Remote Logging Service (Splunk use in CoE)

Introduction

Certain categories of sensitive University data are required to be logged to a remote central logging service.  Departments and units with this requirement can use the central logging service operated by ITS Information Assurance (IA), Splunk.  A Splunk forwarder has to be installed on each system to be logged.  Splunk is a paid-for and limited resource, so IA has asked that only systems that meet specific sensitive-data requirements use it.

The requirements are:

  • Systems must be owned by the University
  • Systems must have a Moderate or High security classification, or another specific need for Splunk
  • Systems must be registered with IA for Splunk use (i.e. the systems need to be added to the Splunk deployment so that they receive the correct configuration from Splunk)

Use the procedure below that matches the type of system you are using:

For Those Systems Running the Engineering Base Desktop (EBD)

If you wish to deploy the Splunk forwarder, you should first contact [email protected] for the required Security Unit Liaison (SUL) approval.  Please include the following information for each host to receive Splunk:

  • Hostname
  • Department
  • Why this system needs Splunk
  • Whether this system is running the EBD

You will be informed whether your request has been approved.  Once it is approved, CAEN will install the software remotely; however, you will have to reboot the system(s) in question to complete the installation.

For Those Systems Not Running the Engineering Base Desktop (EBD)

If you wish to deploy the Splunk forwarder, you should first contact [email protected] for the required Security Unit Liaison (SUL) approval.  Please include the following information for each host to receive Splunk:

  • Hostname
  • Department
  • Why this system needs Splunk

You will be informed whether your request has been approved.  Once it is approved, you will be given instructions for deploying the Splunk forwarder yourself.

Additional Information and References

CoE Index Names Currently Registered with ITS:

All CoE indexes share the engin_ prefix, so a search over every CoE index can use index=engin_*.  The registered indexes are:

  • engin_eecs
  • engin_ioe
  • engin_caen
  • engin_me (no longer used; the data it holds is historical)

Splunk agent installation information on the IA site (requires permissions to view)

GitHub site with Sysmon information, including configuration files (olaf).