The OTbase TA for Splunk supports two different types of modular inputs: One for general asset data, another for vulnerability (CVE) data.
Set up an account in OTbase Inventory
As a first step, you should set up a dedicated account for Splunk in OTbase Asset Center. Assuming that you want to transfer all asset data to Splunk (rather than just a subset, e.g. for a specific site), the respective user group should have read-only permission to the general asset inventory, but no other permissions.
Next, create a new user account and make the account a member of "REST global read-only" (or any other user group name that you want to use for this purpose). For the username, select a name that you will later use for authentication on the Splunk side. In our example we used "splunk". Set a password for the account and click on "Save".
If you want to test the account, open the link "hostname/ot-base/api/v1/devices" in your browser, where "hostname" is substituted with the hostname or IP address of the host where OTbase Asset Center is running. The browser should then prompt you to input user ID and password in a pop-up dialog. After having provided the correct credentials you should see asset data for the first hundred devices in JSON notation.
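The same check can be scripted from the Splunk host, which is handy for confirming the read-only account and the TLS path before the TA is configured. This is an added example, not part of the OTbase documentation; it assumes the endpoint returns a JSON array of device objects, and the hostname and credentials are placeholders.

```python
"""Sanity-check the OTbase REST account before wiring it into the Splunk TA.

Mirrors the browser test above: GET /ot-base/api/v1/devices with HTTP basic
auth and confirm that a JSON list of devices comes back.
"""
import base64
import json
import urllib.error
import urllib.request

DEVICES_PATH = "/ot-base/api/v1/devices"  # endpoint named in the text


def build_request(hostname, username, password, protocol="https"):
    """Build the GET request the browser sends after the credential prompt."""
    if protocol not in ("https", "http"):
        raise ValueError("protocol must be https or http")
    url = f"{protocol}://{hostname}{DEVICES_PATH}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        url,
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )


def parse_devices(body):
    """Parse the body; assumes (not confirmed by the docs) a JSON array of devices."""
    data = json.loads(body)
    if not isinstance(data, list):
        raise ValueError(f"expected a JSON array of devices, got {type(data).__name__}")
    return data


def check_account(hostname, username, password, protocol="https", timeout=10):
    """Return (http_status, device_count); 401/403 means account or group is wrong."""
    req = build_request(hostname, username, password, protocol)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, len(parse_devices(resp.read()))
    except urllib.error.HTTPError as err:
        return err.code, 0


# Constructed sample body in the assumed format, used for offline testing.
SAMPLE_BODY = b'[{"id": 1, "name": "PLC-01"}, {"id": 2, "name": "HMI-07"}]'

if __name__ == "__main__":
    import sys
    host, user, pw = sys.argv[1:4]  # e.g. otbase.example splunk <password>
    status, count = check_account(host, user, pw)
    print(f"HTTP {status}, {count} devices returned")
```

A status of 200 with a non-empty list confirms the account and group are set up; 401 or 403 points at the credentials or the group permissions.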
Enter account credentials for the OTbase TA
In Splunk, select the OTbase app and click on "Configuration" in the main menu. Select the "Account" tab and click "Add". In the following pop-up dialog, enter the credentials for the OTbase account. Note that you cannot use the "-" character in account names, so we used an underscore in the following example. However, any account name is fine at this point.
Click on "Add" to save the information.
Configuring the assets modular input
Next, click on "Inputs" in the OTbase TA main menu and click "Create New Input". From the two choices that are presented, select "Assets". The following dialog will pop up:
The various fields have the following functions:
Name
A name for the modular input. Pretty irrelevant. Choose whatever name you like, such as "Assets".
Interval
The time interval between REST queries to OTbase Inventory in seconds. For daily queries, use the value 86400.
Index
The index where the data shall be written to.
Global Account
Pick the account that you added in the preceding section.
Hostname
The host name or IP address of the host where OTbase Inventory is running.
Protocol
The protocol used to access OTbase Inventory -- either HTTPS or HTTP.
Location ID
You can limit the assets that are pulled from OTbase Inventory to a subset by specifying a location ID. In this case, only assets from that location and its sub-locations will be pulled. This is sometimes advantageous for test purposes when you don't want to pull the full data set with let's say hundreds of thousands of assets. If it's for testing, don't forget to delete any events before going to production use.
Force Start Time
This switch is only used for special situations where you deleted all your asset events and want to re-populate the database. The "Force Start Time" switch then tells the OTbase TA that it shall ignore the internal timestamp of last pull that it maintains. Data is then pulled starting from the date that is specified in the next field. Important: Reset this field after your import run is complete.
Start Time
A date that shall be used as the starting time from which assets shall be pulled. For example, if you specify "2020-06-01", assets in OTbase Inventory that have not been modified since June 1, 2020 will not be exported. The "Start Time" field is usually only used in conjunction with the "Force Start Time" field.
Configuring the vulnerabilities modular input
In the OTbase TA main menu, click "Create New Input". From the two choices that are presented, select "Vulnerabilities". The following dialog will pop up:
The various fields have the following functions:
Name
A name for the modular input. Pretty irrelevant. Choose whatever name you like, such as "Assets".
Interval
The time interval between REST queries to OTbase Inventory in seconds. For daily queries, use the value 86400. Unlike the assets modular input, the vulnerabilities input creates events every time that it executes, so you will end up with a lot of events.
Index
The index where the data shall be written to.
Global Account
Pick the account that you added earlier.
Hostname
The host name or IP address of the host where OTbase Inventory is running.
Protocol
The protocol used to access OTbase Inventory -- either HTTPS or HTTP.
Testing your inputs
After you have configured everything correctly and have enabled your inputs, you will see events coming in. The easiest way to check if everything is in order is to use the Devices and Vulnerabilities dashboards that are part of the OTbase App; you can select them in the main menu.