Splunk Configuration

indexes.conf

Given the sensitive nature of the data that we expect to receive and the possibility that somebody might accidentally disable the encryption step, best practice is to put these events into their own index and limit access to only the required roles.

[secured_index]
coldPath = $SPLUNK_DB/secured_index/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/secured_index/db
maxTotalDataSizeMB = 5120
thawedPath = $SPLUNK_DB/secured_index/thaweddb

props.conf

Next, we’ll set up a sourcetype for the logs. This should at the very least cover the Splunk “Great Eight” props.conf attributes. Splunk does an amazing job of detecting things such as line breaks and timestamps automatically, but that detection is computationally costly and the cost adds up over time.

[encrypted_logs]
disabled = false
pulldown_type = 1
category = Structured
description = Field-encrypted JSON
KV_MODE = json
# One JSON object per line: break on newlines and do not re-merge lines afterwards.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
CHARSET = UTF-8
TRUNCATE = 9999
# The value is a regex matched against the raw event, so the quotes must be the
# plain ASCII double quote (curly quotes never match) and the brace is escaped.
TIME_PREFIX = \{"timestamp":"
TIME_FORMAT = %Y-%m-%d %H:%M:%S
# 19 characters is exactly the length of YYYY-mm-dd HH:MM:SS.
MAX_TIMESTAMP_LOOKAHEAD = 19
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)

Install the Cribl App for Splunk

Head on over to Cribl’s website and download the latest version of the Cribl App for Splunk. Install this as you would any other Splunk app. Please note that in later steps we’ll add some decryption keys to this app, so if you’re using a search head cluster deployer, remember to put the keys there (as opposed to on each SH individually).

Encrypted Data Consumer Roles

Cribl LogStream encrypts data using keys that belong to key classes. The Cribl App for Splunk ships capabilities that must be assigned to the roles used by the people who are allowed to view decrypted data. The capabilities are named cribl_keyclass_* and are assigned through Splunk’s access controls configuration.
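The two pieces of role configuration described so far (restricting the secured_index index to the roles that need it, and granting a cribl_keyclass_* capability to the roles that may decrypt) both live in authorize.conf. The stanza below is an added example, not part of the original post or of the Cribl app; the role name role_encrypted_viewer and the capability name cribl_keyclass_1 are assumptions, and the capability must match a key class the Cribl app actually defines on your search head.

```ini
# authorize.conf (added example; role and capability names are assumed)

# A dedicated role for people who may search the sensitive index.
# Inheriting from "user" keeps ordinary search rights; the index lists
# below are what confine this role to secured_index.
[role_encrypted_viewer]
importRoles = user
srchIndexesAllowed = secured_index
srchIndexesDefault = secured_index
# Granting the key class lets the Cribl app's decrypt command unmask
# fields for this role. Leave this line out for a role that may search
# the index but must only ever see the encrypted values.
cribl_keyclass_1 = enabled
```

Index rights are cumulative across imported roles, so check that nothing reached through importRoles already lists secured_index (or a wildcard) in its own srchIndexesAllowed; otherwise the restriction here is not the only path to the data.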

Next up

For now, that’s all the Splunk configuration we’ll need to do. In the next section we’ll discuss configuring Cribl LogStream to receive, encrypt and forward events.