
Installing Tripwire Enterprise Add-On

Can anyone give fairly detailed instructions on how to install the Tripwire Enterprise Add-On? Our Splunk configuration is 5 servers: a search head server, 2 indexers, a heavy forwarder, and a deployment server. We have a single instance of Tripwire Enterprise and a specific user created, currently with admin privileges to the console until I can get this working.

I installed the add-on as directed by the TE installation instructions on my search head. I went through the setup screen, although I did not choose to use the API. Is it necessary to do that? It didn't seem like it was during setup. I copied the TA folder to my heavy forwarder and created the input locations as designated. I copied the SA folder to my indexers and also copied the two indexes from the app into my indexes.conf on my deployment server to be distributed to all my Splunk boxes so they all know about the indexes for TE.

I can do a tcpdump on my heavy forwarder and see logs coming from my TE console server, although not on port 514 as I would expect. I cannot see anything for my TE server going from my heavy forwarder to my indexers, nor do I see anything when searching in the te index on my search head.

I'm fairly new to Splunk and just starting to get a handle on how to configure things. This is my first attempt at configuring an app that wasn't configured by PS, so I'm sure I have something set up incorrectly, but I'm hoping that someone will be able to give a little better detail on how this needs to be configured, as the TE installation document seems to be lacking a bit in detail. Thanks.
