Improving BigFix integration with Splunk

Greetings Programs!

It’s been a while since I’ve been around and that’s because I’ve had a job change in these past few months. With this change comes some time on my hands and with that time, I believe I want to improve integration with BigFix and Splunk.

Currently Splunk has a Splunk for BigFix app on Splunkbase that uses Python scripts to query the Web Reports SOAP API for deployment information. While this app does bring in information, I feel there is a much better way to do it using the REST API as well as adding the potential for automatic actions to be kicked off from analytic results from Splunk directly.

Is this something that the BigFix community would be interested in seeing? I know that my previous experience with the Splunk app was that while the information was basically just a host dump with some properties attached, I always felt there was more that was unexplored because the versions of BigFix and Splunk were many years ago when the apps and scripts were developed.

6 Likes

Welcome back! Due to my lack of experience with it, I always love seeing more REST API info / posts. I have seen a few posts about Splunk also, so I’m sure people would find it useful.

2 Likes

I would also like more information on this. I have a client looking to utilize this and I don’t have any experience with putting splunk and bigfix together.

2 Likes

Many BigFix customers have said they are interested in this. There are different possible integration points between BigFix & Splunk.

One is using BigFix to get Asset Info for Splunk.

Another would be to use BigFix as a possible source for events in splunk.

Another is analyses in BigFix to audit the status of splunk on systems where it is installed. (what versions, is it running properly and communicating?, is it configured for X/Y/Z?)

Another is using BigFix to install/update/manage/configure splunk clients / forwarders / servers / etc…

Examples:

Related:

4 Likes

Bringing this thread back up, I wonder if I could ask the BigFix community for some assistance.

The development of this integration would work best if I had as many sources of information with a plethora of events as possible. The different components of BigFix contain a lot of information and will help us paint a great picture of the health of BigFix.

To the community, if you are willing to do it, provide me some log samples of BigFix clients, server logs, audit logs, relay logs, download plug-in logs, web reports logs, and any other logs you may stumble across relating to BigFix.

I strongly recommend the logs are sanitized to remove any trace of where they came from.

Please send any sanitized samples to jimmy at splunk dot com.

7 Likes

Hitting this thread again to feel the room.

I believe I have a pretty boilerplate app ready that is used just for bringing in most of the flat logs as well as a REST API call that collects the hosts of a deployment with their DNS name, IP addresses, and, if available, the MAC addresses of the network adapters of hosts.

I need to do some finishing touches with eventtypes and tagging for events in the flat logs but I’m hoping to have it ready by Thanksgiving.

7 Likes
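To make the REST-API inventory call described above concrete, here is an added example (not code from the add-on or from the poster) that builds the query, parses a BigFix REST `/api/query` response into one record per computer, and serialises those records as JSON lines for Splunk. The session-relevance expression, the `<Error>` element location and the sample response below are assumptions modelled on the BESAPI XML format; the sample XML is constructed, not captured from a real deployment.

```python
"""Pull endpoint inventory from the BigFix REST API for Splunk ingestion.
Added example for this thread; not the TA-bigfix add-on's own code.

Assumed (not stated in the thread): GET https://<root>:52311/api/query?relevance=...
with HTTP basic auth, a <Query>/<Result>/<Tuple>/<Answer> response body, and
a <Query>/<Error> element when the relevance does not evaluate.
"""
import base64
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Assumed session relevance: one tuple (id, name, ips, macs) per BES computer.
RELEVANCE = (
    '(id of it, name of it, '
    'concatenation ";" of (ip addresses of it as string), '
    'concatenation ";" of (mac addresses of it as string)) of bes computers'
)


def build_query_url(server, relevance=RELEVANCE, port=52311):
    """Percent-encode the relevance (spaces as %20, not '+') for /api/query."""
    return "https://%s:%d/api/query?relevance=%s" % (
        server, port, urllib.parse.quote(relevance, safe=""))


def query_error(xml_bytes):
    """Return the server's error text for a failed query, or None on success."""
    root = ET.fromstring(xml_bytes)
    err = root.find("./Query/Error")
    return (err.text or "").strip() if err is not None else None


def parse_query_result(xml_bytes):
    """Turn a BESAPI query response into a list of per-computer dicts."""
    err = query_error(xml_bytes)
    if err is not None:
        raise ValueError("BigFix query error: " + err)
    result = ET.fromstring(xml_bytes).find("./Query/Result")
    if result is None:
        raise ValueError("no <Result> element in response")
    events = []
    for tup in result.findall("Tuple"):
        answers = [a.text or "" for a in tup.findall("Answer")]
        cid, name, ips, macs = (answers + [""] * 4)[:4]   # pad short tuples
        events.append({
            "computer_id": int(cid) if cid.isdigit() else cid,
            "dns_name": name,
            "ip": [x for x in ips.split(";") if x],
            "mac": [x for x in macs.split(";") if x],
        })
    return events


def to_json_lines(events, source_host):
    """One JSON object per line, the shape Splunk's JSON sourcetype indexes."""
    return "\n".join(json.dumps(dict(e, bes_server=source_host), sort_keys=True)
                     for e in events)


def fetch_inventory(server, user, password, cafile=None, timeout=60):
    """Run the query over HTTPS. cafile should hold the root server's own
    certificate (PEM) so verification is real rather than disabled."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(build_query_url(server))
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as e:
        body = e.read()   # assumption: a 400 still carries the BESAPI <Error> body
    return parse_query_result(body)


# Constructed sample response (not from a real server), in BESAPI layout.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<BESAPI xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="BESAPI.xsd">
  <Query Resource="(id of it, name of it, ...) of bes computers">
    <Result>
      <Tuple>
        <Answer type="integer">1234567</Answer>
        <Answer type="string">ws01.corp.example</Answer>
        <Answer type="string">10.1.2.3;fe80::1</Answer>
        <Answer type="string">00-11-22-33-44-55</Answer>
      </Tuple>
      <Tuple>
        <Answer type="integer">7654321</Answer>
        <Answer type="string">srv02.corp.example</Answer>
        <Answer type="string">10.1.9.9</Answer>
        <Answer type="string"></Answer>
      </Tuple>
    </Result>
    <Evaluation><Time>12.3ms</Time><Plurality>Plural</Plurality></Evaluation>
  </Query>
</BESAPI>"""

# Constructed error response for a relevance expression that fails to parse.
SAMPLE_ERROR = (b'<BESAPI><Query Resource="bogus relevance">'
                b'<Error>Syntax error: Expected expression</Error></Query></BESAPI>')

if __name__ == "__main__":
    print(to_json_lines(parse_query_result(SAMPLE_RESPONSE), "bes.example"))
```

Splitting the parser from the network call is what lets you exercise the XML handling offline and, at scale, swap `fetch_inventory` for a batched or scheduled collector without touching the event shape.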

BigFix Technical Add-on for Splunk (1.0.0) is now available.

Coordination between BigFix and Splunk administrators is a really good idea. Check out the README for installation and configuration requirements.

Currently the add-on does NOT contain any eventtypes or tagging for CIM compliance but that is hopefully coming by the end of the year or early next year.

Feel free to contact me or reply here with issues.

8 Likes

Greetings once again, BigFixers!

Over the past year I’ve been doing a lot of personal development on this add-on and have found the current implementation works well in smaller environments but tends to struggle at larger scales. Further development is going on now to try to deal with the scale issues for the larger customers. Depending on the drive for customers in larger environments wanting to ingest data from more than 50k endpoints, another add-on may be introduced or this one will be updated with a new version that is compatible with larger environments.

The current version of the add-on should work comfortably in environments with ~10,000 endpoints but the higher the number of endpoints is, the higher chance the queries will start to fail or cause other issues. So to get a gauge on scale, if you want to use the add-on, I’d like to get a rough estimate on how many endpoints are in environments this could go into so please answer the poll.

How many endpoints are in your environment?

  • 1-99
  • 100-4999
  • 5000-19999
  • 20000-49999
  • 50000+


We’re new to BigFix, but are very interested to add this integration as we get started.

Hi Jmaple,

I need the Splunk app for BigFix. Earlier it was available in the Splunk app store (the same link you shared), but now it is not available. Can you please help me find the Splunk app for BigFix? Is there any new link or new app?

I believe this was due to the version of Splunk the app was configured to be “compatible” with. I believe it’s automatic based on versions of Splunk coming to EOL. Let me see what I can do.

EDIT: I forgot that I took 6.0.1 (the last version on Splunkbase before it was removed) and created a tree of it in my Git that I’m working to update.

I would recommend NOT using the updated version (7.0.0) as the data that backs it uses the TA that’s being reworked at the moment. But if you’re just looking for 6.0.1, the link above should be what you need.

2 Likes

Hi jmaple,

I am trying to use your TA-bigfix app and am running in to some issues. I am unable to open the app after installing. I receive the dreaded horse-man error page: “Oops.
An error occurred while reading the page template. See web_service.log for more details Click here to return to Splunk homepage”

The only related entries in the web_service.log related to the request IDs are:
view:1054 - bypass module system fast path

Right now we are on Splunk 7.2.3. I have removed the app and re-downloaded/reinstalled.

Any ideas or suggestions?

The name of the TA has to have the “master” part removed. If you remove that, you should see what you’re looking for. The app in the apps directory should just be “TA-bigfix”.

1 Like

Thanks, so much. That worked! I appreciate the quick response.

Is there any available solution for Splunk 7.0.0+

thanks! works.

I see in the Splunk logs
"SSLHandshakeError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)"

Does this need to be resolved for data collection into Splunk work?

You may see that message but you should still get data indexed appropriately. Do you not see any data?

no. Index is still at zero events.

Setting logging to Debug

The workaround we use for this would be to add the certificate being presented at the time of connection to a file with a list of trusted certificates.

/opt/splunk/etc/apps/TA-bigfix/bin/ta_bigfix/httplib2

  1. Export your certificate via a web browser or openssl. Splunk comes with openssl embedded in the software so you could use that in tandem with this post to export it to your host
  2. Add the raw certificate in the same format as the others to the bottom of the file above and see if that solves your issue.

Let me know if you need further assistance.
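The workaround above appends the presented certificate to the add-on's httplib2 trust file. Since the add-on will, per a later post in this thread, connect anyway when the certificate is untrusted, it is worth checking the certificate's fingerprint against a value obtained out of band from the BES administrator before trusting it. The following is an added example (not the add-on's code or the poster's) that does that check and the append; the bundle path and its layout as a plain concatenation of PEM blocks are assumptions, and the sample "certificate" is constructed from arbitrary bytes so the block runs offline.

```python
"""Pin the BES root server certificate before adding it to a PEM bundle.
Added example for this thread; not part of TA-bigfix.

Assumed: the httplib2 trust file (the thread names
/opt/splunk/etc/apps/TA-bigfix/bin/ta_bigfix/httplib2/cacerts.txt) is a
sequence of PEM certificate blocks with nothing else required between them.
"""
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def fingerprint(pem):
    """SHA-256 over the DER bytes, formatted like
    `openssl x509 -noout -fingerprint -sha256` (colon-separated, upper case)."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return ":".join("%02X" % b for b in hashlib.sha256(der).digest())


def matches(pem, expected_fp):
    """True when the PEM's fingerprint equals the one confirmed out of band."""
    return fingerprint(pem) == expected_fp.upper().strip()


def bundle_fingerprints(bundle_text):
    """Fingerprints of every certificate already present in the bundle."""
    return {fingerprint(m.group(0)) for m in PEM_BLOCK.finditer(bundle_text)}


def add_to_bundle(bundle_text, pem, expected_fp):
    """Return (new_bundle_text, added). Refuses a certificate whose
    fingerprint does not match; skips one that is already in the bundle."""
    if not matches(pem, expected_fp):
        raise ValueError("certificate fingerprint %s does not match expected %s"
                         % (fingerprint(pem), expected_fp))
    if fingerprint(pem) in bundle_fingerprints(bundle_text):
        return bundle_text, False
    sep = "" if (not bundle_text or bundle_text.endswith("\n")) else "\n"
    return bundle_text + sep + pem.strip() + "\n", True


def fetch_server_pem(host, port=52311):
    """Network helper: the leaf certificate the server presents, unvalidated.
    Fingerprint it and compare with the administrator's value; never append
    it on the strength of the connection alone."""
    return ssl.get_server_certificate((host, port))


# Constructed stand-in: PEM framing around arbitrary bytes, NOT a real
# certificate. Enough to exercise fingerprinting and bundle handling offline.
CONSTRUCTED_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-bytes-not-a-certificate")

if __name__ == "__main__":
    fp = fingerprint(CONSTRUCTED_PEM)
    bundle, added = add_to_bundle("", CONSTRUCTED_PEM, fp)
    print(fp, added, len(bundle))
```

In practice you would run `fetch_server_pem`, print `fingerprint(...)`, have the BigFix administrator confirm it from the root server itself, and only then call `add_to_bundle` and write the result back to the trust file; a fingerprint that does not match is the signal that something between Splunk and the root server is terminating TLS.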

I found that the BES server does not have a cert installed. Working to correct that. The log does seem to say that the connection should still be made.

“…is not trusted, this add-on will proceed to connect with this certificate.”

Otherwise I see from the log that port 52311 is being used, but I don’t see comm between splunk and BigFix using that port. I do see a variety of other ports being used.

Does 52311 need to be opened on the firewall?

+++++++++++++++++++++++++++++++++++++++++++

The response status=400 for request which url=https://xxxxxxxxxxxxx/:52311/api/query?

+++++++++++++++++++++++++++++++++++++++++++++
Creation Time Sender Facility Situation Action Src Addr Dst Addr Service IP Protocol Src Port Dst Port Network Application User Anomalies Severity Rule Tag Nat Rule Tag Nat Src Nat Dst Nat Src Port Nat Dst Port Logical Interface Physical Interface Src IF Src VLAN Protocol Agent Alert Syslog ICMP Type ICMP Code ICMP Id Inbound SPI Round Trip Elapsed Time Bytes Sent Bytes Rcvd Event Information Message
2019-11-13 12:09:24 xxxxxxxxxxxxxxxxx Inspection TLS_Certificate-Verify-Failed Permit xxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxx gTCP_Bigfix_63422 TCP 54886 63422 Untrusted-Generic-TLS Low 1228.0 Interface #6 801
2019-11-13 12:09:41 xxxxxxxxxxxxxxxxx Packet Filtering Connection_Closed xxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxx gTCP_Bigfix_63422 TCP 54886 63422 Untrusted-Generic-TLS 1974.5 Interface #6 801 17s 3556 2931 Connection closed Connection was reset by client
2019-11-13 12:09:57 xxxxxxxxxxxxxxxxx Packet Filtering Connection_Allowed Allow xxxxxxxxxxxxxxxxx 1xxxxxxxxxxxxxxxxx gTCP_Bigfix_63422 TCP 54967 63422 1974.5 Interface #6 801 New connection
2019-11-13 12:09:57 xxxxxxxxxxxxxxxxx Packet Filtering Connection_Closed xxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxx gTCP_Bigfix_63422 TCP 54967 63422 Generic-Web-HTTP 1974.5 Interface #6 801 0s 731 1188 Connection closed