Intermapper works with Splunk by sending syslog entries in a specific format when an Intermapper device changes state. An add-on application in Splunk allows you to analyze and view various events through an Intermapper-specific dashboard.
Use the information below to connect Intermapper to Splunk.
To use Splunk with Intermapper, you need:
- A local or remote installation of Splunk Enterprise.
- The Intermapper web server must be running.
- The Splunk machine must have access to the Intermapper server.
- A syslog notifier that sends information to Splunk must be attached to all devices you want to track with Splunk.
In order to use Splunk and Intermapper together, you need to do the following:
- Prepare Intermapper. This includes enabling the Web server, adding a syslog notifier for Splunk, and setting the syslog message for compatibility with Splunk.
- Set up Intermapper to send syslog notifications to Splunk.
- Install the Intermapper App for Splunk.
Preparing Intermapper for use with Splunk
Before you can use Splunk with Intermapper, you have to set up Intermapper to allow Splunk to access it. The steps are as follows:
Step 1: Enable the Web server
Before you can use Splunk, you need to enable the Intermapper web server.
To enable the web server:
- From the Edit menu, choose Server Settings... The Server Settings window appears.
- In the left pane of the Server Settings window, click Web Server. The Web Server configuration panel appears.
- In the Web Server configuration panel, click Start.
Note: You can choose to run the web server on a different port, but will need to enter that port in the Splunk application when you set it up.
- Add an access control list entry to allow web server access by the Splunk host machine. Access is based on IP address.
- Add one or more access control list entries to allow web server access by any users of the Splunk application. Access is based on IP address or address range.
Step 2: Add a Splunk user
You need to add a user account to Intermapper that Splunk can use to log in to the Intermapper server.
To add a user:
- In the left pane of the Server Settings window, click Users. The Users panel appears.
- Click the + button and choose Add User... The User Information dialog appears.
- In the Name box, enter a user name for the Splunk Server.
- In the Automatic Login text box, enter the IP address of the Splunk server.
- Click OK. The Splunk Server user appears in the user list.
- Drag the Splunk Server user to the Administrators group. The Splunk Server user requires elevated privileges to export details about Intermapper maps.
Step 3: Add a syslog notifier for Splunk
Splunk acts as a syslog server. You need to create a syslog notifier that Intermapper can use to send syslog entries to Splunk.
To create a syslog notifier:
- From the Server Settings window, click Notifier List. The list of existing notifiers appears.
- Click the + button. The Configure Notifier window appears.
- Give the notifier a name, such as "SplunkLog".
- From the Notifier Type dropdown menu, choose Syslog.
- Enter the Splunk server's IP address in the Send syslog message to box.
- Click Edit Message, then edit the syslog message as follows:
Note: The message above must be on one line.
This format allows Splunk to extract syslog data and make it available in Splunk.
Step 4: Attach the notifier to all devices
Once you have created the Splunk notifier, you need to attach it to all devices in Intermapper.
To attach a notifier to all devices:
- From Intermapper's Window menu, choose Device List. The Device List window appears, showing a list of devices.
- Click the Notifier View button near the left end of the window's toolbar. A set of checkboxes appears for each device.
- From the dropdown menu just to the right of the View selection buttons, choose the Splunk syslog notifier you just created.
- For each state you want to record in Splunk, hold Alt and click a check box in the column for that state. All check boxes are selected.
- Recommended settings for Delay, Repeat time, and Count:
Delay = none
Repeat time = 5 minutes
Count = infinite
Hold Alt, click the dropdown menu for each column, then release the Alt key and choose the value from the dropdown menu. It is set for each device in the list.
- Set your Splunk notifier to be attached to new devices by default from the Default Notifiers panel of the Map Settings window.
- To send data to Splunk for only a single map, you can view devices in the map's Notifier View and attach only the devices in that map to the Splunk notifier.
Step 5: To send Layer 2 information
To send Layer 2 information to Splunk you must do the following:
- Set up Intermapper to collect Layer 2 information. See the Intermapper User Guide for more information.
- Add a device to any Intermapper map, and apply the Splunk Layer 2 CSV Output probe to it. If you are using Intermapper version 5.6.7 or newer, the probe is included with the built-in probes. Otherwise, use the information below to locate and upload the probe.
Note: One and only one device using this probe should exist on an Intermapper server. Running multiple instances of this probe uses Intermapper server resources unneccessarily, with no benefit to the Intermapper App for Splunk.
The probe is located in the Splunk install directory (%SPUNK_HOME%) at:
Probe file name: com.dartware.layer2
The probe sends switch port data in CSV format to Splunk; the data is then interpreted and indexed in Splunk.
Step 6: Get Notifications Into Splunk
Assuming a clear network route between Intermapper and Splunk, and that you are running Splunk as root, indexing of syslog data by Splunk begins nearly immediately.
To verify that Splunk is receiving Intermapper data:
- Do a search in Splunk on sourcetype=intermapper.
Step 7: Installing the Intermapper App for Splunk
The Intermapper App for Splunk automatically configures Splunk to receive and interpret syslog data from Intermapper.
In order for Splunk to present collected data in an Intermapper-specific way, you need to install the Intermapper App for Splunk.
To install the Intermapper App for Splunk:
- From Splunk's Apps menu (in the Web UI), choose Find More Apps... The Browse More Apps page appears.
- Enter "Intermapper" in the search box, and click the Search button or press Enter. The Intermapper App for Splunk appears.
- Click the Read More link. The description page for the Intermapper App for Splunk appears.
- Click Download, log into your Splunk account, and save the file in a location accessible to your browser.
- From the Web UI or your Splunk installation, choose Manage Apps... from the Apps menu. The Apps Manager page appears, showing all currently installed Splunk Apps.
- Click Install App from File. The Upload an App page appears.
- In the File box, click Browse, and navigate to the App file you downloaded._
- If you have installed a previous version, click to select Upgrade App.
- Click Upload. The app is installed. You will be asked to restart your Splunk server.
- Click OK_to restart your Splunk server.
- From the Apps menu, choose Intermapper. A configuration notice appears.
- Follow the links to the Configuration page.
- Enter the IP address and port of the Intermapper web server in the form "[address]:[port]", and the name of a default map, and click Save.
- After a few moments, the Intermapper page appears with the default map.