Splunk and Logstash (ELK) integration for audit logs with v11.7.0

As you continuously discover your IT infrastructure, it is easy for the Device42 audit data to grow rapidly, possibly even to the point where it impacts the performance of your virtual appliance. Moreover, this data doesn’t necessarily contain the context you need to understand the changes fully. Device42’s audit data can be more relevant and provide better context when seen alongside other changes from your network, such as events and triggers from other monitoring, logging or security tools. With that in mind, we have added an option to send all the audit data continuously to external logging systems like Splunk or Logstash. Details below.

Storing audit logs in external systems – Logstash or Splunk


At a high level – you can configure Logging Integration from Reports > Log Integration.
You can choose Splunk or Logstash and add credentials. Device42 will connect with the log server and, upon success, save the integration. It will generate a D42 Audit ID for that instance, and that ID will be the unique key in the logging system that differentiates the Device42 records from other records.

Once the integration is enabled, all the audit data is sent to the external system and deleted from Device42. However, all the data is still visible from the Device42 interface (all features work the same as they do with local audit data). Device42 will retrieve the audit data in real time from the external logging system to display in the UI.

Important – with this integration enabled, audit data is no longer kept in Device42 and is only stored in the external system. This means that you will have to make sure that backups are set up on the external log system.

Below we discuss details on both of these products separately.

Splunk

To be able to send the audit data to Splunk, you have to enable the Splunk HTTP Event Collector (HEC). More details here: http://dev.splunk.com/view/event-collector/SP-CAAAE6M

Once the collector is set up and enabled, you can enable the integration on the Device42 side.
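For reference, this is what enabling HEC with a token dedicated to Device42 looks like in Splunk’s inputs.conf. It is an added example, not part of the release notes or Device42’s documentation; the stanza name, index and sourcetype are assumptions, and the token value is a placeholder (Splunk generates the real one when the token is created).

```conf
# Added example, not Device42's own documentation.
# Global HEC settings: enable the collector on its default port over TLS.
[http]
disabled = 0
port = 8088
enableSSL = 1

# A token used only by the Device42 integration, so its events can be
# scoped to their own index (assumed to exist in indexes.conf).
[http://device42_audit]
disabled = 0
token = 00000000-0000-0000-0000-000000000000   # placeholder; use the generated token
index = device42_audit
sourcetype = device42:audit
```

Giving the integration its own token and index keeps the Device42 audit records separate from other HEC sources, makes the token easy to revoke on its own, and lets you set the index’s retention and backup to match the fact that Device42 no longer keeps a local copy.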

Logstash (ELK)

Logstash integration will work with the input and output as configured below (as of now). We will add more options for different output configurations in the future:

Input:
We require logstash-input-http to be configured to send audit data to logstash.
Here is a blog post explanation: https://www.elastic.co/blog/introducing-logstash-input-http-plugin

Output:
Output should be configured as follows for us to show the audit data in Device42:

output {
    elasticsearch {
        index => "logstash_http-%{+YYYY.MM.dd}"
        hosts => ["localhost"]
    }
}
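Putting the required input and output together, here is a complete Logstash pipeline configuration. It is an added example rather than Device42’s own configuration: the listening port (the logstash-input-http default), the basic-auth username and password, and the comments are assumptions; the output block matches the one required above.

```conf
# Added example pipeline, not from the Device42 release notes.
# Assumed: Logstash listens on 8080 (the logstash-input-http default) and the
# username/password below are the credentials entered in Reports > Log Integration.
input {
  http {
    port     => 8080
    user     => "device42"     # placeholder
    password => "CHANGE-ME"    # placeholder
  }
}

output {
  elasticsearch {
    # The index name must stay as shown so Device42 can read the audit data back.
    index => "logstash_http-%{+YYYY.MM.dd}"
    hosts => ["localhost"]
  }
}
```

Set user and password on the http input: without them, anything that can reach the port can post records into the audit index. And because Device42 deletes its local copy once the integration is on, include this index in your Elasticsearch snapshot schedule.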

Store 32bit vs 64bit with the OS properties of a device


Device operating system now shows 32 bit vs 64 bit architecture (if available) as well.

API changes

  • Added filter for fstype and filesystem for /api/1.0/device/mountpoints
  • Add client service and appcomp_ids to listener_connection_stats API call
  • Add device filters to appcomp API GET call /api/1.0/appcomps/

Bug fixes

  • Fixed a UI issue saving the user assigned to software from the software edit page.
  • If a tag was changed for an object, it was not showing in the audit log. Now fixed.
  • If a device had more than 500 parts, the edit page took a very long time to load and save. Now fixed.

Get started on better correlations with Device42 and event data from other tools

If you haven’t given Device42 a try yet, you can download a free trial from: http://www.device42.com/download/

Existing customers can grab the latest update file from: http://www.device42.com/update/