Forum Discussion

Danielle_Alpero
Jun 12, 2017

APM integration with splunk

Hey, I configured the free version of Splunk and managed to get the \var\log\apm files. I can see the logs, but the built-in dashboard for APM isn't showing data (except one chart). I think it's because we run version 13 and this Splunk template was built for 11.6. Has anyone tried to modify this template, or found another creative solution? I have to make this thing work!

 

  • Hi,

    You can have a look at the iApp Analytics written by Ken Bocchino.

    On my side, I write a custom log in key/value format so that it is natively parsed by Splunk.

    You can write an iCall that periodically dumps (sessiondump --allkeys) all session variables from active sessions and sends them to the HTTP API of Splunk.

    Then you have everything at your disposal to build custom dashboards based on easy-to-write Splunk queries.

    Hope it helps

    Yann

    • CX_280703

      We have set up our APM using HSL to send our logs to our syslog server on policy completion. This works well and allows us to choose the info we send.

      when ACCESS_POLICY_COMPLETED {
        # Open a high-speed-logging handle to the syslog pool; if the pool is unavailable, skip logging rather than fail the session
        if { ![catch {set hsl [HSL::open -proto TCP -pool $static::syslogPool]}] } {
          # One key=value record per completed access policy, fields separated by runs of spaces; <190> is syslog PRI local7.info
          HSL::send $hsl "<190>    id=$static::siemId    action=auth    auth-result=[ACCESS::policy result]    dst-ip=[IP::local_addr]    src-ip=[IP::remote_addr]    user=[ACCESS::session data get session.sso.token.last.username]@[ACCESS::session data get session.sso.token.last.domain]    vip=[virtual name]    use-case=[ACCESS::session data get session.sso.token.last.useCase]    ad-errmsg=[ACCESS::session data get session.ad.last.errmsg]    ad-empid=[ACCESS::session data get session.ad.last.attr.employeeID]    device=$static::location    module=APM    user-agent=[ACCESS::session data get session.user.agent]    auth-method=[ACCESS::session data get session.sso.token.last.method]    sessionID=[ACCESS::session data get session.user.sessionid] \n"
        }
      }
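
      The key/value lines that the iRule above emits are what Splunk (or any SIEM) has to split back into fields, and the one field that trips up naive whitespace-based extraction is user-agent, whose value contains spaces. The following parser is an added example, not code from the thread or from F5; it splits on the runs of two or more spaces the iRule uses as a field separator, keeps the syslog PRI as facility/severity, and then runs a simple detection (repeated failed authentications per source IP) over a few constructed sample lines. The sample lines, the id/device values and the assumption that ACCESS::policy result yields "allow" or "deny" are all constructed for the example.

      ```python
      import re
      from collections import Counter
      from typing import Dict, List, Optional

      # Constructed sample lines in the shape the iRule emits: a syslog PRI, then
      # key=value pairs separated by runs of spaces. The last line is deliberately
      # malformed (no PRI) to show that the parser skips it rather than crash.
      SAMPLE_LINES = [
          "<190>    id=apm-siem-1    action=auth    auth-result=allow    dst-ip=10.0.0.5    "
          "src-ip=192.0.2.10    user=alice@corp    vip=/Common/vs_apm    use-case=vpn    "
          "ad-errmsg=    ad-empid=1001    device=dc1    module=APM    "
          "user-agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64)    auth-method=form    sessionID=0a1b2c3d",
          "<190>    id=apm-siem-1    action=auth    auth-result=deny    dst-ip=10.0.0.5    "
          "src-ip=198.51.100.7    user=bob@corp    vip=/Common/vs_apm    use-case=vpn    "
          "ad-errmsg=Invalid credentials    ad-empid=    device=dc1    module=APM    "
          "user-agent=curl/7.88.1    auth-method=form    sessionID=0a1b2c3e",
          "<190>    id=apm-siem-1    action=auth    auth-result=deny    dst-ip=10.0.0.5    "
          "src-ip=198.51.100.7    user=bob@corp    vip=/Common/vs_apm    use-case=vpn    "
          "ad-errmsg=Invalid credentials    ad-empid=    device=dc1    module=APM    "
          "user-agent=curl/7.88.1    auth-method=form    sessionID=0a1b2c3f",
          "<190>    id=apm-siem-1    action=auth    auth-result=deny    dst-ip=10.0.0.5    "
          "src-ip=198.51.100.7    user=carol@corp    vip=/Common/vs_apm    use-case=vpn    "
          "ad-errmsg=Invalid credentials    ad-empid=    device=dc1    module=APM    "
          "user-agent=curl/7.88.1    auth-method=form    sessionID=0a1b2c40",
          "garbage line without a syslog PRI",
      ]

      PRI_RE = re.compile(r"^<(\d{1,3})>\s*(.*)$")
      # The iRule separates fields with runs of spaces, so a single space inside a
      # value (user-agent, ad-errmsg) does not split the value.
      FIELD_SPLIT = re.compile(r" {2,}")


      def parse_apm_line(line: str) -> Optional[Dict[str, str]]:
          """Parse one HSL record into a dict; return None if it has no syslog PRI."""
          m = PRI_RE.match(line.strip())
          if not m:
              return None
          pri = int(m.group(1))
          # RFC 3164 PRI encoding: facility * 8 + severity (190 -> local7.info)
          fields: Dict[str, str] = {"facility": str(pri // 8), "severity": str(pri % 8)}
          for token in FIELD_SPLIT.split(m.group(2).strip()):
              if "=" not in token:
                  continue  # not a key=value pair; ignore stray text
              key, value = token.split("=", 1)  # split at the first '=' only
              fields[key] = value  # empty values (ad-errmsg=) are kept as ''
          return fields


      def parse_lines(lines: List[str]) -> List[Dict[str, str]]:
          """Parse every line, dropping the ones that are not valid records."""
          parsed = (parse_apm_line(line) for line in lines)
          return [rec for rec in parsed if rec is not None]


      def failed_auths_by_source(records: List[Dict[str, str]], threshold: int = 3) -> Dict[str, int]:
          """Count policy results other than 'allow' per src-ip and report sources at or above threshold.

          Assumption: ACCESS::policy result is logged as 'allow' for success and
          something else ('deny', ...) otherwise.
          """
          failures = Counter(
              rec.get("src-ip", "unknown")
              for rec in records
              if rec.get("action") == "auth" and rec.get("auth-result") != "allow"
          )
          return {ip: n for ip, n in failures.items() if n >= threshold}


      if __name__ == "__main__":
          recs = parse_lines(SAMPLE_LINES)
          for rec in recs:
              print(rec["src-ip"], rec["user"], rec["auth-result"], repr(rec["user-agent"]))
          print("sources with repeated auth failures:", failed_auths_by_source(recs, threshold=3))
      ```

      If the records go to Splunk rather than a script, the same caveat applies: Splunk's automatic key=value extraction splits on single spaces, so a value such as the user-agent string either needs the multi-space separator handled by a custom field extraction, or the iRule should quote values that can contain spaces.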