Splunk Reference App - Pluggable Auditing System (PAS) - Code Repo
Python JavaScript PowerShell CSS Makefile Shell Other
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
apps
build_scripts
spikes
.editorconfig
.gitattributes
.gitignore
.gitmodules
Dockerfile
LICENSE
Makefile
README.md
make.ps1
packaging_notes.md

README.md

Splunk Reference App - PAS (Update for Splunk Enterprise 6.3) - Code Repo

Version 1.5.x

Splunk Enterprise is an analytic environment that uses a distributed map-reduce architecture to efficiently index, search, and process very large time-varying data sets.

The Splunk Developer Platform enables developers to take advantage of the same underlying technologies that power the core product to build exciting new apps and solutions that are enabled by capabilities unique to Splunk Enterprise.

The Splunk Reference App - PAS teaches you how to develop apps for Splunk. Here, you can explore the evolution of the reference app along with some additional engineering artifacts, like tests, deployment considerations, and tradeoff discussions.

The accompanying Splunk Developer Guide for Building Apps presents a documentary of how the team went about building this reference app. The guide is currently available as an early preview at http://dev.splunk.com/goto/devguide. We welcome your feedback on both the app and the guide.

What Does This App Do?

The PAS app is intended to enable an organization to monitor various document repositories (current and future). Managers and auditors can use the app to see who has viewed, modified, deleted, or downloaded documents or other artifacts from various sources.

Requirements

Here's what you need to get going with the Splunk Reference App - PAS.

Splunk Enterprise

If you haven't already installed Splunk Enterprise, download it at http://www.splunk.com/download. For more information about installing and running Splunk Enterprise and system requirements, see the Installation Manual.

The main PAS app

Clone this repo. You can put the pas_ref_app folder with its content directly in the $SPLUNK_HOME/etc/apps folder. We recommend you clone it to some other working folder and create a symlink to the pas_ref_app in the $SPLUNK_HOME/etc/apps folder.

Initialize submodules. Several add-ons live in their own repositories, but have been linked into this project using git submodules for your convenience.

  • git submodule init

  • git submodule update

  • Unix/MacOS: ln -s {PATH_TO_REPOSITORY}/pas_ref_app/ $SPLUNK_HOME/etc/apps/pas_ref_app

  • Windows: mklink /D $SPLUNK_HOME\etc\apps\pas_ref_app {PATH_TO_REPOSITORY}\pas_ref_app\

Getting data in

There are several ways for you to feed data into the PAS app.

  • Ingest your own data. Just make sure those sources are tagged with "change" and "audit",
  • Use the eventgen app, if you want a simulated data flow. Get it from http://dev.splunk.com/goto/deveventgen, or
  • Consume the test data set provided in the test repo.

Install dependencies

The reference app relies on data provider add-ons. Three simulated data providers (file add-on, documents app add-on, database add-on) and one real data provider (Google Drive Data Provider add-on) are made available. Install at least one data provider. You'll find the install scripts for Unix/MacOS and Windows in the /bin folder.

For the Google Drive data provider installation and configuration, see specific instructions in the Google Drive Addon README.

For the JIRA custom alert action installation and configuration, see specific instructions in the JIRA Alerts Addon README.

The reference app uses a lookup table which could have been produced by an HR system process. For demonstration purposes, we have encapsulated it in the HR info addon folder.

(Optional) Certain reference app functionality requires an identity provider. We have used a simulated identity provider.

Configure user access

Create a new user that belongs to the pasadmin or pasuser role, and log in as this new user.

Alternatively, add index 'pas' to the default searchable indexes by going to Splunk Settings -> Access controls -> Role -> admin -> Indexes searched by default and adding 'pas' into the list of default search indexes.

Note: if you are using a Splunk Free license, integrated role-based access control is not available.Thus, you will not be able to add new users or roles and should use the alternative method of adding the pas to the list of indexes searched by default.

Configure the app using the Setup page

Specify at least one department that you want to surface on the Summary dashboard.

Usage

For usage see the About page of the app.

Community and Feedback

Questions, comments, suggestions? To provide feedback about this release, to get help with any problems, or to stay connected with other developers building on Splunk please visit the http://answers.splunk.com community site.

File any issues on GitHub.

Community contributions via pull requests are welcomed! Go to the Open Source page for more information.

License

The Splunk Reference App - PAS is licensed under the Apache License 2.0. Details can be found in the LICENSE file.