Scrutinizer for Splunk Application

Overview

What does the Scrutinizer for Splunk Application do?

Splunk Searches from Scrutinizer Reports and Alarms

The following are the steps necessary to search Splunk’s database from Scrutinizer reports.

  1. Select a Scrutinizer report that includes IP addresses

    1. Select a host of interest and click on it
    2. Select ‘Other Options’ from the Reports menu
    3. Select ‘Search Splunk’
  2. The IP address and report timeframe are passed to Splunk’s search engine for detailed Splunk reporting.

For further details (from Splunk) on Scrutinizer Alarms, follow these steps.

  1. Go to the Alarms tab in Scrutinizer and select either:

    1. Bulletin Board by Violator

      1. Select the violator desired
    2. Bulletin Board by Policy

      1. Select the policy desired
  2. In the Bulletin Board Events view that opens, click on the dropdown arrow to the left of the Message column for the alarm selected.

  3. Select ‘Search Splunk’ from the Available Options menu and the Violator’s IP address and timeframe of the violation are passed to Splunk.

    • If the Violator’s IP address and a single alarm time (not a timeframe) are being passed, then the 30 minutes before and after the alarm time are searched.
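The handoff described in the two procedures above (report timeframe passed through unchanged; a bare alarm time widened by 30 minutes on either side) is modelled in this added example, which is not code from the Scrutinizer for Splunk Application. The SPL field names src_ip/dest_ip and the index name are assumptions; the host value is validated as an IP address before it is placed in the search.

```python
"""Model of the Scrutinizer -> Splunk search handoff (added example;
not code from the Scrutinizer for Splunk Application)."""
import ipaddress
from datetime import datetime, timedelta

ALARM_WINDOW = timedelta(minutes=30)  # documented: 30 min before and after an alarm time


def _to_epoch(iso_ts: str) -> int:
    """Parse an ISO-8601 timestamp; it must carry a UTC offset so the window is unambiguous."""
    ts = datetime.fromisoformat(iso_ts)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp lacks a timezone offset: {iso_ts}")
    return int(ts.timestamp())


def search_window(alarm_time=None, timeframe=None):
    """Return (earliest, latest) epoch seconds for the Splunk search.

    A report or alarm timeframe is passed through unchanged; a bare alarm
    time is widened by 30 minutes on either side, as the documentation states.
    """
    if (alarm_time is None) == (timeframe is None):
        raise ValueError("pass exactly one of alarm_time or timeframe")
    if timeframe is not None:
        start, end = (_to_epoch(t) for t in timeframe)
        if end < start:
            raise ValueError("timeframe end precedes its start")
        return start, end
    centre = _to_epoch(alarm_time)
    half = int(ALARM_WINDOW.total_seconds())
    return centre - half, centre + half


def build_splunk_search(host, earliest, latest, index="scrutinizer"):
    """Build a time-bounded SPL query for one host.

    The host is validated as an IP address, so a malformed value taken from
    an alarm cannot be spliced into the query. Field and index names are assumptions.
    """
    ip = ipaddress.ip_address(host)  # raises ValueError on anything that is not an IP
    return (f'search index={index} (src_ip="{ip}" OR dest_ip="{ip}") '
            f"earliest={earliest} latest={latest}")


if __name__ == "__main__":
    # Constructed sample: an alarm at 12:00 UTC involving 10.1.1.12 (placeholder address)
    e, l = search_window(alarm_time="2024-01-01T12:00:00+00:00")
    print(build_splunk_search("10.1.1.12", e, l))
```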

Scrutinizer Reporting from within Splunk

With the Scrutinizer for Splunk Application, dashboards can be set up which include:

  • Scrutinizer Vitals information
  • Flow Analytics TopN Algorithms

The Default Dashboard view for the Scrutinizer - Splunk Application is the Vitals information which includes:

  • CPU
  • Memory
  • Disk Usage
  • Flows per collector
  • Status per collector

Other Splunk menus can include links to the Scrutinizer tabs:

  • Dashboards
  • Maps
  • Status and Reports
  • Alarms
  • Admin and Settings

Additionally, panels can be created which are based on the TopN Algorithm gadgets from Flow Analytics:

  • Top Applications
  • Top Countries
  • Top Rev 2nd lvl Domains (Top reverse 2nd level domains)
  • Top Flows
  • Top Hosts
  • Top Jitter
  • Top Networks
  • and more…

Note

Clicking on any entities in the graphs or detail in a table report will run a Splunk search for that detail and time range. As mentioned earlier, those searches can also be initiated directly from Scrutinizer reports or alarms.

A menu can be added which consists of useful links on our website:

How to Configure Splunk Integration with Scrutinizer

There are two components to the Splunk Integration.

  • Preparing Scrutinizer
  • Installing the Scrutinizer for Splunk Application on Splunk

Preparing Scrutinizer

Note

Flow Analytics must be enabled and collecting statistics for the Top X Algorithms.

The following configuration instructions apply to Scrutinizer v16.7 and later. If an earlier version of Scrutinizer is installed, contact Plixer directly for assistance.

  1. Log on to the Scrutinizer server with administrative permissions

  2. To enable the Scrutinizer/Splunk integration, from the command line:

    1. Run:

      /home/plixer/scrutinizer/bin/scrut_util.exe

    2. At the SCRUTINIZER> prompt, run:

      SCRUTINIZER> enable splunk http://<ip:port> <syslog port>

      <ip:port> is the Splunk IP address and port

      <syslog port> is the port used to send syslogs to Splunk

After a few moments, Scrutinizer will begin to export data to Splunk.

Installing the Scrutinizer for Splunk Application on Splunk

The Scrutinizer for Splunk App displays details that have been collected and processed by Scrutinizer. For more information, visit Plixer’s Splunk Integration page.

  1. Download the Splunk Plugin using the link at the bottom of the Splunk Integration page.

  2. Log into Splunk

  3. Click “Apps > Manage Apps”

  4. Click “Install app from file”

  5. Click “Choose File” and locate the PlixerScrutinizerForSplunk.spl file within the Splunk Plugin file downloaded in Step 1.

    1. If upgrading the plugin, click the “Upgrade App” checkbox below the “Choose File” button.
  6. Click the “Upload” button.

  7. Follow the onscreen instructions and restart Splunk.

  8. Navigate to the “Apps > Manage Apps” menu.

  9. Locate the “Scrutinizer for Splunk” app in the list below and click the “View Objects” link associated with the application.

  10. Locate the “Default” link and click it.

  11. Replace the text “http://ADD_SCRUTINIZER_ADDR_HERE” with the link to the desired Scrutinizer server. (e.g. https://10.1.1.12:88)

  12. Click the “Save” button and then access the Scrutinizer application in the Apps menu.

After a few minutes, data will begin to show up in Splunk and the graphs will begin to fill in.