Splunk Integration with Active Directory/LDAP

Most of the companies want to integrate their Splunk installation to centralised authentication system. The main article in Splunk docs describe it in concise manner, but this article is to do the integration in a practical manner including the code.

LDAP/Active Directory : Purpose of Integration

To authenticate users via Active Directory (AD)
To associate users to roles
To centralise management of users/roles
To collect Identity list from Active Directory subsystems

Modular App(s)

I always tend to create specific apps for every functionality. For integration of Splunk, the app I would create is something like

A_prod_ldap_auth (the naming convention implies the integration into PROD, ldap for authorisation purposes)

Contents of the app

Authorization mainly is done using two conf files

authentication.conf - configuring authentication with LDAP
authorize.conf - configure roles and granular access controls

Both these files can be configured and customised and put into the A_prod_ldap_auth app to make it isolated. You can then deploy this app to your Splunk deployment (both standalone & clustered) and it will work like a charm

Working Code Example

Full App in github

Comments

Splunk : Transform data further from already transformed data

In many circumstances, you may need to extract or transform a data which has just been extracted by another transform. Please see a below case whereby the _raw needs to have a new sourcetype (index time), then on such modified sourcetype you need to extract the fields , and one of the extracted fields itself is an XML. We can achieve all this using props.conf and transforms.conf within an app (or local/ directory of your existing app) In props.conf # ================================================================= # These are executed in the same order that they appear in the list so ORDER CAREFULLY! [incoming_sourcetype] TRANSFORMS-sourcetype = rename_mySourcetype [mySourcetype] # Search Time extractions by REPORT REPORT-mySourcetype = my_deep_extraction_1, my_deeper_extraction_2, my_deeper_extraction_3 # ================================================================= In transforms.conf # ====================...

Naming Standards for Splunk Objects

Every software architect or developer would know the importance of "naming conventions". But this may not be the case with the business users, admins or Project Managers. Hence as a Splunk Administrator my first job is to define the naming conventions of Splunk Objects Splunk Objects What do you mean by Splunk objects? Splunk object refers to any configuration item(s) that are under the control of your team. For example, a dashboard you created, a custom splunk app, a report etc. For the splunk objects you may not have direct control, the naming conventions may not apply. So the conventions can be applied only to the objects that are created by you/your team and which you have FULL control. Ensure you are well familiar with Splunk configuration file precedence to understand the object precedence as the naming convention should be built upon it. Naming Conventions and Methodology Ensure if your organisation have a naming convention methodology? Use camelCase (not underscores...

iSplunker - Splunk for pros

Search This Blog