Tips for Splunk integration with STIG automation compliance software
By Joe Montgomery
If you have Splunk currently deployed in your environment, you should already be aware of the platform’s expansive capabilities, but if you have not integrated your reports with Splunk, there are some key benefits of integrating the two that could make your life easier at auditing time. This article will go over a few tips for Splunk integration with STIG automation compliance software such as ConfigOS, what to watch out for, and some recommendations based on my time with the two platforms.
Regular Expressions Are Your Friend
Learn to love regular expressions; they are a powerful tool for grabbing the data you seek when searching. Whether you need to grab ConfigOS reports with similar compliance results or are looking for a specific endpoint by name or IP address, a regular expression will be able to find it if it is formatted correctly. To expand on that last point about formatting, the most helpful tool for writing regular expressions is Regex101. This is a free online tool that will help you format and, more importantly, test your regex statements to make sure they are grabbing the correct data. Here is a link to the tool: https://regex101.com.
To Forward Data…and Beyond!
The universal forwarder is the best way to get data into Splunk when using STIG remediation software such as ConfigOS. The setup is relatively straightforward, and all that is required is to point the forwarder at your central Splunk instance. The forwarder allows you to have Splunk installed on a Linux distro while running STIG automation software on a Windows machine. In general, it will allow you to distribute workloads across your environment correctly. One thing to keep in mind when configuring your data inputs in Splunk is that Splunk will not pull in files whose paths are longer than the 256 character limit in Windows. For any files that are longer than 256 characters, Splunk will bypass the files and not ingest them. Splunk will not recognize long path support, which is part of recent Windows releases, and will bypass those files. The easiest way to tell if you're running into this issue with a set of reports not being pulled into Splunk is to try renaming the files themselves by adding a “1” at the end; Windows should show an error saying that the path is too long.
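Renaming files one at a time does not scale to a full report directory. The script below is an added example, not part of the original article and not a Splunk or SteelCloud tool: it walks a directory and lists every file whose full path exceeds the limit, grouped by folder, with the number of characters that must be trimmed. The 256 figure comes from the article; the `D:\ConfigOS\Reports` sample paths are constructed for illustration.

```python
import ntpath
import os
import sys
from collections import defaultdict

PATH_LIMIT = 256  # limit as stated in the article; change it if yours differs


def audit_paths(paths, limit=PATH_LIMIT):
    """Map each parent directory to [(excess_chars, file_name), ...] for
    every full path longer than `limit`, worst offender first."""
    report = defaultdict(list)
    for path in paths:
        excess = len(path) - limit
        if excess > 0:
            parent, name = ntpath.split(path)  # splits on '\' on any OS
            report[parent].append((excess, name))
    return {d: sorted(v, reverse=True) for d, v in sorted(report.items())}


def walk_files(root):
    """Yield the full path of every file under `root`."""
    root = os.path.abspath(root)
    prefix = ""
    if os.name == "nt" and not root.startswith("\\\\"):
        # Extended-length prefix so the walk itself can reach long paths;
        # it is stripped again so reported lengths match what Explorer shows.
        prefix = "\\\\?\\"
    for dirpath, _dirs, files in os.walk(prefix + root):
        for name in files:
            yield os.path.join(dirpath, name)[len(prefix):]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = walk_files(sys.argv[1])  # e.g. the directory the forwarder monitors
    else:
        base = "D:\\ConfigOS\\Reports\\"  # constructed sample paths
        found = [base + "host01.xml", base + "h" * 240 + ".xml"]
    for parent, files in audit_paths(found).items():
        print(parent)
        for excess, name in files:
            print(f"  +{excess} chars over: {name}")
```

Run it with the monitored report directory as the only argument; any folder it prints is a candidate for a shorter directory name or shorter report file names.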
Don’t get stuck in the “GUI” properties
When configuring properties within Splunk, in most instances where you need to add settings to a source type, index, or data input, it is best to make the changes directly in the local files that control which properties are set. When changing the advanced properties of a source type, the GUI will look like it is saving what you are changing, but when you go back to double-check your changes, some of the settings will have disappeared. Editing the files directly is also a good sanity check to verify that your changes were made with the proper syntax. Upon startup, Splunk will run a check on all of its properties and input files to ensure the syntax is correct and that it understands what configurations are set.
These tips and tricks should help you on your journey with Splunk integration with STIG compliance automation software such as ConfigOS!
About the author:
Joe recently joined SteelCloud as an Implementation Specialist to assist customers with their implementation and automation needs and help them effectively utilize SteelCloud’s ConfigOS software. Joe has spent the bulk of his decade-long career in the MSP field, where he maintained infrastructure and innovated solutions for the SMB market as well as enterprise-level businesses.