Polarity Source Analytics with Splunk
Updated on 24 Dec 2024
The following guide walks through how to collect Polarity Source Analytics logs from your Polarity Server using Splunk.
Enable Source Analytics
Before setting up collection of your Polarity Source Analytics (PSA) logs, make sure that PSA logging is enabled on the server:
Configure Docker Logging for Splunk
Docker supports sending container logs to Splunk via the Docker Splunk logging driver. To configure the driver, you will need to edit the /app/docker-compose.yml file.
The following logging section should be added under services -> app (indentation matters in YAML):
logging:
  driver: "splunk"
  options:
    splunk-url: "https://<SPLUNK_INSTANCE>:8088"
    splunk-insecureskipverify: "false"
    splunk-token: "<SPLUNK_HTTP_EVENT_COLLECTOR_TOKEN>"
    splunk-source: "polarity"
    splunk-index: "polarity"
    splunk-format: "raw"
    tag: ""
Logging Driver Options
- splunk-url: URL of your Splunk Enterprise, self-service Splunk Cloud instance, or Splunk Cloud managed cluster, including the scheme and port used by the HTTP Event Collector, in one of the following formats: https://your_splunk_instance:8088, https://input-prd-p-XXXXXXX.cloud.splunk.com:8088, or https://http-inputs-XXXXXXXX.splunkcloud.com.
- splunk-insecureskipverify: If you are running a self-hosted Splunk instance with a self-signed certificate, you may need to set this to "true" so that Docker ignores the certificate error. Otherwise leave it at "false", so that the TLS connection carrying your telemetry is still verified; where Splunk uses a private CA, the driver's splunk-cafile option lets you trust that CA instead of disabling verification.
- splunk-token: Splunk HTTP Event Collector token used to authenticate to your Splunk instance.
- splunk-source: Optional event source. This can be set to polarity, but other values can be used to fit your organization's conventions.
- splunk-index: The event index to send telemetry data to. This should be set to polarity or another index dedicated to Polarity telemetry and logging data.
- splunk-format: The message format for logs sent to Splunk. This option must be set to raw. The raw format ensures that Docker forwards the logs exactly as the server produces them. If you use the json format, each log is wrapped in JSON a second time and the actual telemetry data becomes an escaped JSON string.
- tag: Set the tag to an empty string (""). Without this setting, Docker prepends its default tag, the container id, to each line, and the resulting log is no longer valid JSON.
Restart Server
After making changes to the .env and docker-compose.yml files, you will need to restart the Docker containers that run the server using the following command:
cd /app && ./down.sh && ./up.sh
Polarity Server v5 telemetry logs no longer include the property message="Integration Lookup". If you were using this property to separate telemetry logs from other logs, we recommend switching your filter to msgType="integration-lookup".
The msgType field is also set on v4 telemetry logs, so filtering on it identifies all telemetry logs from both v4 and v5 servers.
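The following added example (not part of the Polarity documentation) models why the splunk-format and tag options above matter and shows the msgType-based filter that works for both v4 and v5 telemetry; the sample log lines are constructed, and the way the Docker driver concatenates the tag or wraps the line is a simplified assumption, not a transcription of the driver's code.

```python
import json

# Constructed sample lines as the server might write them to stdout. Only the
# msgType and message fields mirror the guide; the other fields are made up.
V4_TELEMETRY = '{"msgType":"integration-lookup","message":"Integration Lookup","integration":"demo"}'
V5_TELEMETRY = '{"msgType":"integration-lookup","integration":"demo","user":"analyst"}'
OTHER_LOG = '{"level":"info","message":"Server started"}'


def as_docker_would_send(line, fmt="raw", tag=""):
    """Simplified model (assumption) of what the Docker splunk driver hands to
    HEC for one line: 'raw' prepends the tag when one is set, any other format
    wraps the original line as a string inside an outer JSON object."""
    if fmt == "raw":
        return f"{tag} {line}" if tag else line
    return json.dumps({"line": line, "tag": tag})


def extract_msgtype(event):
    """Return msgType only if the event still parses as the original telemetry JSON."""
    try:
        obj = json.loads(event)
    except json.JSONDecodeError:
        return None  # e.g. a container id was prepended
    return obj.get("msgType") if isinstance(obj, dict) else None


def is_telemetry(event):
    """Filter that matches v4 and v5 telemetry alike: key on msgType, not message."""
    return extract_msgtype(event) == "integration-lookup"


def check_driver_options(options):
    """Return the list of problems in a logging.options mapping, per the guide."""
    problems = []
    if options.get("splunk-format") != "raw":
        problems.append("splunk-format must be 'raw' (otherwise telemetry is double-wrapped)")
    if options.get("tag") != "":
        problems.append("tag must be '' (otherwise the container id breaks the JSON)")
    if options.get("splunk-insecureskipverify") != "false":
        problems.append("splunk-insecureskipverify should stay 'false'")
    if not options.get("splunk-token"):
        problems.append("splunk-token is missing")
    return problems


if __name__ == "__main__":
    for evt in (as_docker_would_send(V4_TELEMETRY), as_docker_would_send(V5_TELEMETRY),
                as_docker_would_send(OTHER_LOG), as_docker_would_send(V5_TELEMETRY, tag="3f1a9c0b2d4e"),
                as_docker_would_send(V5_TELEMETRY, fmt="json")):
        print(is_telemetry(evt), evt)
```

Run the check over the options mapping loaded from your docker-compose.yml (for example with yaml.safe_load) before restarting the server.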