide Egnyte audit logs directly from Splunk.

The Egnyte Collaborate TA (Technology Add-on) is downloadable from Splunkbase and is installed and configured inside Splunk. It populates a Splunk index with logs pulled from Egnyte, making them searchable so users can build their own alerts, reports and tables.

 

Egnyte Collaborate Add-on on Splunkbase

The bundle for the Egnyte Collaborate Add-on for Splunk is available on Splunkbase:

Bundle Name                            SplunkBase URL                             Description
Egnyte Collaborate Add-on for Splunk   https://splunkbase.splunk.com/app/5653/    Egnyte Collaborate Add-on to ingest events into Splunk.

 

Setting up the Egnyte Collaborate Add-on in a Splunk Environment

Installing the Add-on in Splunk

The Egnyte Collaborate Add-on lets you collect event data from the Egnyte Collaborate product.

Before setting up the Add-on, ensure that all of the following requirements are met:

  • Splunk credentials with the admin role
  • Access to an Egnyte Collaborate domain
  • Splunk Enterprise 7.x or later

Phase 1: Install the Egnyte Collaborate Add-on in Splunk
Task: Download the free Egnyte Collaborate Add-on from Splunkbase and install it.
  1. Go to the Splunk App Store: https://splunkbase.splunk.com/
  2. In the search field, search for Egnyte Collaborate.
  3. In the search results, click Egnyte Collaborate Add-on for Splunk and download it.

Phase 2: Configure the Egnyte Collaborate Add-on in Splunk
Task: Configure the Add-on in Splunk.
  The Add-on must be configured in your Splunk instance before Egnyte Collaborate data can be sent into it. See "Configure Egnyte Collaborate Add-on in Splunk Instance" below.
  Note: The Splunk user must have the privileges needed to configure the Add-on.

 

Configuring Egnyte Apps

To configure the Egnyte Collaborate Add-on in the Splunk instance:

  1. Open the Egnyte Collaborate Add-on.
  2. Click Configuration > Account > Add.
  3. Enter the account, domain, and client information. Egnyte Collaborate supports OAuth 2.0.
  4. Click the Generate Code link to begin the authorization process against the Egnyte Collaborate endpoint. A new browser window opens in which Splunk can be authorized to ingest events.

    Field Name           Description
    Account name         Logical name for the input.
    Egnyte Domain        Egnyte domain for this account.
    Client ID            Client ID for this account.
    Generate Code        Generates the "Authorization Code".
    Client Secret        Client secret for this account.
    Authorization Code   Paste the code copied from the authorization window.
    Index                Index into which the Add-on collects Egnyte Collaborate data. Default value: main

    Follow the steps below to obtain the Client ID and Client Secret:

    1. An Egnyte admin must register an application for their domain on this link. Under Register Your New Application, choose Public Available Application as the Type, New App as the Current User Base, and Other as the Platform.
    2. The Egnyte domain used for testing is a trial domain; customers can register for a trial domain if they do not already have one.
    3. Under Select which web APIs you will use, select the required web APIs.
    4. In the Please describe what your application will do field, enter Splunk Collaborate, Splunk S&G, or Splunk Collaborate and S&G, as appropriate.
    5. The Registered OAuth Redirect URI field can be left blank.
    6. Fill in the remaining details and click Register.

    The application goes through Egnyte's verification process and is activated once verification succeeds. The activated application provides the Client ID and Client Secret to enter in Splunk.

  5. The authorization window asks for the email address and password of an Egnyte account. Click Allow Access to authorize the Splunk Add-on. The authorizing account must be an Admin account or a Power User with the Can Run Reports role, and must not be a service account; the Add-on collects audit data with this user's privileges.
  6. After you click Allow Access, a code is displayed that must be supplied back to the Splunk Add-on. Click Copy.
  7. Return to the Splunk Add-on configuration page, fill in the remaining details (including the copied Authorization Code), and click Add.
  8. Click the Inputs tab.
  9. All inputs for the account are initially Disabled.
  10. Click Action > Enable for each input that should be collected.
  11. To update an input, click Action > Edit. The input dialog displays all the fields; enter the information and click Update.

 

Field Name              Description
Interval (in seconds)   Interval at which the Add-on is invoked to collect data from Egnyte Collaborate. Recommended value: 300
Egnyte Domain           Egnyte domain for this account.
Index                   Index into which the Add-on collects Egnyte Collaborate data. Default value: main
Data Type               List of data types the Add-on collects.
Global Account          The account configured on the Configuration page.
Start Date              Start time in the format YYYY-MM-DDTHH:MM:SSZ; can be set at most 24 hours in the past.

 

Installing and Configuring the Add-on in a Distributed Splunk Environment

The following matrix shows where the app is deployed in a distributed Splunk environment.

App Name                               Search Head Instance   Indexer Instance   Forwarder Instance
Egnyte Collaborate Add-on for Splunk   No                     No                 Yes

For information about distributed deployments of Splunk, see Splunk's documentation:
https://docs.splunk.com/Documentation/Splunk/7.2.4/Deploy/Deploymentcharacteristics

 

APPENDIX A: Various Possible Splunk Distributed Deployments

Indexer Clustering
https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Aboutindexesandindexers
https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Basicclusterarchitecture

Search Head Clustering
http://docs.splunk.com/Documentation/Splunk/7.2.4/DistSearch/Configuresearchheadpooling

Multisite Clustering
http://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Multisitearchitecture

 

APPENDIX B: Event data collection in Splunk

Index

In Splunk, all application event data is stored in indexes. It is good practice to create the indexes when installing an app, before any app configuration is done. The Egnyte Collaborate Add-on for Splunk uses the default Splunk index below:

Index Name   Created in App/Manual                       Purpose/Type of Event Data
main         Available as part of the Splunk framework   All event data from Egnyte Collaborate is indexed here by default.

This index is used to collect data from the Egnyte Collaborate Add-on for Splunk. It should not be cleaned; otherwise the collected information will be lost.

Source type

Source types are default Splunk fields used to categorize and parse indexed data. The table below shows how Egnyte Collaborate event data is distributed across them.

Read more about the default fields at:
https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Aboutdefaultfields

Index Name   Source type                         Purpose/Type of event data
main         egnyte:connect:audit:file           All FILE_AUDIT events reported by Egnyte Collaborate.
main         egnyte:connect:audit:login          All LOGIN_AUDIT events reported by Egnyte Collaborate.
main         egnyte:connect:audit:permission     All PERMISSION_AUDIT events reported by Egnyte Collaborate.
main         egnyte:connect:audit:user           All USER_AUDIT events reported by Egnyte Collaborate.
main         egnyte:connect:audit:wg_settings    All WG_SETTINGS_AUDIT events reported by Egnyte Collaborate.
main         egnyte:connect:audit:group          All GROUP_AUDIT events reported by Egnyte Collaborate.
main         egnyte:connect:audit:workflow       All WORKFLOW_AUDIT events reported by Egnyte Collaborate.
_internal    ta:egnyteconnect:log                Operational log entries written by the Add-on itself (input runs and errors); these go to Splunk's _internal index, not alongside the audit data.
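Two searches to verify that collection is working, added here as an example and not part of the original article or of Egnyte's Add-on. They use only the index and source type names listed above and assume the default index main (change `index=main` if another index was chosen on the Configuration page). The first reports, per audit source type, how many events arrived in the last 24 hours and how many minutes have passed since the newest one. The second pulls error lines from the Add-on's own log in _internal, which is where collection failures are recorded.

```spl
index=main sourcetype=egnyte:connect:audit:* earliest=-24h
| stats count AS events, min(_time) AS first_seen, max(_time) AS last_seen BY sourcetype
| eval lag_minutes=round((now() - last_seen) / 60, 0)
| eval first_seen=strftime(first_seen, "%Y-%m-%dT%H:%M:%SZ"),
       last_seen=strftime(last_seen, "%Y-%m-%dT%H:%M:%SZ")
| table sourcetype events first_seen last_seen lag_minutes
| sort - lag_minutes

index=_internal sourcetype=ta:egnyteconnect:log earliest=-24h (ERROR OR CRITICAL)
| stats count AS errors, latest(_time) AS last_error_time, latest(_raw) AS last_error BY host
| eval last_error_time=strftime(last_error_time, "%Y-%m-%dT%H:%M:%SZ")
```

To turn the first search into a scheduled alert, append `| where lag_minutes > 10` (twice the recommended 300-second interval). A source type that is enabled but missing from the results has received nothing in 24 hours, so also compare the returned source types against the table above; a silent input usually means the authorization granted in the Configuration steps is no longer valid, and the second search will show the reason.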

 

 
