FlowTraq for Splunk is the bridge between Splunk’s powerful event correlation and FlowTraq’s full-fidelity flow-based traffic analysis. This page will step you through the process of going from zero to sixty: Getting up and running with a very effective network security software combo.
The FlowTraq for Splunk App allows Splunk users to perform FlowTraq flow searches within Splunk, to correlate Splunk events and flow data side-by-side, and to launch pre-populated FlowTraq queries — all in just a few clicks, accessible from anywhere in Splunk. This represents drill-down capability at a remarkable scale, all the way from high-level security events from Intrusion Detection Systems (IDS) down through historical graphs, top-N summaries, and raw flow data.
Although the FlowTraq for Splunk App has special features to support the investigation of FlowTraq Network Behavioral Intelligence (NBI) events, it can also be used to investigate and examine the network traffic context of any Splunk event. All logs and traffic records relating to any IP address can quickly be viewed and correlated together.
FlowTraq for Splunk is platform-independent — anywhere Splunk runs, FlowTraq for Splunk runs! It accomplishes this through use of the FlowTraq Web API, so that all your network data resides in FlowTraq and is only accessed via external HTTP or HTTPS requests when you need it. That means full-forensic network session access without needing to import millions of session records into Splunk, making it much easier to optimize your data collection.
If you are not yet running FlowTraq, or wish to use a dedicated FlowTraq server for this task: the easiest, and recommended, procedure for installing FlowTraq is to deploy the virtual appliance (vApp).
If you already have FlowTraq running on your network, but are not using the Web interface, the vApp can be deployed and run in pass-through mode. This mode hosts a fully-configured Web interface, plus FlowTraq Network Behavioral Intelligence (NBI), with minimum hassle: load it, provide the IP address of your FlowTraq server, and connect via HTTP or HTTPS. No additional licenses are required.
If you are already running FlowTraq and FlowTraq Web, ensure that you have upgraded at least to Q1/14.
In all cases, we recommend creating a non-admin user named ‘splunk’ for use by the FlowTraq for Splunk App. This allows you to add data access controls and configure view settings for use with Splunk, for example to show only data from border routers or specific sites.
Alternately, you can opt for FlowTraq Cloud. Sign up, configure your flow export, and make a note of your credentials — you will need them to setup FlowTraq for Splunk later.
Next: download and deploy Splunk. You will need admin permissions in Splunk to install the FlowTraq for Splunk App; to upload the App and to restart Splunk to finish the configuration.
Users with enterprise FlowTraq deployments have access to FlowTraq NBI, which can export alerts to your Splunk install via syslog messages.
Before proceeding, you will need the following information:
a. Download the FlowTraq for Splunk installation package (an SPL file).
b. Log into Splunk with admin privileges, and select “Manage Apps” under the Apps menu.
c. On the Apps page, select “Install app from file”. On the installation page, choose the FlowTraqForSplunk.spl file downloaded in step a.
d. Enter the configuration information requested, which you collected above. Test the URL for the Web GUI root before selecting ‘Save’.
e. Restart Splunk.
The FlowTraq for Splunk App should now be installed to your dashboard, and its workflow actions will be accessible in other Apps including the main Search.
FlowTraq for Splunk does not import flow data into Splunk, but instead retrieves information on demand from your FlowTraq server via HTTP or HTTPS. This allows you to make use of the strengths of both products without duplicating your data stores or encumbering your Splunk install with millions of flow records, while still retaining full-fidelity access to your network session history.
Users of FlowTraq NBI can configure those tools to export syslog to Splunk; these events will be treated like any other in terms of data retention and full access by Splunk’s event analysis tools. FlowTraq for Splunk offers additional search and drill-down capabilities for these events via workflow actions. Select a FlowTraq NBI alert in your Splunk Search App, expand the alert view to see the “Event Actions” menu, and see multiple options to investigate various aspects of that alert in the FlowTraq for Splunk dashboard. From there, if further investigation or drill-down is warranted, your full FlowTraq interface is just a click away.
Note FlowTraq for Splunk 0.6 (or later) is required for versions of Splunk released after 6.1. After upgrading the FlowTraq for Splunk app, users seeing a jQuery error popup should clear their browser caches and reload.
For support, feedback, or any other assistance, please contact us.