How to integrate Endpoint Central (on-premises) with Splunk?
Integrating ManageEngine Endpoint Central with Splunk consolidates the vulnerability data Endpoint Central collects into Splunk, where it can be monitored and managed alongside your other security data. Splunk's search and analytics let you examine vulnerability trends, patterns and anomalies and prioritize remediation by risk and impact, and its dashboards and reports present the data in a clear, actionable form.
Note: The Splunk integration feature is available in build DC-11.3.2430.01 and above.
This section covers:
- Installing the ManageEngine Endpoint Central (on-premises) add-on in Splunk
- Creating a CA-Bundle (Certificate Authority bundle) for SSL validation
- Generating an Auth-Token in Endpoint Central (on-premises)
- Configuring the app in Splunk with the Endpoint Central (on-premises) server
- Viewing data in Splunk
- Initiating Full Sync
- Configuring Multiple Endpoint Central Servers in Splunk
Installing the ManageEngine Endpoint Central (on-premises) add-on in Splunk
- Navigate to the Splunk Home page.
- In the Header menu, click on Apps.
- Select Find More Apps to be redirected to Splunk's Marketplace.
- Search for the ManageEngine Endpoint Central Add-On app.
- Click Install and enter your Splunk.com username and password when prompted.
- Click Agree and Install. The add-on is then available from the Splunk home page or the Apps menu.
Creating a CA-Bundle (Certificate Authority bundle) for SSL validation
The add-on validates the TLS certificate presented by the Endpoint Central server against this bundle, so the bundle must contain the certificate that the server's nginx actually serves.
- Navigate to the Endpoint Central (on-premises) server installation directory on your system, then go to %EC Home Dir% -> nginx -> conf.
- Open the server.crt file with a text editor and copy its full contents, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
- Now go to the Splunk installation directory on your system.
- Navigate to %Splunk Home Dir% -> etc -> apps -> TA-manageengine-endpoint-central-add-on.
- Within the TA-manageengine-endpoint-central-add-on folder, create a new folder named certificates.
- Inside the certificates folder, create a new text file and rename it to ec.ca-bundle (no .txt extension).
- Open ec.ca-bundle with a text editor and paste in the contents copied from server.crt.
- Save and close the ec.ca-bundle file.
Note: Copy only the certificate; never paste a private key into the bundle. If the server certificate is later regenerated or reissued, the copy in ec.ca-bundle may no longer match and validation will fail, so repeat these steps after any certificate change.
Generating an Auth-Token in Endpoint Central (on-premises)
Configuring the app in Splunk with the Endpoint Central (on-premises) server
- Navigate to the Inputs tab in the app and click the Create New Input button.
- In the pop-up window, enter the required information. From the Global Account dropdown, select the Endpoint Central (on-premises) server configured in the Configuration section.
- Click the Add button. If all inputs are valid, the input is added and appears in the Inputs list.
Valid inputs:
- Name: a unique name with no white space.
- Interval: polling interval in seconds, between 3600 (1 hour) and 86400 (24 hours).
- Index: the Splunk index the data is written to (the default index unless you change it).
- Global Account: the Endpoint Central (on-premises) server configured in the Configuration section.
Viewing data in Splunk
- Navigate to the Search tab in the app.
- Once an input is configured, synchronization with the Endpoint Central server begins and data starts posting to Splunk.
Currently, only vulnerability data from Endpoint Central is posted to Splunk.
- The vulnerability data is posted under the sourcetype manageengine:ec:vulnerability.
- To view the posted data, run the following search:
index=* sourcetype="manageengine:ec:vulnerability"
index=* searches every index your role can read; if you chose a specific index when creating the input, replace index=* with that index name for a faster, narrower search.
Initiating Full Sync
Configuring Multiple Endpoint Central Servers in Splunk
- Whenever you add another Endpoint Central (on-premises) server in Splunk, add that server's certificate to the existing ec.ca-bundle file as well; the bundle must contain the certificate of every server the add-on connects to.
- Refer to the steps in Creating a CA-Bundle for SSL Validation to copy the contents of that server's server.crt file.
- Append the copied contents to the end of the existing ec.ca-bundle file, after the last -----END CERTIFICATE----- line, so the file holds one certificate block per server.
- Finally, follow the instructions in Configuring the app in Splunk with the Endpoint Central (on-premises) server to complete the configuration.
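The two bundle procedures above (creating ec.ca-bundle for the first server, and appending to it for each additional server) as an added Python example; this is not code from ManageEngine, Splunk or the add-on. It assumes the bundle is a plain PEM file at the path given in the CA-bundle section, that each server.crt holds a PEM CERTIFICATE block, and, for the optional live check only, that the server listens on HTTPS port 8383. The sample certificate bodies are constructed placeholders, not real certificates. The script refuses a pasted private key, de-duplicates by certificate fingerprint so re-running a step is safe, and can confirm that a live server validates against the finished bundle.

```python
"""Build or extend the ec.ca-bundle used by the Endpoint Central add-on.

Added example, not code from ManageEngine or Splunk.  Assumptions not stated
on the original page: the bundle is plain PEM, each server.crt holds one PEM
CERTIFICATE block, and the file lives under
%Splunk Home Dir%/etc/apps/TA-manageengine-endpoint-central-add-on/certificates/.
"""
import base64
import hashlib
import re
import socket
import ssl
import tempfile
from pathlib import Path

# One PEM block: BEGIN/END labels must match, body is base64 (possibly wrapped).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def parse_pem_certs(text):
    """Return (sha256-of-DER, re-wrapped PEM) for every CERTIFICATE block.

    Raises ValueError if a private key is present: a key pasted by mistake
    must never end up in a trust bundle.  Other PEM labels are skipped.
    """
    certs = []
    for label, body in PEM_BLOCK.findall(text):
        if "PRIVATE KEY" in label:
            raise ValueError("refusing to add a private key to the CA bundle")
        if label != "CERTIFICATE":
            continue
        b64 = "".join(body.split())
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError as exc:
            raise ValueError("certificate block is not valid base64") from exc
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        pem = f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"
        certs.append((hashlib.sha256(der).hexdigest(), pem))
    return certs


def add_to_bundle(bundle_path, server_crt_text):
    """Append the certificate(s) from one server.crt to the bundle.

    Creates the bundle on first use.  For additional servers it appends but
    skips certificates already present (same DER fingerprint).  Returns the
    fingerprints that were added.
    """
    new = parse_pem_certs(server_crt_text)
    if not new:
        raise ValueError("server.crt contains no CERTIFICATE block")
    present = set()
    if bundle_path.exists():
        present = {fp for fp, _ in parse_pem_certs(bundle_path.read_text())}
    bundle_path.parent.mkdir(parents=True, exist_ok=True)
    added = []
    with bundle_path.open("a", encoding="ascii") as fh:
        for fp, pem in new:
            if fp not in present:
                fh.write(pem)      # goes after the last END CERTIFICATE line
                present.add(fp)
                added.append(fp)
    return added


def verify_with_bundle(bundle_path, host, port=8383):
    """Check that a live Endpoint Central server validates against the bundle.

    Trusts ONLY the bundle (no system CAs) and checks the hostname, as a
    client configured with this file would.  Port 8383 is an assumption; use
    your server's HTTPS port.  Returns the peer's commonName.  Needs network
    access, so demo() does not call it.
    """
    ctx = ssl.create_default_context(cafile=str(bundle_path))
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return subject.get("commonName")


def _placeholder_cert(seed):
    """Constructed PEM-shaped input for the demo; NOT a real X.509 certificate."""
    body = base64.b64encode(seed * 12).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SERVER1_CRT = _placeholder_cert(b"ec-onprem-server-1")   # constructed
SERVER2_CRT = _placeholder_cert(b"ec-onprem-server-2")   # constructed
LEAKED_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQUJDRA==\n-----END RSA PRIVATE KEY-----\n"


def demo():
    """First server, a re-run, a second server, and a mistakenly pasted key."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp, "certificates", "ec.ca-bundle")
        first = add_to_bundle(bundle, SERVER1_CRT)   # creates the bundle
        again = add_to_bundle(bundle, SERVER1_CRT)   # same cert: nothing added
        second = add_to_bundle(bundle, SERVER2_CRT)  # second EC server appended
        try:
            add_to_bundle(bundle, LEAKED_KEY)
            key_rejected = False
        except ValueError:
            key_rejected = True
        return {"first": first, "again": again, "second": second,
                "total": len(parse_pem_certs(bundle.read_text())),
                "key_rejected": key_rejected}


if __name__ == "__main__":
    print(demo())
```

Run verify_with_bundle against each Endpoint Central server after editing the bundle: because the context trusts only ec.ca-bundle and performs hostname checking, the host name you pass (and, by assumption, the one you configure in the add-on's Global Account) must match the name the certificate was issued for, or validation fails even though the certificate is in the bundle.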
Kindly contact support for any queries.