Chapter 1. Installing and configuring the Red Hat Insights application for Splunk
The Red Hat Insights application for Splunk forwards selected Hybrid Cloud Console events to Splunk. The application seamlessly integrates with the Hybrid Cloud Console, so that you can focus on handling the data on the Splunk application side in the same way that you manage other sources of data. After the integration has been configured, you can view and manage Hybrid Cloud Console notifications from the Splunk dashboard without having to open the Red Hat Hybrid Cloud Console.
Contacting support
If you have any issues with the Red Hat Insights application for Splunk, contact Red Hat for support. You can open a Red Hat support case directly from the Hybrid Cloud Console by clicking Help (? icon) > Open a support case, or view more options from ? > Support options.
Splunk will not provide troubleshooting. The Red Hat Insights application for Splunk is fully supported by Red Hat.
Prerequisites
- You have Splunk login credentials:
  - On Splunk Cloud Platform, you must have the Splunk Cloud Administrator sc-admin role.
  - On Splunk Enterprise, you must have the admin role. For more information about creating the admin role, see Create secure administration credentials in the Splunk documentation.
- You have Organization Administrator permissions for the Hybrid Cloud Console.
1.1. Installing the Red Hat Insights application for Splunk
Install and configure the Red Hat Insights application for Splunk to integrate Splunk with the Hybrid Cloud Console so that Splunk can receive event notifications from the Hybrid Cloud Console. The setup automation performs the following tasks:
- Creates a user group with the Notifications administrator role using the Organization Administrator permissions. You can also create the user group manually. For more information about manual configuration, see Manually configuring a Notifications administrator group in your Hybrid Cloud Console account.
- Uses the Splunk HEC URL and HEC token to create a new integration called SPLUNK_AUTOMATION, with the integration type Splunk.
- Creates a new behavior group called SPLUNK_AUTOMATION_GROUP on the RHEL bundle. The group includes an action to send notifications to the SPLUNK_AUTOMATION Splunk integration.
- Assigns the new behavior group SPLUNK_AUTOMATION_GROUP to all Hybrid Cloud Console services. This forwards the events from all services to Splunk. Currently, the behavior group forwards events from the Advisor, Policies, Drift, Compliance, Malware Detection, Patch, and Vulnerability services.
When Splunk begins to receive notifications from the Hybrid Cloud Console, the Red Hat Insights application for Splunk dashboard shows event activity. Each number contains a hyperlink to the Hybrid Cloud Console.
Prerequisites
- You have Organization Administrator permissions for the Hybrid Cloud Console.
- You have Splunk login credentials:
  - To install applications on Splunk Cloud Platform, you must have the Splunk Cloud Administrator sc-admin role.
  - To install applications on Splunk Enterprise, you must have the admin role. For more information about creating the admin role, see Create secure administration credentials in the Splunk documentation.
- Popup blockers are disabled in your browser.
Procedure
Install the Red Hat Insights Application for Splunk:
- Log in to Splunk.
- On the home page, search for Red Hat Insights in the filter box and select it.
- Click Install. When the installation process completes, the message Install successful displays.
- On the home page, click the Settings menu (gear icon). The Apps page opens.
- Enter Red Hat Insights in the filter box and then click the magnifying glass. The application appears in the search results.
- On the home page, click Find more apps under the Apps heading on the left of the screen. The Browse More Apps page opens.
- Enter Red Hat Insights in the filter box and then press the Enter key. Red Hat Insights appears in the search results.
- Select Red Hat Insights.
- Click Install.
- Confirm or enter your Splunk username and password and then click Agree and Install. When the installation process completes, the Complete dialog box opens.
Set up the Red Hat Insights Application for Splunk:
- In the Complete dialog box, click Open the App. The App configuration page opens.
Click Continue to app setup page. The Set up integration with Red Hat Insights page opens. The page includes the HTTP Event Collector (HEC) name and default index fields.
- Under Create Red Hat Default Index, click Settings > Index. The Indexes page opens in a new tab.
- On the Indexes page, click New Index.
- Type a name for the index in the Name field (for example, redhatinsights).
- Enter values in the Max raw data size and Searchable retention (days) fields.
- Click Save. The index you created appears in the Indexes list. It is enabled by default.
- On the first Splunk screen, on the Set up integration with Red Hat page, type the name for the HEC in the HEC name field (for example, redhatinsights).
- Type the name of the index you just created in the Default index field (for example, redhatinsights).
- Click Next.
- Click Review and then click Submit. The HEC name that you created appears in the HEC Name field.
Click Next to create the HEC URL and HEC Token.
Configure Splunk integration in Insights:
- Click Copy to copy the HEC URL value in Splunk Enterprise.
Click Next: Configure Splunk integration in Insights. The Hybrid Cloud Console opens in a new browser tab.
Note: This button is disabled until you click the Copy button for either the HEC URL or HEC token.
- In the Hybrid Cloud Console, navigate to Settings > Integrations.
Paste the HEC URL value into the Splunk HEC URL field.
Note: If the new tab for the console does not open, disable the popup blocker in your browser.
Add the port, if needed. The default port for Splunk Cloud Platform is 443. The default port for Splunk Enterprise and Splunk Cloud free trial is 8088.
Optional: If you are using Splunk Cloud, edit the HEC URL that you pasted into the Splunk HEC URL field on the Integrations page to match the Splunk Cloud format:
Use the following format for Splunk Cloud Platform on all clouds except Google Cloud Platform (GCP):
<protocol>://http-inputs-<host>.splunkcloud.com:<port>/<endpoint>
Use the following format for Splunk Cloud Platform on Google Cloud Platform (GCP):
<protocol>://http-inputs.<host>.splunkcloud.com:<port>/<endpoint>
Replace the following placeholders:
- protocol: Either http or https.
- host: The name of the Splunk Cloud Platform instance that runs the HEC, followed by the domain .splunkcloud.com.
- port: The HEC port number (443 by default on Splunk Cloud Platform instances).
- endpoint: The HEC endpoint that you want to use. In many cases, you use the /services/collector/event endpoint for JSON-formatted events, or the /services/collector/raw endpoint for raw events.
Examples:
Splunk Cloud Platform on GCP using JSON:
https://http-inputs.myhost.splunkcloud.com:443/services/collector/event
Splunk Cloud free trial on AWS using raw events:
https://http-inputs-otherhost.splunkcloud.com:443/services/collector/raw
- Complete the setup process:
  - Copy the HEC Token value in Splunk and paste it into the Splunk HEC Token field on the Hybrid Cloud Console Integrations page.
  - In the Hybrid Cloud Console, click Run configuration. The Hybrid Cloud Console sets up the integration, creates the behavior group, and associates Hybrid Cloud Console events with the behavior group. The status message section on the right side of the page shows the status of each of these actions.
  - When the setup completes successfully, click Next: Review. The application returns the message Splunk integration in Insights completed.
  - Click Go back to the Splunk application. This redirects you to the Set up integration with Red Hat screen in Splunk.
  - Click Finish set up to complete the setup in Splunk.
  - Click Go to dashboard to be redirected to your Splunk dashboard.
Note: If the integration configuration fails during the Insights setup process, contact Red Hat support.
To view a list of Hybrid Cloud Console events on the Splunk dashboard, click the Events tab. Each event is hyperlinked to the Hybrid Cloud Console.
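As an added example, not part of the Red Hat documentation, the following Python helper checks a HEC URL against the formats described in this procedure: the two Splunk Cloud host shapes (http-inputs-<host> on AWS and other clouds, http-inputs.<host> on GCP), the default ports stated above (443 for Splunk Cloud, 8088 for Splunk Enterprise), the two HEC endpoint paths, and a plain http URL, which would carry the HEC token in clear text. It also strips the endpoint path, since the console's Integrations form (section 1.4) adds it automatically. The sample hosts are the page's own examples or constructed placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Defaults stated on the page: Splunk Cloud uses port 443, Splunk Enterprise 8088.
DEFAULT_PORT = {"cloud": 443, "cloud-gcp": 443, "enterprise": 8088}
# The two HEC endpoint paths named on the page.
HEC_ENDPOINTS = ("/services/collector/event", "/services/collector/raw")
# Splunk Cloud host shapes from the page: "http-inputs-<host>" on AWS and other
# clouds, "http-inputs.<host>" on GCP, both under splunkcloud.com.
CLOUD_HOST = re.compile(r"^http-inputs([-.])([a-z0-9][a-z0-9-]*)\.splunkcloud\.com$")


def classify_hec_url(url):
    """Return the platform, port, endpoint and a list of problems for a HEC URL."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme not in ("http", "https"):
        problems.append("protocol must be http or https")
    elif parts.scheme == "http":
        problems.append("http sends the HEC token in clear text; use https")
    host = (parts.hostname or "").lower()
    match = CLOUD_HOST.match(host)
    if match:
        platform = "cloud-gcp" if match.group(1) == "." else "cloud"
    elif host:
        platform = "enterprise"
    else:
        platform = "unknown"
        problems.append("missing host")
    try:
        port = parts.port  # raises ValueError when the port is not numeric
    except ValueError:
        port = None
        problems.append("port is not a number")
    expected = DEFAULT_PORT.get(platform)
    if port is None and expected:
        problems.append("no port given; the usual %s default is %d" % (platform, expected))
    elif expected and port != expected:
        problems.append("port %d is not the usual %s default %d; verify it" % (port, platform, expected))
    endpoint = parts.path.rstrip("/")
    if endpoint and endpoint not in HEC_ENDPOINTS:
        problems.append("unknown HEC endpoint path %r" % endpoint)
    return {"platform": platform, "port": port, "endpoint": endpoint, "problems": problems}


def console_endpoint_url(url):
    """Drop the endpoint path: the console Integrations form appends it itself,
    so only scheme://host:port is entered there (see section 1.4)."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))
```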
Additional Resources
- Splunk Enterprise
- Install apps on your Splunk Cloud deployment
- Configure HTTP Event Collector on Splunk Enterprise
- Configure HTTP Event Collector on Splunk Cloud Platform
- Configure user access
- Configure notifications on the Red Hat Hybrid Cloud Console
- Manually configuring a Notifications administrator group in your Hybrid Cloud Console account
1.2. Enabling the HEC token
Before Splunk can receive Hybrid Cloud Console events, you must enable the HEC token.
Prerequisites
- You have Organization Administrator permissions for the Hybrid Cloud Console.
- You have Splunk login credentials:
  - On Splunk Cloud Platform, you must have the Splunk Cloud Administrator sc-admin role.
  - On Splunk Enterprise, you must have the admin role. For more information about creating the admin role, see Create secure administration credentials in the Splunk documentation.
Procedure
- From the Splunk home page, navigate to Settings.
Select Data Inputs, and then select HTTP Event Collector. The HTTP Event Collector page shows the HEC, its Token value, the corresponding index that you selected during setup, and the status of the HEC.
Click Global Settings in the upper right corner of the page. The Edit Global Settings dialog box displays.
Select Enabled. This enables the HEC token that was automatically created during the setup process.
Note: The HEC token uses a default HTTP port number of 8088. If you are using a different port (such as port 443 for Splunk Cloud), you must update your Hybrid Cloud Console Splunk Integration to match.
Additional Resources
- For more information about the HEC token in Splunk Cloud, see Configure HTTP Event Collector on Splunk Cloud Platform in the Splunk documentation.
- For more information about setting up and using the HEC in Splunk Enterprise, see Set up and use HTTP Event Collector on Splunk Enterprise in the Splunk Enterprise documentation.
1.3. Manually configuring a Notifications administrator group in your Hybrid Cloud Console account
The Red Hat Insights application for Splunk automated installation and setup process automatically configures a Notifications administrator role and group in your Hybrid Cloud Console account. However, you can create the Notifications administrator manually.
Prerequisites
- You are logged in to the Hybrid Cloud Console with the Organization Administrator role.
Procedure
- Click Settings > Identity & Access Management.
- Under Identity & Access Management, expand User Access if necessary, and select Groups.
- Click Create group. The Name and description page appears.
- Enter a name for the group (for example, splunknotifgroup), enter a description, and click Next. The Add roles page opens.
- To add the Notifications administrator role, enter notif in the search box.
- Select Notifications administrator from the search results list, and click Next. The Add Members page opens.
- Select the users to add to this group. You can use the search box to search for specific names.
- Click Next. The Review Details page opens.
- Review the information, and click Submit to create the group.
- Click Exit. The Groups page opens.
Verification
- Enter the new group name in the search box.
- Click the group name. The page for the group opens.
- On the Roles tab, verify that the group has the Notifications administrator role.
- Click the Members tab and verify that the group includes the correct members.
1.4. Manually configuring a Splunk integration
The Red Hat Insights application for Splunk automated installation and setup process automatically configures Splunk integration to your Hybrid Cloud Console account. Use this procedure if you want to configure the integration manually.
Prerequisites
- You have an HTTP Event Collector (HEC) URL from Splunk Cloud or Splunk Enterprise.
- You have the HEC token value from Splunk Cloud or Splunk Enterprise.
- You are logged in to the Hybrid Cloud Console with the Notifications administrator role.
Procedure
- In the Hybrid Cloud Console, navigate to Settings > Integrations.
- Select the Reporting & Automation tab.
- Click Add integration.
- Select Splunk as the integration type, and click Next.
- Enter a name for your new integration in the Integration name field (for example, redhat_splunk).
- In the Endpoint URL field, add your Splunk HEC endpoint URL:
  - For Splunk Enterprise, Splunk uses port 8088 by default. For example: https://<splunk-endpoint>:8088
  - For Splunk Cloud, Splunk uses port 443. For more information about Splunk Cloud on AWS or GCP, see Send data to HTTP Event Collector.
Note: The service automatically adds <endpoint> (the http path). You do not need to include it in the form input for the Endpoint URL.
The following examples show endpoint URLs with the correct port numbers for Splunk platforms.
  - On premise (Splunk Enterprise): https://splunk.company.com:8088
  - Splunk Cloud (on AWS): https://http-inputs-mycompany.splunkcloud.com:443
  - Splunk Cloud (on GCP): https://http-inputs.mycompany.splunkcloud.com:443
- In the Secret token field, add the Splunk HEC token value.
- Click Next.
- Review the integration details and click Submit.
Additional resources
- For more information about the HEC token in Splunk Cloud, see Configure HTTP Event Collector on Splunk Cloud Platform in the Splunk documentation.
- For more information about configuring ports for Splunk Cloud, see Send data to HTTP Event Collector.
- For more information about setting up and using the HEC in Splunk Enterprise, see Set up and use HTTP Event Collector on Splunk Enterprise in the Splunk Enterprise documentation.
1.5. Additional resources
- For more information about Splunk, see the Splunk website.
- For more information about Splunkbase, see the Splunkbase website.
- For information about troubleshooting your Splunk integration, see Troubleshooting Hybrid Cloud Console integrations.