Given the sensitive nature of the data that we expect to receive and the possibility that somebody might accidentally disable the encryption step, best practice is to put these events into their own index and limit access to only the required roles.
Next, we’ll set up a sourcetype for the logs. This should at very least cover the Splunk “Great Eight” props.conf attributes. Splunk does an amazing job of detecting things such as line breaks and timestamps automatically, but doing this is computationally costly and can add up over time.
Install the Cribl for Splunk
Head on over to Cribl’s website and download the latest version of the Cribl App for Splunk. Install this as you would any other Splunk app. Please note that in later steps we’ll add some decryption keys to this app, so if you’re using a search head cluster deployer, remember to put the keys there (as opposed to on each SH individually).
Encrypted Data Consumer Roles
Cribl LogStream encrypts data using keys assigned to classes. The Cribl app for Splunk includes capabilities that we need to assign to the roles that our viewers of encrypted data inhabit. The capabilities are named in the format cribl_keyclass_* and can be assigned as needed through the Splunk’s access controls configuration.
For now, that’s all the Splunk configuration we’ll need to do. In the next section we’ll discuss configuring Cribl LogStream to receive, encrypt and forward events.