Improving BigFix integration with Splunk

jmaple 2017-10-10 15:11:57 UTC #1

Greetings Programs!

It’s been a while since I’ve been around and that’s because I’ve had a job change in these past few months. With this change comes some time on my hands and with that time, I believe I want to improve integration with BigFix and Splunk.

Currently Splunk has a Splunk for BigFix app on Splunkbase that uses Python scripts to query the Web Reports SOAP API for deployment information. While this app does bring in information, I feel there is a much better way to do it using the REST API as well as adding the potential for automatic actions to be kicked off from analytic results from Splunk directly.

Is this something that the BigFix community would be interested in seeing? I know that my previous experience with the Splunk app was that while the information was basically just a host dump with some properties attached, I always felt there was more that was unexplored because the versions of BigFix and Splunk were many years ago when the apps and scripts were developed.

Sean 2017-10-11 18:08:19 UTC #2

Welcome back! Due to my lack of experience with it, I always love seeing more REST API info / posts. I have seen a few posts about Splunk also, so I’m sure people would find it useful.

Bighize65 2017-10-26 18:32:36 UTC #3

I would also like more information on this. I have a client looking to utilize this and I don’t have any experience with putting splunk and bigfix together.

jgstew 2018-04-10 19:48:36 UTC #4

Many BigFix customers have said they are interested in this. There are different possible integration points between BigFix & Splunk.

One is using BigFix to get Asset Info for Splunk.

Another would be to use BigFix as a possible source for events in splunk.

Another is analyses in BigFix to audit the status of splunk on systems where it is installed. (what versions, is it running properly and communicating?, is it configured for X/Y/Z?)

Another is using BigFix to install/update/manage/configure splunk clients / forwarders / servers / etc…

Examples:

How to configure splunk with Bigfix & syslog connector

jmaple 2018-08-13 02:17:41 UTC #5

Bringing this thread back up, I wonder if I could ask the BigFix community for some assistance.

The development of this integration would work best if I had as many sources of information with a plethora of events as possible. The different components of BigFix contain a lot of information and will help us paint a great picture of the health of BigFix.

To the community, if you are willing to do it, provide me some log samples of BigFix clients, server logs, audit logs, relay logs, download plug-in logs, web reports logs, and any other logs you may stumble across relating to BigFix.

I strongly recommend the longs are sanitized to remove any trace of where it came from.

Please send any sanitized samples to jimmy at splunk dot com.

jmaple 2018-10-19 00:53:11 UTC #6

Hitting this thread again to feel the room.

I believe I have a pretty boilerplate app ready that is used just for bringing in most of the flat logs as well as a REST API call that collects the hosts of a deployment with their DNS name, IP addresses, and, if available, the MAC addresses of the network adapaters of hosts.

I need to do some finishing touches with eventtypes and tagging for events in the flat logs but I’m hoping to have it ready by Thanksgiving.

jmaple 2018-11-17 15:48:47 UTC #7

BigFix Technical Add-on for Splunk (1.0.0) is now available.

Coordination between BigFix and Splunk administrators is a really good idea. Check out the README for installation and configuration requirements.

Currently the add-on does NOT contain any eventtypes or tagging for CIM compliance but that is hopefully coming by the end of the year or early next year.

Feel free to contact me or reply here with issues.

jmaple 2019-08-15 16:16:21 UTC #8

Greetings once again, BigFixers!

Over the past year I’ve been doing a lot of personal development on this add-on and have found the current implementation works well in smaller environments but tends to struggle at larger scales. Further development is going on now to try to deal with the scale issues for the larger customers. Depending on the drive for customers in larger environments wanting to ingest data from more than 50k endpoints, another add-on may be introduced or this one will be updated with a new version that is compatible with larger environments.

The current version of the add-on should work comfortably in environments with ~10,000 endpoints but the higher the number of endpoints is, the higher chance the queries will start to fail or cause other issues. So to get a gauge on scale, if you want to use the add-on, I’d like to get a rough estimate on how many endpoints are in environments this could go into so please answer the poll.

How many endpoints are in your environment?

1-99
100-4999
5000-19999
20000-49999
50000+

0 voters

Show results

DerrickD 2019-08-15 20:11:05 UTC #9

We’re new to BigFix, but are very interested to add this integration as we get started.

Akshay19 2019-08-26 07:16:42 UTC #10

Hi Jmaple,

I required the splunk app for bigfix earlier it was availabe in the splunk app store, the same link is shared by you but now it is not available can you please me to find the splunk app for bigfix, is their any new link or new app?

jmaple 2019-08-26 17:49:23 UTC #11

I believe this was due to the version of Splunk the app was configured to be “compatible” with. I believe it’s automatic based on versions of Splunk coming to EOL. Let me see what I can do.

EDIT: I forgot that I took 6.0.1 (the last version on Splunkbase before it was removed) and created a tree of it in my Git that I’m working to update.

I would recommend NOT using the updated version (7.0.0) as the data that backs it uses the TA that’s being reworked at the moment. But if you’re just looking for 6.0.1, the link above should be what you need.

_bsmith 2019-09-06 15:01:10 UTC #12

Hi jmaple,

I am trying to use your TA-bigfix app and am running in to some issues. I am unable to open the app after installing. I receive the dreaded horse-man error page: “Oops.
An error occurred while reading the page template. See web_service.log for more details Click here to return to Splunk homepage”

The only related entries in the web_service.log related to the request IDs are:
view:1054 - bypass module system fast path

Right now we are on Splunk 7.2.3. I have removed the app and re-downloaded/reinstalled.

Any ideas or suggestions?

jmaple 2019-09-06 15:11:50 UTC #13

The name of the TA has to have the “master” part removed. If you remove that, you should see what your looking for. The app in the apps directory should just be “TA-bigfix”

_bsmith 2019-09-06 17:52:07 UTC #14

Thanks, so much. That worked! I appreciate the quick response.