Release Date: Egnyte Collaborate Add-on for Splunk v1.0.0; July 19, 2021

Overview

The Egnyte Collaborate Add-on for Splunk provides insight into the audit events raised by Egnyte's Collaborate product. It lets Splunk administrators track the enterprise-wide audit logs recorded by Egnyte Collaborate directly from the Splunk App.

The Egnyte Collaborate TA (Technology Add-on) is downloadable from the Splunkbase portal and is installed and configured within the Splunk App. It fills the Splunk index with logs from Egnyte, making them searchable in Splunk so that users can create their own alerts and tables.

 

Egnyte Collaborate Add-on on Splunkbase

The bundle is available on Splunkbase for the Egnyte Collaborate Add-on for Splunk.

Bundle Name:     Egnyte Collaborate Add-on for Splunk
SplunkBase URL:  https://splunkbase.splunk.com/app/5653/
Description:     Egnyte Collaborate Add-on to ingest events into Splunk.

Setting up the Egnyte Collaborate Add-on in Splunk Environment

Installing the Add-on in Splunk

The Egnyte Collaborate Add-on lets you collect event data from the Egnyte Collaborate product.

Before you set up the app, ensure that you meet all of the following requirements:

  • Proper Splunk credentials (Admin)
  • Egnyte Collaborate Access
  • Splunk Enterprise 7.x and above

Phase: Install the Egnyte Collaborate Add-on in Splunk

  Task: Download the free Egnyte Collaborate Add-on from the Splunk App store and install it.

  1. Go to the Splunk App Store:
     https://splunkbase.splunk.com/
  2. In the search field, search for Egnyte Collaborate.
  3. In the search results, click on Egnyte Collaborate Add-on for Splunk and download it.

Phase: Configure the Egnyte Collaborate Add-on in Splunk

  Task: Configure the Add-on in Splunk.

  You must configure the Egnyte Collaborate Add-on in your Splunk instance for Egnyte Collaborate to send data into your Splunk instance.

  See: “Configure Egnyte Collaborate Add-on in Splunk Instance”

  Note: Your username should have the necessary privileges to configure the Add-on.

 

Configuring Egnyte Apps

Configure Egnyte Collaborate Add-on in Splunk Instance

1. Go to the Egnyte Collaborate Add-on.

2. Click on Configuration > Account > Add.

3. First, enter your account, domain, and client information. Egnyte Collaborate supports OAuth 2.0. To begin the authorization process, click on “Generate Code” to reach the Egnyte Collaborate endpoint. This opens a new browser window in which you authorize Splunk to ingest events.

  Field Name           Description
  Account name         The logical name for the input.
  Egnyte Domain        Egnyte Domain for this account.
  Client ID            Client ID for this account.
  Generate Code        Generates the code for “Authorization Code.”
  Client Secret        Client Secret for this account.
  Authorization Code   Paste the code that has been copied from the link.
  Index                Index name in which the Add-on collects Egnyte Collaborate data. Default value: main


To retrieve your Client ID and Client Secret, please reach out to our team at splunk@egnyte.com


4. You are asked for your email ID and password to connect to an Egnyte account. Click on “Allow” to authorize the Splunk App. You must authorize it with a full Admin account (not a service account).

5. After you click Allow, a code is displayed that you must supply back to the Splunk App. Click on Copy.

6. Go back to the Splunk Add-on configuration page, fill in the remaining details, and then click on Add.

7. Click on the Inputs tab.

8. All the inputs for the account are “Disabled.”

9. Click on Action > Enable for the input you want to collect.

10. To update an input, click on Action > Edit. The input box displays all the fields. Change the information you want to update, and click on Update.

  Field Name               Description
  Interval (in seconds)    The interval at which the Add-on is invoked to collect data from Egnyte Collaborate. Recommended value: 300
  Egnyte Domain            Egnyte Domain for this account.
  Index                    Index name in which the Add-on collects Egnyte Collaborate data. Default value: main
  Data Type                List of data types the Add-on collects.
  Global Account           The account configured on the “Configuration” page.
  Start Date               If you don't specify one, the Add-on collects data for the last 7 days. Provide the start time in the format YYYY-MM-DDTHH:MM:SSZ.

 

Installing and Configuring the Add-on in a Distributed Splunk Environment

The following is the matrix of apps to be deployed in Splunk’s distributed environment.

  App Name                               Search Head Instance   Indexer Instance   Forwarder Instance
  Egnyte Collaborate Add-on for Splunk   No                     No                 Yes

 

For information about distributed deployments for Splunk, please visit Splunk’s documentation:
https://docs.splunk.com/Documentation/Splunk/7.2.4/Deploy/Deploymentcharacteristics 

 

 

APPENDIX A: Various Possible Splunk Distributed Deployments

  • Indexer Clustering
    https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Aboutindexesandindexers
    https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Basicclusterarchitecture

  • Search Head Clustering
    http://docs.splunk.com/Documentation/Splunk/7.2.4/DistSearch/Configuresearchheadpooling

  • Multisite Clustering
    http://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Multisitearchitecture

 

APPENDIX B: Event data collection in Splunk

  • Index

In Splunk, all application event data is stored in indexes. It is good practice to create indexes when installing the apps before any app configuration is done. Egnyte Collaborate Add-on for Splunk uses the default Splunk indexes below:

 

  Index Name   Created in App/Manual                   Purpose/Type of Event Data
  main         Available as part of Splunk Framework   All of the event data from Egnyte Collaborate is indexed into Splunk in this index by default.

 

The above index will be used to collect data from the Egnyte Collaborate Add-on for Splunk. This index should not be cleaned; otherwise, the information will be lost.

  • Source type

Source types are default Splunk fields used to categorize and parse indexed data in an organized way. The table below shows how the Egnyte Collaborate-related event data is distributed across these fields.


Please read more about the default fields at:
https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Aboutdefaultfields

 

  Index Name   Source type                          Purpose/Type of event data
  main         egnyte:connect:audit:file            All the FILE_AUDIT events reported from Egnyte Collaborate are ingested into this sourcetype.
  main         egnyte:connect:audit:login           All the LOGIN_AUDIT events reported from Egnyte Collaborate are ingested into this sourcetype.
  main         egnyte:connect:audit:permission      All the PERMISSION_AUDIT events reported from Egnyte Collaborate are ingested into this sourcetype.
  main         egnyte:connect:audit:user            All the USER_AUDIT events reported from Egnyte Collaborate are ingested into this sourcetype.
  main         egnyte:connect:audit:wg_settings     All the WG_SETTINGS_AUDIT events reported from Egnyte Collaborate are ingested into this sourcetype.
  main         egnyte:connect:audit:group           All the GROUP_AUDIT events reported from Egnyte Collaborate are ingested into this sourcetype.
  main         egnyte:connect:audit:workflow        All the WORKFLOW_AUDIT events reported from Egnyte Collaborate are ingested into this sourcetype.
  _internal    ta:egnyteconnect:log                 All the logs from Egnyte Collaborate are ingested into this sourcetype.
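The input fields from step 10 (Interval, Index, Data Type, Start Date) and the index-to-sourcetype mapping in this appendix together determine what an administrator should expect to see in Splunk once an input is enabled. The Python helper below is an added example, not code from the add-on or from Egnyte. It models an input as a plain dict with hypothetical keys (interval, start_date, index, data_types), applies the defaults documented above (last 7 days when Start Date is empty, index main, recommended interval 300 s), rejects a malformed Start Date such as one with a stray space before the input is enabled and silently collects nothing, and returns the SPL searches an administrator would paste into Splunk to confirm that the expected sourcetypes are arriving and that the add-on's own log (ta:egnyteconnect:log, assumed here to be in Splunk's _internal index) shows no errors. The `earliest=` time format used in the search is standard Splunk syntax, not something taken from this page.

```python
"""Pre-flight check for an Egnyte Collaborate Add-on input.

Added example, not code from the add-on or from Egnyte. The input is modelled
as a plain dict with hypothetical keys (interval, start_date, index,
data_types); the add-on's own configuration storage is not reproduced.
"""
from datetime import datetime, timedelta, timezone

START_DATE_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # the documented YYYY-MM-DDTHH:MM:SSZ form
DEFAULT_LOOKBACK = timedelta(days=7)      # documented default when Start Date is empty
RECOMMENDED_INTERVAL = 300                # documented recommended interval (seconds)
SPLUNK_TIME_FORMAT = "%m/%d/%Y:%H:%M:%S"  # Splunk's default earliest=/latest= format

# Data Type -> sourcetype, taken from the Appendix B table.
SOURCETYPE_BY_DATA_TYPE = {
    "FILE_AUDIT": "egnyte:connect:audit:file",
    "LOGIN_AUDIT": "egnyte:connect:audit:login",
    "PERMISSION_AUDIT": "egnyte:connect:audit:permission",
    "USER_AUDIT": "egnyte:connect:audit:user",
    "WG_SETTINGS_AUDIT": "egnyte:connect:audit:wg_settings",
    "GROUP_AUDIT": "egnyte:connect:audit:group",
    "WORKFLOW_AUDIT": "egnyte:connect:audit:workflow",
}
ADDON_LOG_INDEX = "_internal"             # assumption: add-on logs go to _internal
ADDON_LOG_SOURCETYPE = "ta:egnyteconnect:log"


def parse_start_date(value, now=None):
    """Return the effective collection start as an aware UTC datetime.

    An empty value means "last 7 days", as the field table documents. Anything
    that does not match YYYY-MM-DDTHH:MM:SSZ (for example a stray space or a
    missing trailing Z) raises ValueError so the typo is caught early.
    """
    now = now or datetime.now(timezone.utc)
    if value is None or not value.strip():
        return now - DEFAULT_LOOKBACK
    try:
        parsed = datetime.strptime(value.strip(), START_DATE_FORMAT)
    except ValueError as exc:
        raise ValueError(
            f"Start Date {value!r} is not in YYYY-MM-DDTHH:MM:SSZ format"
        ) from exc
    return parsed.replace(tzinfo=timezone.utc)


def check_input(cfg, now=None):
    """Validate one input definition and return what an admin should expect.

    Hard errors (bad interval, unknown data type, malformed Start Date) raise
    ValueError; soft issues come back under "warnings". The returned SPL
    strings use only the index and sourcetype values documented on this page.
    """
    warnings = []
    interval = int(cfg.get("interval", RECOMMENDED_INTERVAL))
    if interval <= 0:
        raise ValueError("Interval must be a positive number of seconds")
    if interval < RECOMMENDED_INTERVAL:
        warnings.append(f"interval {interval}s is below the recommended {RECOMMENDED_INTERVAL}s")

    data_types = cfg.get("data_types") or []
    if not data_types:
        raise ValueError("at least one Data Type must be selected")
    unknown = sorted(set(data_types) - set(SOURCETYPE_BY_DATA_TYPE))
    if unknown:
        raise ValueError(f"unknown Data Type(s): {unknown}")

    start = parse_start_date(cfg.get("start_date"), now)
    index = (cfg.get("index") or "").strip() or "main"  # documented default index
    sourcetypes = sorted({SOURCETYPE_BY_DATA_TYPE[d] for d in data_types})

    # Search 1: confirm events for every selected data type arrive in the index.
    quoted = ", ".join('"%s"' % s for s in sourcetypes)
    verification_search = (
        'index="%s" sourcetype IN (%s) earliest="%s" | stats count by sourcetype'
        % (index, quoted, start.strftime(SPLUNK_TIME_FORMAT))
    )
    # Search 2: surface errors from the add-on's own log.
    health_search = 'index="%s" sourcetype="%s" ERROR | head 20' % (
        ADDON_LOG_INDEX, ADDON_LOG_SOURCETYPE)

    return {
        "interval": interval,
        "index": index,
        "effective_start": start.strftime(START_DATE_FORMAT),
        "expected_sourcetypes": sourcetypes,
        "verification_search": verification_search,
        "health_search": health_search,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample input: empty Start Date and Index, so the defaults apply.
    sample = {"interval": "300", "data_types": ["FILE_AUDIT", "LOGIN_AUDIT"],
              "index": "", "start_date": ""}
    for key, value in check_input(sample).items():
        print(f"{key}: {value}")
```

Run it once with the input you are about to enable; a ValueError on the Start Date is far cheaper than discovering, 300 seconds later, that the input is enabled but the sourcetype count in `main` stays at zero.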