Release Date: Egnyte Collaborate Add-on for Splunk v1.0.0; July 19, 2021
Overview
Egnyte Collaborate Add-on for Splunk provides insight into the incidents raised by selected events in Egnyte's Collaborate product. This lets Splunk administrators track the enterprise-wide audit logs recorded by Egnyte Collaborate directly from the Splunk App.
The Egnyte Collaborate TA (Technology Add-on) is downloadable from the Splunkbase portal and is installed and configured within the Splunk App. Once configured, it populates the Splunk index with logs from Egnyte, making them searchable in Splunk so that users can create their own alerts and tables.
Egnyte Collaborate Add-on on Splunkbase
The bundle is available on Splunkbase for the Egnyte Collaborate Add-on for Splunk.
Bundle Name | SplunkBase URL | Description
--- | --- | ---
Egnyte Collaborate Add-on for Splunk | | Egnyte Collaborate Add-on to ingest events into Splunk.
Setting up the Egnyte Collaborate Add-on in Splunk Environment
Installing the App in Splunk
The Egnyte Collaborate Add-on lets you collect event data from the Egnyte Collaborate product.
Before you set up the app, ensure that you meet all of the following requirements:
- Proper Splunk credentials (Admin)
- Egnyte Collaborate Access
- Splunk Enterprise 7.x and above
Phase | Task | Description
--- | --- | ---
Install the Egnyte Collaborate Add-on in Splunk | Download the free Egnyte Collaborate Add-on from the Splunk App store and install it. |
Configure Egnyte Collaborate Add-on in Splunk | Configure Add-on in Splunk | You must configure the Egnyte Collaborate Add-on in your Splunk instance for Egnyte Collaborate to send data into your Splunk instance.
Configuring Egnyte Apps
Configure Egnyte Collaborate Add-on in a Splunk Instance
1. Go to the Egnyte Collaborate Add-on.
2. Click Configuration > Account > Add.
3. First, enter the account name, Egnyte domain, and client information. Egnyte Collaborate supports OAuth 2.0. To begin the authorization process, click “Generate Code” to reach the Egnyte Collaborate authorization endpoint. This opens a new browser window in which you authorize Splunk to ingest events.
Field Name | Description
--- | ---
Account name | The logical name for the input.
Egnyte Domain | Egnyte domain for this account.
Client ID | Client ID for this account.
Generate Code | Opens the Egnyte authorization page that generates the Authorization Code.
Client Secret | Client Secret for this account.
Authorization Code | Paste the code copied from the authorization page.
Index | Index into which the Add-on writes Egnyte Collaborate data. Default value: main
To retrieve your Client ID and Client Secret, please reach out to our team at splunk@egnyte.com
4. Egnyte prompts for the email ID and password of an Egnyte account. Click “Allow” to authorize the Splunk App. You must authorize with a full Admin account (not a service account).
5. After you click Allow, Egnyte displays a code that must be supplied back to the Splunk App. Click Copy.
6. Return to the Splunk Add-on configuration page, fill in the remaining details, and click Add.
7. Click the Inputs tab.
8. All inputs for the account are initially “Disabled”.
9. Click Action > Enable for each input you want to collect.
10. To update an input, click Action > Edit. The input dialog displays all of the fields; change the values you want to update and click Update.
Field Name | Description
--- | ---
Interval (in seconds) | The interval at which the Add-on is invoked to collect data from Egnyte Collaborate. Recommended value: 300
Egnyte Domain | Egnyte domain for this account.
Index | Index into which the Add-on writes Egnyte Collaborate data. Default value: main
Data Type | List of data types the Add-on collects.
Global Account | The account configured on the “Configuration” page.
Start Date | Provide the start time in the format YYYY-MM-DDTHH:MM:SSZ. Select a time up to 24 hours in the past.
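As an added example (not part of this documentation and not the add-on's own code), the following Python checks the two constraints the table above states for an input before it is saved: Interval must be a positive whole number of seconds (300 is the recommended value), and Start Date must be in the YYYY-MM-DDTHH:MM:SSZ format, not in the future, and no more than 24 hours in the past. The function names, the fixed reference time EXAMPLE_NOW, and the exact error messages are assumptions made for this example.

```python
"""Validate the Egnyte Collaborate Add-on input fields (Interval, Start Date).

Added example, not the add-on's own code. Function names, EXAMPLE_NOW and the
error messages are assumptions made here; the constraints come from the docs.
"""
from datetime import datetime, timedelta, timezone

START_DATE_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # YYYY-MM-DDTHH:MM:SSZ, UTC ("Z")
RECOMMENDED_INTERVAL = 300                  # seconds, per the documentation
MAX_LOOKBACK = timedelta(hours=24)          # "Select up to the past 24 hours"

# Constructed reference time so the checks below are repeatable offline.
EXAMPLE_NOW = datetime(2021, 7, 19, 12, 0, 0, tzinfo=timezone.utc)


def validate_interval(value):
    """Return the interval as an int, or raise ValueError."""
    try:
        seconds = int(str(value).strip())
    except ValueError:
        raise ValueError(f"Interval must be an integer number of seconds, got {value!r}")
    if seconds <= 0:
        raise ValueError("Interval must be greater than zero")
    return seconds


def validate_start_date(value, now=None):
    """Parse Start Date and return a timezone-aware UTC datetime.

    Rejects values not in the documented format, values in the future, and
    values more than 24 hours before `now`.
    """
    now = now or datetime.now(timezone.utc)
    try:
        parsed = datetime.strptime(value.strip(), START_DATE_FORMAT)
    except ValueError:
        raise ValueError(f"Start Date must look like YYYY-MM-DDTHH:MM:SSZ, got {value!r}")
    parsed = parsed.replace(tzinfo=timezone.utc)  # trailing "Z" means UTC
    if parsed > now:
        raise ValueError("Start Date is in the future")
    if now - parsed > MAX_LOOKBACK:
        raise ValueError("Start Date must be within the past 24 hours")
    return parsed


def check_input(start_date, interval=RECOMMENDED_INTERVAL, now=None):
    """Validate both fields; return a dict of field -> error (empty means OK)."""
    errors = {}
    try:
        validate_interval(interval)
    except ValueError as exc:
        errors["interval"] = str(exc)
    try:
        validate_start_date(start_date, now)
    except ValueError as exc:
        errors["start_date"] = str(exc)
    return errors


if __name__ == "__main__":
    # Constructed sample values: one valid, one too far back, one malformed.
    for start, interval in [("2021-07-19T00:00:00Z", "300"),
                            ("2021-07-17T00:00:00Z", "300"),
                            ("2021-07-19 00:00:00", "0")]:
        print(start, interval, "->", check_input(start, interval, EXAMPLE_NOW) or "OK")
```

The 24-hour window is measured against the current UTC time, so a value that was valid when typed can be rejected if the form is submitted much later; re-enter the Start Date in that case.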
Installing & Configuring the Add-on in a Distributed Splunk Environment
The following matrix shows which instances the app is deployed to in a distributed Splunk environment.
App Name | Search Head Instance | Indexer Instance | Forwarder Instance
--- | --- | --- | ---
Egnyte Collaborate Add-on for Splunk | No | No | Yes
For information about distributed deployments for Splunk, please visit Splunk’s documentation:
https://docs.splunk.com/Documentation/Splunk/7.2.4/Deploy/Deploymentcharacteristics
APPENDIX A: Various Possible Splunk Distributed Deployments
- Indexer Clustering
  https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Aboutindexesandindexers
  https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Basicclusterarchitecture
- Search Head Clustering
  http://docs.splunk.com/Documentation/Splunk/7.2.4/DistSearch/Configuresearchheadpooling
- Multisite Clustering
  http://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/Multisitearchitecture
APPENDIX B: Event data collection in Splunk
- Index
In Splunk, all application event data is stored in indexes. It is good practice to create indexes when installing the apps, before any app configuration is done. Egnyte Collaborate Add-on for Splunk uses the default Splunk index below:
Index Name | Created in App/Manual | Purpose/Type of Event Data
--- | --- | ---
main | Available as part of the Splunk framework | All of the event data from Egnyte Collaborate is indexed into Splunk in this index by default.
The above index is used to collect data from the Egnyte Collaborate Add-on for Splunk. This index should not be cleaned; otherwise, the information will be lost.
- Source type
Source type is one of the default Splunk fields used to categorize and parse indexed data in an organized way. The table below shows how the Egnyte Collaborate-related event data is distributed across these fields.
Please read more about the default fields at:
https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Aboutdefaultfields
Index Name | Source type | Purpose/Type of event data
--- | --- | ---
main | egnyte:connect:audit:file | All the FILE_AUDIT events reported from Egnyte Collaborate are ingested into this source type.
main | egnyte:connect:audit:login | All the LOGIN_AUDIT events reported from Egnyte Collaborate are ingested into this source type.
main | egnyte:connect:audit:permission | All the PERMISSION_AUDIT events reported from Egnyte Collaborate are ingested into this source type.
main | egnyte:connect:audit:user | All the USER_AUDIT events reported from Egnyte Collaborate are ingested into this source type.
main | egnyte:connect:audit:wg_settings | All the WG_SETTINGS_AUDIT events reported from Egnyte Collaborate are ingested into this source type.
main | egnyte:connect:audit:group | All the GROUP_AUDIT events reported from Egnyte Collaborate are ingested into this source type.
main | egnyte:connect:audit:workflow | All the WORKFLOW_AUDIT events reported from Egnyte Collaborate are ingested into this source type.
_internal | ta:egnyteconnect:log | All logs from the Egnyte Collaborate Add-on are ingested into this source type.