Using InterMapper With Splunk

InterMapper works with Splunk by sending syslog entries in a specific format when an InterMapper device changes state. An add-on application in Splunk allows you to analyze and view various events through an InterMapper-specific dashboard.

Use the information below to connect InterMapper to Splunk.

System Requirements

To use Splunk with InterMapper, you need:

Installation Overview

In order to use Splunk and InterMapper together, you need to do the following:

  1. Prepare InterMapper. This includes enabling the Web server, adding a user account for Splunk, adding a syslog notifier for Splunk, and setting the syslog message format for compatibility with Splunk.
  2. Attach the notifier to your devices so that InterMapper sends syslog notifications to Splunk.
  3. Install the InterMapper App for Splunk.

Preparing InterMapper for use with Splunk

Before you can use Splunk with InterMapper, you have to set up InterMapper to allow Splunk to access it. The steps are as follows:

Step 1: Enable the Web server

Before you can use Splunk, you need to enable the InterMapper web server.

To enable the web server:

  1. From the Edit menu, choose Server Settings... The Server Settings window appears.
  2. In the left pane of the Server Settings window, click Web Server. The Web Server configuration panel appears.
  3. In the Web Server configuration panel, click Start.
    Note: You can choose to run the web server on a different port, but will need to enter that port in the Splunk application when you set it up.
  4. Add an access control list entry to allow web server access by the Splunk host machine. Access is based on IP address.
  5. Add one or more access control list entries to allow web server access by any users of the Splunk application. Access is based on IP address or address range.

Step 2: Add a Splunk user

You need to add a user account to InterMapper that Splunk can use to log in to the InterMapper server.

To add a user:

  1. In the left pane of the Server Settings window, click Users. The Users panel appears.
  2. Click the + button and choose Add User... The User Information dialog appears.
  3. In the Name box, enter a user name for the Splunk Server.
  4. In the Automatic Login text box, enter the IP address of the Splunk server. Connections from this address are logged in as this user automatically, so enter the single address of the Splunk host rather than an address range.
  5. Click OK. The Splunk Server user appears in the user list.
  6. Drag the Splunk Server user to the Administrators group. The Splunk Server user requires elevated privileges to export details about InterMapper maps, so keep the Automatic Login address as narrow as possible.

Step 3: Add a syslog notifier for Splunk

Splunk acts as a syslog server. You need to create a syslog notifier that InterMapper can use to send syslog entries to Splunk.

To create a syslog notifier:

  1. From the Server Settings window, click Notifier List. The list of existing notifiers appears.
  2. Click the + button. The Configure Notifier window appears.
  3. Give the notifier a name, such as "SplunkLog".
  4. From the Notifier Type dropdown menu, choose Syslog.
  5. Enter the Splunk server's IP address in the Send syslog message to box.
  6. Click Edit Message, then edit the syslog message as follows:
timestamp="<Timestamp>"  map_name="<Document Name>"  notification_level="<Event>"  device_host="<Device Name>"  device_ip="<Device Address>"  probe_type="<Probe Type>"  probe_message="<Device Condition>"

Note: The message above must be on one line.

This format allows Splunk to extract syslog data and make it available in Splunk.
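The message template above is a flat sequence of `key="value"` pairs, which is what lets Splunk pull the fields out of each event. As an added example (not InterMapper's or Splunk's own code), the Python below does the same extraction on the receiving side: it renders the template for an event, parses lines back into fields, rejects lines that are not InterMapper events, and tallies events by notification level the way a dashboard would. All sample lines, host names and addresses are constructed; the syslog header prefix in front of each line is an assumption about how a syslog daemon would store the message and is not specified on this page.

```python
"""Parse the key="value" syslog lines InterMapper sends to Splunk.

Added example, not InterMapper or Splunk code. Sample data is constructed.
"""
import re
from typing import Dict, List, Optional

# Fields in the order the page's syslog message template lists them.
FIELDS = (
    "timestamp", "map_name", "notification_level", "device_host",
    "device_ip", "probe_type", "probe_message",
)

# The template on the page, with InterMapper's placeholders in angle brackets.
TEMPLATE = (
    'timestamp="<Timestamp>"  map_name="<Document Name>"  '
    'notification_level="<Event>"  device_host="<Device Name>"  '
    'device_ip="<Device Address>"  probe_type="<Probe Type>"  '
    'probe_message="<Device Condition>"'
)

# One key="value" pair. A value runs to the next double quote: the template
# defines no escaping, so a quote inside a value truncates it (see QUOTE_LINE).
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines: two InterMapper events as a syslog daemon might
# store them (assumed "<PRI>date host " prefix), plus one unrelated line.
SAMPLE_LINES = [
    '<14>Mar  3 10:15:07 intermapper timestamp="03/03 10:15:07"  '
    'map_name="Core Network"  notification_level="Down"  '
    'device_host="core-sw1.example.net"  device_ip="10.0.0.1"  '
    'probe_type="SNMP Traffic"  probe_message="No response from device"',
    '<14>Mar  3 10:20:00 intermapper timestamp="03/03 10:20:00"  '
    'map_name="Core Network"  notification_level="Up"  '
    'device_host="core-sw1.example.net"  device_ip="10.0.0.1"  '
    'probe_type="SNMP Traffic"  probe_message="OK"',
    '<86>Mar  3 10:16:00 intermapper sshd[1234]: Accepted publickey '
    'for splunk from 10.0.0.50',
]

# Constructed line whose probe_message contains unescaped double quotes.
QUOTE_LINE = (
    'timestamp="03/03 10:30:00"  map_name="Core Network"  '
    'notification_level="Warning"  device_host="core-sw1.example.net"  '
    'device_ip="10.0.0.1"  probe_type="SNMP Traffic"  '
    'probe_message="Port 3 "GigabitEthernet" down"'
)


def format_message(event: Dict[str, str]) -> str:
    """Render the template for an event keyed by placeholder name
    (Timestamp, Document Name, Event, ...), as InterMapper's message
    editor substitutes them. Values are inserted verbatim: no escaping."""
    out = TEMPLATE
    for key, value in event.items():
        out = out.replace(f"<{key}>", value)
    return out


def parse_message(line: str) -> Optional[Dict[str, str]]:
    """Extract the template's fields from one syslog line.

    Returns None when any expected field is missing, so a line from another
    syslog source (or a truncated line) is not indexed with half its fields.
    Extra pairs that are not part of the template are dropped."""
    pairs = dict(PAIR_RE.findall(line))
    if any(field not in pairs for field in FIELDS):
        return None
    return {field: pairs[field] for field in FIELDS}


def count_by_level(lines: List[str]) -> Dict[str, int]:
    """Tally InterMapper events by notification_level, skipping non-events."""
    counts: Dict[str, int] = {}
    for line in lines:
        parsed = parse_message(line)
        if parsed is None:
            continue
        level = parsed["notification_level"]
        counts[level] = counts.get(level, 0) + 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_message(sample))
    print(count_by_level(SAMPLE_LINES))
    # The quote inside probe_message cuts the value short: 'Port 3 '
    print(parse_message(QUOTE_LINE)["probe_message"])
```

The `QUOTE_LINE` case is the caveat to keep in mind when reading the dashboard: a `<Device Condition>` that itself contains a double quote produces a truncated `probe_message`, because the template has no escaping. The rest of the fields on such a line still parse, so the event is not lost, only its message text.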

Step 4: Attach the notifier to all devices

Once you have created the Splunk notifier, you need to attach it to all devices in InterMapper.

To attach a notifier to all devices:

  1. From InterMapper's Window menu, choose Device List. The Device List window appears, showing a list of devices.
  2. Click the Notifier View button near the left end of the window's toolbar. A set of checkboxes appears for each device.
  3. From the dropdown menu just to the right of the View selection buttons, choose the Splunk syslog notifier you just created.
  4. For each state you want to record in Splunk, hold Alt and click a check box in the column for that state. All check boxes in that column are selected.
  5. Recommended settings for Delay, Repeat time, and Count:

    Delay = none
    Repeat time = 5 minutes
    Count = infinite

    Hold Alt, click the dropdown menu for a column, then release the Alt key and choose the value from the dropdown menu. The value is applied to every device in the list.

Notes:

Step 5: To send Layer 2 information

To send Layer 2 information to Splunk you must do the following:

The probe is located in the Splunk install directory (%SPLUNK_HOME%) at:

%SPLUNK_HOME%\etc\apps\InterMapper\default

Probe file name: com.dartware.layer2

The probe sends switch port data in CSV format to Splunk; the data is then interpreted and indexed in Splunk.

Step 6: Get Notifications Into Splunk

Assuming a clear network route between InterMapper and Splunk, and that Splunk is listening on the syslog port, indexing of syslog data by Splunk begins almost immediately. Running Splunk as root is needed only so that it can bind the privileged syslog port (514); if Splunk runs as an unprivileged user, it must receive the messages on a port above 1024 or through the host's own syslog daemon.

To verify that Splunk is receiving InterMapper data:

Step 7: Installing the InterMapper App for Splunk

The InterMapper App for Splunk automatically configures Splunk to receive and interpret syslog data from InterMapper.

In order for Splunk to present collected data in an InterMapper-specific way, you need to install the InterMapper App for Splunk.

To install the InterMapper App for Splunk:

  1. From Splunk's Apps menu (in the Web UI), choose Find More Apps... The Browse More Apps page appears.
  2. Enter "InterMapper" in the search box, and click the Search button or press Enter. The InterMapper App for Splunk appears.
  3. Click the Read More link. The description page for the InterMapper App for Splunk appears.
  4. Click Download, log into your Splunk account, and save the file in a location accessible to your browser.
  5. From the Web UI of your Splunk installation, choose Manage Apps... from the Apps menu. The Apps Manager page appears, showing all currently installed Splunk Apps.
  6. Click Install App from File. The Upload an App page appears.
  7. In the File box, click Browse, and navigate to the App file you downloaded.
  8. If you have installed a previous version, click to select Upgrade App.
  9. Click Upload. The app is installed. You will be asked to restart your Splunk server.
  10. Click OK to restart your Splunk server.
  11. From the Apps menu, choose InterMapper. A configuration notice appears.
  12. Follow the links to the Configuration page.
  13. Enter the IP address and port of the InterMapper web server in the form "[address]:[port]", and the name of a default map, and click Save.
  14. After a few moments, the InterMapper page appears with the default map.