Improving BigFix integration with Splunk

jmaple 2017-10-10 15:11:57 UTC #1

Greetings Programs!

It’s been a while since I’ve been around and that’s because I’ve had a job change in these past few months. With this change comes some time on my hands and with that time, I believe I want to improve integration with BigFix and Splunk.

Currently Splunk has a Splunk for BigFix app on Splunkbase that uses Python scripts to query the Web Reports SOAP API for deployment information. While this app does bring in information, I feel there is a much better way to do it using the REST API as well as adding the potential for automatic actions to be kicked off from analytic results from Splunk directly.

Is this something that the BigFix community would be interested in seeing? I know that my previous experience with the Splunk app was that while the information was basically just a host dump with some properties attached, I always felt there was more that was unexplored because the versions of BigFix and Splunk were many years ago when the apps and scripts were developed.

Sean 2017-10-11 18:08:19 UTC #2

Welcome back! Due to my lack of experience with it, I always love seeing more REST API info / posts. I have seen a few posts about Splunk also, so I’m sure people would find it useful.

Bighize65 2017-10-26 18:32:36 UTC #3

I would also like more information on this. I have a client looking to utilize this and I don’t have any experience with putting splunk and bigfix together.

jgstew 2018-04-10 19:48:36 UTC #4

Many BigFix customers have said they are interested in this. There are different possible integration points between BigFix & Splunk.

One is using BigFix to get Asset Info for Splunk.

Another would be to use BigFix as a possible source for events in splunk.

Another is analyses in BigFix to audit the status of splunk on systems where it is installed. (what versions, is it running properly and communicating?, is it configured for X/Y/Z?)

Another is using BigFix to install/update/manage/configure splunk clients / forwarders / servers / etc…

Examples:

How to configure splunk with Bigfix & syslog connector

jmaple 2018-08-13 02:17:41 UTC #5

Bringing this thread back up, I wonder if I could ask the BigFix community for some assistance.

The development of this integration would work best if I had as many sources of information with a plethora of events as possible. The different components of BigFix contain a lot of information and will help us paint a great picture of the health of BigFix.

To the community, if you are willing to do it, provide me some log samples of BigFix clients, server logs, audit logs, relay logs, download plug-in logs, web reports logs, and any other logs you may stumble across relating to BigFix.

I strongly recommend the longs are sanitized to remove any trace of where it came from.

Please send any sanitized samples to jimmy at splunk dot com.

jmaple 2018-10-19 00:53:11 UTC #6

Hitting this thread again to feel the room.

I believe I have a pretty boilerplate app ready that is used just for bringing in most of the flat logs as well as a REST API call that collects the hosts of a deployment with their DNS name, IP addresses, and, if available, the MAC addresses of the network adapaters of hosts.

I need to do some finishing touches with eventtypes and tagging for events in the flat logs but I’m hoping to have it ready by Thanksgiving.

jmaple 2018-11-17 15:48:47 UTC #7

BigFix Technical Add-on for Splunk (1.0.0) is now available.

Coordination between BigFix and Splunk administrators is a really good idea. Check out the README for installation and configuration requirements.

Currently the add-on does NOT contain any eventtypes or tagging for CIM compliance but that is hopefully coming by the end of the year or early next year.

Feel free to contact me or reply here with issues.