Overview
Egnyte Collaborate Add-on for Splunk provides insights based on incidents raised by chosen events in Egnyte's Collaborate product. This enables Splunk administrators to track enterprise-wide audit logs identified by Egnyte's Collaborate product directly through the Splunk App.
The Egnyte Collaborate TA (Technology Add-on) is downloadable from the Splunkbase portal and is installed and configured within Splunk. It fills the configured Splunk index with logs from Egnyte, making them searchable so users can build their own alerts and tables.
Egnyte Collaborate Add-on on Splunkbase
The bundle is available on Splunkbase for the Egnyte Collaborate Add-on for Splunk.
| Bundle Name | SplunkBase URL | Description |
| --- | --- | --- |
| Egnyte Collaborate Add-on for Splunk | | Egnyte Collaborate Add-on to ingest events into Splunk. |
Setting up the Egnyte Collaborate Add-on in Splunk Environment
Installing the App in Splunk
The Egnyte Collaborate Add-on lets you collect event data from the Egnyte Collaborate product.
Before setting up the app, ensure that all of the following requirements are met:
- Proper Splunk credentials (Admin)
- Egnyte Collaborate Access
- Splunk Enterprise 7.x and above
| Phase | Task | Description |
| --- | --- | --- |
| Install the Egnyte Collaborate Add-on in Splunk | Download the free Egnyte Collaborate Add-on from the Splunk App store and install it. | |
| Configure Egnyte Collaborate Add-on in Splunk | Configure Add-on in Splunk | Configure the Egnyte Collaborate Add-on in your Splunk instance so that Egnyte Collaborate can send data into it. |
Configuring Egnyte Apps
To configure the Egnyte Collaborate Add-on in a Splunk instance:
- Go to the Egnyte Collaborate Add-on.
- Click Configuration > Account > Add.
- Enter the account, domain, and client information. Egnyte Collaborate supports OAuth 2.0.
- Click the Generate Code link to begin the authorization process against the Egnyte Collaborate endpoint. This opens a new browser window in which Splunk can be authorized to ingest events.
| Field Name | Description |
| --- | --- |
| Account name | The logical name for the input. |
| Egnyte Domain | Egnyte domain for this account. |
| Client ID | Client ID for this account. |
| Generate Code | Generates the Authorization Code. |
| Client Secret | Client Secret for this account. |
| Authorization Code | Paste the code copied from the link. |
| Index | Index in which the Add-on collects Egnyte Collaborate data. Default value: main |
Follow the steps below to retrieve the Client ID and Client Secret:
- An Admin must register an application for their domain on this link. Under Register Your New Application, choose Public Available Application as Type, New App as Current User Base, and Other as Platform.
- The Egnyte domain you use for testing will be a trial domain. Customers can register for a trial domain if they do not already have one.
- Select the required Web APIs under Select which web APIs you will use.
- Enter Splunk Collaborate, Splunk S&G, or Splunk Collaborate and S&G in the Please describe what your application will do field.
- The Registered OAuth Redirect URI field can be left blank.
- Fill in the other details and click Register. The application goes through the verification process and is activated upon successful verification.
4. You will be asked for the Email ID and Password of an Egnyte account. Click Allow Access to authorize the Splunk App. The App must be authorized with an Admin account or a Power User account that has the Can Run Reports role; the account must not be a service account.
5. After you click Allow Access, a code is displayed that must be supplied back to the Splunk App. Click Copy.
6. Go back to the Splunk Add-on configuration page, fill in the remaining details, and click Add.
7. Click the Inputs tab.
8. All the inputs for the account are Disabled by default.
9. Click Action > Enable for each input that should be collected.
10. To update an input, click Action > Edit. The input box displays all the fields. Enter the information and click Update.
| Field Name | Description |
| --- | --- |
| Interval (in seconds) | Interval at which the Add-on is invoked to collect data from Egnyte Collaborate. Recommended value: 300 |
| Egnyte Domain | Egnyte domain for this account. |
| Index | Index in which the Add-on collects Egnyte Collaborate data. Default value: main |
| Data Type | List of data types the Add-on collects. |
| Global Account | The account configured on the Configuration page. |
| Start Date | Start time in the format YYYY-MM-DDTHH:MM:SSZ. Select a time up to 24 hours in the past. |
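As an added example (not code from the add-on or from Egnyte), the following Python pre-check enforces the two constraints the table places on Start Date: the UTC format YYYY-MM-DDTHH:MM:SSZ and a value no more than 24 hours in the past. The reference time and the candidate timestamps are constructed for the demo.

```python
"""Pre-check for the Start Date field of an Egnyte Collaborate Add-on input.

Added example, not code from the add-on: it enforces the two rules the
configuration table states for Start Date, the UTC format
YYYY-MM-DDTHH:MM:SSZ and a value no more than 24 hours in the past.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

START_DATE_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # YYYY-MM-DDTHH:MM:SSZ
MAX_LOOKBACK = timedelta(hours=24)

# Constructed reference time so the demo and checks are deterministic.
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)


def parse_start_date(value: str) -> datetime:
    """Parse a Start Date string into an aware UTC datetime.

    Raises ValueError if the value is not exactly in the required format;
    a missing 'Z' or a numeric offset such as +00:00 is rejected so that
    a local time is never silently treated as UTC.
    """
    if not value.endswith("Z"):
        raise ValueError("Start Date must end with 'Z' (UTC)")
    return datetime.strptime(value, START_DATE_FORMAT).replace(tzinfo=timezone.utc)


def validate_start_date(value: str, now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (ok, reason) for a candidate Start Date relative to `now` (aware UTC)."""
    now = now or datetime.now(timezone.utc)
    try:
        start = parse_start_date(value)
    except ValueError as exc:
        return False, f"malformed Start Date {value!r}: {exc}"
    if start > now:
        return False, "Start Date is in the future"
    if now - start > MAX_LOOKBACK:
        return False, "Start Date is more than 24 hours in the past"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates: valid, exactly 24h old, too old, future, two malformed.
    for candidate in ("2024-05-01T10:30:00Z", "2024-04-30T12:00:00Z",
                      "2024-04-30T11:59:59Z", "2024-05-01T13:00:00Z",
                      "2024-05-01 10:30:00", "2024-05-01T10:30:00+00:00"):
        print(f"{candidate:28} -> {validate_start_date(candidate, SAMPLE_NOW)}")
```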
Installing & Configuring the Add-on in a Distributed Splunk Environment
The following matrix shows which apps to deploy on each instance type in a distributed Splunk environment.
| App Name | Search Head Instance | Indexer Instance | Forwarder Instance |
| --- | --- | --- | --- |
| Egnyte Collaborate Add-on for Splunk | No | No | Yes |
For information about distributed deployments for Splunk, visit Splunk’s documentation:
https://docs.splunk.com/Documentation/Splunk/7.2.4/Deploy/Deploymentcharacteristics
APPENDIX A: Various Possible Splunk Distributed Deployments
Indexer Clustering
https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Aboutindexesandindexers
https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Basicclusterarchitecture
Search Head Clustering
http://docs.splunk.com/Documentation/Splunk/7.2.4/DistSearch/Configuresearchheadpooling
Multisite Clustering
http://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Multisitearchitecture
APPENDIX B: Event data collection in Splunk
Index
In Splunk, all application event data is stored in indexes. It is good practice to create indexes when installing the apps, before any app configuration is done. The Egnyte Collaborate Add-on for Splunk uses the default Splunk index below:
| Index Name | Created in App/Manual | Purpose/Type of Event Data |
| --- | --- | --- |
| main | Available as part of the Splunk framework | All event data from Egnyte Collaborate is indexed into this index by default. |
The above index is used to collect data from the Egnyte Collaborate Add-on for Splunk. This index should not be cleaned; otherwise, the information will be lost.
Source type
Source types are default Splunk fields used to categorize and parse indexed data in an organized way. The table below shows how Egnyte Collaborate-related event data is distributed across these fields.
Please read more about the default fields at:
https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Aboutdefaultfields
| Index Name | Source type | Purpose/Type of event data |
| --- | --- | --- |
| main | egnyte:connect:audit:file | All FILE_AUDIT events reported from Egnyte Collaborate are ingested into this source type. |
| main | egnyte:connect:audit:login | All LOGIN_AUDIT events reported from Egnyte Collaborate are ingested into this source type. |
| main | egnyte:connect:audit:permission | All PERMISSION_AUDIT events reported from Egnyte Collaborate are ingested into this source type. |
| main | egnyte:connect:audit:user | All USER_AUDIT events reported from Egnyte Collaborate are ingested into this source type. |
| main | egnyte:connect:audit:wg_settings | All WG_SETTINGS_AUDIT events reported from Egnyte Collaborate are ingested into this source type. |
| main | egnyte:connect:audit:group | All GROUP_AUDIT events reported from Egnyte Collaborate are ingested into this source type. |
| main | egnyte:connect:audit:workflow | All WORKFLOW_AUDIT events reported from Egnyte Collaborate are ingested into this source type. |
| _internal | ta:egnyteconnect:log | All the logs from Egnyte Collaborate are ingested into this source type. |