Splunk integration

PrivX can be integrated with Splunk via syslog to gain visibility into how PrivX is being used to access the target systems, namely which authentication types and connection methods are in use.


First, configure the PrivX host to forward its syslog events to Splunk. There are two ways to do this.

  1. Configure Splunk to receive data by adding a TCP or UDP input on a specific port, and configure the PrivX host's rsyslog to send events to that port on the Splunk host.

or

  1. Configure a Splunk Universal Forwarder receiver on a specific port on the Splunk host.
  2. Add a new Events data type index (in this example "privx") to the Splunk installation (Note: restart Splunk afterwards).
  3. Deploy the Splunk Universal Forwarder to the PrivX host and configure it to send events to your Splunk installation:
$ ./splunk add forward-server splunk-host-address:receiver-port
  4. Configure the Splunk Forwarder to monitor the syslog file (in inputs.conf; an absolute path needs three slashes after "monitor:"):
[monitor:///var/log/messages]
index = privx
  5. Verify that the Splunk forwarder is active.
    (Note: Splunk only reports a forward as Active when data is passing through it.)
$ ./splunk list forward-server
Active forwards:
splunk-host-address:receiver-port
Configured but inactive forwards:
other-splunk-host-address:receiver-port

Now you should start seeing PrivX events in the index "privx". To create a new dashboard that uses the index data, navigate to Splunk / Search & Reporting / Dashboards, click "Create new dashboard" and give the dashboard a name.

The dashboard opens in edit mode. Click the "Source" tab and paste the following into the source code editor.

<form>
  <label>PrivX</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="time" token="timewindow">
      <label>Date range</label>
      <default>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="indexToUse">
      <label>Index to use</label>
      <fieldForLabel>index</fieldForLabel>
      <fieldForValue>index</fieldForValue>
      <search>
        <query>| eventcount summarize=false index=* | fields index | dedup index | table index</query>
        <earliest>@d</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Logins to PrivX</title>
        <search>
          <query>index=$indexToUse$ event IN("User-logged-in")
|bucket _time span=minute
|stats count as "Login OK" by _time
|appendcols [search index=$indexToUse$ event IN("User-login-failed")
|bucket _time span=minute
|stats count as "Login Failed" by _time]</query>
          <earliest>$timewindow.earliest$</earliest>
          <latest>$timewindow.latest$</latest>
          <refresh>10m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="charting.axisTitleY.text">Events per minute</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">right</option>
        <option name="height">205</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Unique User logins</title>
        <search>
          <query>index=$indexToUse$ event IN("User-logged-in")
|bucket _time span=hour
|dedup username
|stats count by _time</query>
          <earliest>$timewindow.earliest$</earliest>
          <latest>$timewindow.latest$</latest>
          <refresh>10m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="charting.axisTitleY.text">Unique users per hour</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">right</option>
        <option name="height">205</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Authorizations Granted</title>
        <search>
          <query>index=$indexToUse$ event IN("Authorization-certificate-granted")
|bucket _time span=minute
|stats count as "Certificate" by _time
|appendcols [search index=$indexToUse$ event IN("Authorization-role-key-granted")
|bucket _time span=minute
|stats count as "Public key" by _time]
|appendcols [search index=$indexToUse$ event IN("Authorization-Passphrase-returned")
|bucket _time span=minute
|stats count as "Passphrase" by _time]</query>
          <earliest>$timewindow.earliest$</earliest>
          <latest>$timewindow.latest$</latest>
          <refresh>10m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="charting.axisTitleY.text">Events per minute</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.legend.placement">right</option>
        <option name="height">202</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Connections Authenticated</title>
        <search>
          <query>index=$indexToUse$ (event="Connection-authenticated") (connectionType="SSH")
|bucket _time span=minute
|stats count as SSH by _time
|appendcols [search index=$indexToUse$ (event="Connection-authenticated") (connectionType="RDP")
|bucket _time span=minute
|stats count as RDP by _time]
|appendcols [search index=$indexToUse$ (event="Connection-authenticated") (connectionType="WEB")
|bucket _time span=minute
|stats count as WEB by _time]</query>
          <earliest>$timewindow.earliest$</earliest>
          <latest>$timewindow.latest$</latest>
          <refresh>10m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="charting.axisTitleY.text">Events per minute</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
        <option name="charting.legend.placement">right</option>
        <option name="height">205</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Connection types</title>
        <search>
          <query>index=$indexToUse$ event="Connection-authenticated"
| stats count by connectionType</query>
          <earliest>$timewindow.earliest$</earliest>
          <latest>$timewindow.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Web access vs Native clients</title>
        <search>
          <query>index=$indexToUse$ event="Connection-authenticated"
| stats count by SSH_PrivX_service
| replace "RDP-PROXY" WITH "Web RDP", "RDP-MITM" WITH "Native RDP", "SSH-PROXY" WITH "Web SSH", "SSH-MITM" WITH "Native SSH" IN SSH_PrivX_service</query>
          <earliest>$timewindow.earliest$</earliest>
          <latest>$timewindow.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Authentication methods</title>
        <search>
          <query>index=$indexToUse$ event="Connection-authenticated"
| eval authMethod=substr(method,0,9)
| stats count by authMethod
| replace "Password" WITH "Interactive password", "Password-" WITH "Vaulted password", "SSH-Certi" WITH "SSH certificate", "X.509-Cer" WITH "X.509 certificate", "SSH-Princ" WITH "SSH public key" IN authMethod</query>
          <earliest>$timewindow.earliest$</earliest>
          <latest>$timewindow.latest$</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Unique Host Targets</title>
        <search>
          <query>index=$indexToUse$ event IN("Connection-authenticated")
|bucket _time span=hour
|dedup hostID
|stats count by _time</query>
          <earliest>$timewindow.earliest$</earliest>
          <latest>$timewindow.latest$</latest>
          <refresh>10m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="charting.axisTitleY.text">Unique targets per hour</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">right</option>
        <option name="height">205</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>File Transfers</title>
        <search>
          <query>index=$indexToUse$ event IN("File-upload")
|bucket _time span=minute
|stats count as "Uploads" by _time
|appendcols [search index=$indexToUse$ event IN("File-download")
|bucket _time span=minute
|stats count as "Downloads" by _time]</query>
          <earliest>$timewindow.earliest$</earliest>
          <latest>$timewindow.latest$</latest>
          <refresh>10m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="charting.axisTitleY.text">Events per minute</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">right</option>
        <option name="height">205</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Role Context Restriction Alert</title>
        <search>
          <query>index=$indexToUse$ event="RoleContext-usage-alert"
|bucket _time span=hour
|stats count as "Alert" by _time</query>
          <earliest>$timewindow.earliest$</earliest>
          <latest>$timewindow.latest$</latest>
          <refresh>10m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="charting.axisTitleY.text">Alerts per hour</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">right</option>
        <option name="height">205</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>PrivX System Errors</title>
        <search>
          <query>index=$indexToUse$ "[ERROR]"
|bucket _time span=hour
|stats count as "ERROR" by _time</query>
          <earliest>$timewindow.earliest$</earliest>
          <latest>$timewindow.latest$</latest>
          <refresh>10m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="charting.axisTitleY.text">Errors per hour</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">right</option>
        <option name="height">205</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Top connection targets</title>
        <search>
          <query>index=$indexToUse$ event="Connection-authenticated"
| stats count by hostAddress
| sort -count</query>
          <earliest>$timewindow.earliest$</earliest>
          <latest>$timewindow.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel>
      <table>
        <title>Top connecting users</title>
        <search>
          <query>index=$indexToUse$ event="Connection-authenticated"
| stats count by username
| sort -count</query>
          <earliest>$timewindow.earliest$</earliest>
          <latest>$timewindow.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Disk-full</title>
        <search>
          <query>index=$indexToUse$ (event="Disk-full")
|bucket _time span=minute
|convert rmunit(used)
|stats avg(used) count by _time</query>
          <earliest>$timewindow.earliest$</earliest>
          <latest>$timewindow.latest$</latest>
          <refresh>10m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="charting.axisTitleY.text">% Disk full</option>
        <option name="charting.chart">area</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">none</option>
        <option name="height">205</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>

Click Save, select the index to use (in our example "privx") and enjoy the dashboard.
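To sanity-check what the panels above compute before relying on them, the following added example (it is not part of the PrivX documentation, nor code from SSH or Splunk) re-implements the panel searches in Python over a handful of constructed event lines. It assumes PrivX events arrive as syslog lines that carry the dashboard's fields as key=value pairs (event, username, connectionType, hostID, hostAddress, SSH_PrivX_service, method), which Splunk extracts automatically; the exact line layout and every sample value are assumptions made for the example, not the real PrivX log format. The rename tables are copied from the "Web access vs Native clients" and "Authentication methods" panels.

```python
"""Offline re-implementation of the PrivX dashboard panel logic.

Added example, not from the PrivX documentation or from Splunk.
Assumed (constructed) line format: "<timestamp> <host> privx: key=value ...".
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events; none of these were captured from a PrivX host.
SAMPLE_LOG = """\
2024-05-01T08:00:05Z privx01 privx: event=User-logged-in username=alice
2024-05-01T08:00:40Z privx01 privx: event=User-login-failed username=mallory
2024-05-01T08:00:50Z privx01 privx: event=User-login-failed username=mallory
2024-05-01T08:01:02Z privx01 privx: event=User-logged-in username=bob
2024-05-01T08:01:10Z privx01 privx: event=Connection-authenticated username=alice connectionType=SSH hostID=h-1 hostAddress=10.0.0.5 SSH_PrivX_service=SSH-MITM method=SSH-Certificate
2024-05-01T08:03:30Z privx01 privx: event=Connection-authenticated username=bob connectionType=RDP hostID=h-2 hostAddress=10.0.0.9 SSH_PrivX_service=RDP-PROXY method=Password-vault
2024-05-01T09:15:00Z privx01 privx: event=User-logged-in username=alice
2024-05-01T09:16:12Z privx01 privx: event=Connection-authenticated username=alice connectionType=WEB hostID=h-3 hostAddress=10.0.0.7 SSH_PrivX_service=SSH-PROXY method=Password
2024-05-01T09:20:00Z privx01 privx: event=RoleContext-usage-alert username=bob
2024-05-01T09:21:00Z privx01 privx: [ERROR] constructed example error line
2024-05-01T09:30:00Z privx01 privx: event=Connection-authenticated username=bob connectionType=SSH hostID=h-1 hostAddress=10.0.0.5 SSH_PrivX_service=SSH-PROXY method=SSH-Principal-key
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) privx: (?P<payload>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Rename tables taken from the dashboard's `replace` commands.
SERVICE_NAMES = {"RDP-PROXY": "Web RDP", "RDP-MITM": "Native RDP",
                 "SSH-PROXY": "Web SSH", "SSH-MITM": "Native SSH"}
METHOD_NAMES = {"Password": "Interactive password", "Password-": "Vaulted password",
                "SSH-Certi": "SSH certificate", "X.509-Cer": "X.509 certificate",
                "SSH-Princ": "SSH public key"}


def parse_events(text):
    """Turn raw syslog lines into dicts with _time, _raw and the extracted key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(m["payload"]))
        fields["_time"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        fields["_raw"] = line
        events.append(fields)
    return events


def bucket(ts, span):
    """Equivalent of `bucket _time span=minute` / `span=hour`."""
    if span == "minute":
        return ts.replace(second=0, microsecond=0)
    if span == "hour":
        return ts.replace(minute=0, second=0, microsecond=0)
    raise ValueError(span)


def stats_count_by_time(events, span, **match):
    """`<field=value filter> | bucket _time span=X | stats count by _time`."""
    c = Counter()
    for e in events:
        if all(e.get(k) == v for k, v in match.items()):
            c[bucket(e["_time"], span)] += 1
    return dict(c)


def distinct_by_time(events, span, field, **match):
    """Distinct values of `field` inside each bucket (`stats dc(field) by _time`)."""
    seen = defaultdict(set)
    for e in events:
        if field in e and all(e.get(k) == v for k, v in match.items()):
            seen[bucket(e["_time"], span)].add(e[field])
    return {t: len(v) for t, v in seen.items()}


def logins_per_minute(events):
    """'Logins to PrivX' panel: OK and failed logins, joined on the minute bucket."""
    ok = stats_count_by_time(events, "minute", event="User-logged-in")
    failed = stats_count_by_time(events, "minute", event="User-login-failed")
    return {t: {"Login OK": ok.get(t, 0), "Login Failed": failed.get(t, 0)}
            for t in sorted(set(ok) | set(failed))}


def count_by(events, field, rename=None, prefix_len=None, **match):
    """`<filter> | stats count by <field>`, with the optional substr/replace steps."""
    c = Counter()
    for e in events:
        if field not in e or not all(e.get(k) == v for k, v in match.items()):
            continue
        value = e[field][:prefix_len] if prefix_len else e[field]
        c[(rename or {}).get(value, value)] += 1
    return dict(c)


def errors_per_hour(events):
    """'PrivX System Errors' panel: raw-text search for "[ERROR]" per hour."""
    return dict(Counter(bucket(e["_time"], "hour") for e in events if "[ERROR]" in e["_raw"]))


def top_by(events, field, **match):
    """`stats count by <field> | sort -count`, as in the two tables."""
    return sorted(count_by(events, field, **match).items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("Logins per minute:", logins_per_minute(ev))
    print("Unique users per hour:", distinct_by_time(ev, "hour", "username", event="User-logged-in"))
    print("Connection types:", count_by(ev, "connectionType", event="Connection-authenticated"))
    print("Web vs native:", count_by(ev, "SSH_PrivX_service", SERVICE_NAMES, event="Connection-authenticated"))
    print("Auth methods:", count_by(ev, "method", METHOD_NAMES, 9, event="Connection-authenticated"))
    print("Top targets:", top_by(ev, "hostAddress", event="Connection-authenticated"))
    print("Role alerts per hour:", stats_count_by_time(ev, "hour", event="RoleContext-usage-alert"))
    print("Errors per hour:", errors_per_hour(ev))
```

Two points where the example deliberately differs from the SPL, both worth knowing when reading the charts: `appendcols` pastes subsearch rows side by side by position, not by `_time`, so when the "OK" and "Failed" subsearches produce different sets of minute buckets the columns drift apart; the example joins on the bucket key instead. And `dedup username` after `bucket` keeps only each user's first event in the whole time window, so the "Unique User logins" panel attributes a user to the hour of their first login rather than counting distinct users per hour; the example uses a distinct count per bucket (`stats dc(username) by _time`), which is what the axis label describes.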
