diff --git a/README.md b/README.md index 1e4fdf7..c15f32b 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,11 @@ -# BigFix Add-on for Splunk -The BigFix Add-on for Splunk can be used to configure Splunk to ingest BigFix client, relay, and server logs. It also contains multiple modular inputs to query the REST API of a BigFix core server. +# HCL BigFix Add-on for Splunk +The HCL BigFix Add-on for Splunk can be used to configure Splunk to ingest BigFix client, relay, and server logs. It also contains multiple modular inputs to query the REST API of a BigFix core server. # Compatability -The BigFix Add-on for Splunk is Python2 and Python3 compatible so it will run on Splunk Enterprise 7.x and 8.x. +The HCL BigFix Add-on for Splunk is Python2 and Python3 compatible so it will run on Splunk Enterprise 7.x and 8.x. # Installation -The BigFix Add-on for Splunk should be installed on: +The HCL BigFix Add-on for Splunk should be installed on: - Search Heads - The add-on contains field extractions for flat logs as well as formatting for the REST input for assets - Indexers - The add-on contains props.conf and transforms.conf configurations for properly ingesting logs for BigFix clients, relays, and server logs. NOTE: Not all available BigFix logs have been added to the add-on. As development progresses, more logs will be added to the add-on for proper ingestion. 
@@ -30,26 +30,26 @@ Configure the account and server information for the BigFix deployment by doing - Click the "Inputs" tab and click the "Create New Input" dropdown to configure the modular REST API inputs. # Sourcetypes -The BigFix Add-on for Splunk uses the following sourcetype format along with the log they currently support: +The HCL BigFix Add-on for Splunk uses the following sourcetype format along with the log they currently support: Sourcetype | BigFix Component - --- | --- + --- | --- bigfix:client:log | BigFix Clients -bigfix:relay:log | BigFix Relays -bigfix:server:log | BigFix Server Core -bigfix:server:audit:log | BigFix Server Audit -bigfix:filldb:log | BigFix FillDB -bigfix:gather:log | BigFix GatherDB -bigfix:webrepoprt:log | BigFix Web Reports -bigfix:ape:mfs:log | BigFix Server Automation Core -bigfix:ape:notifier:app:log | BigFix Server Automation Notification Service app +bigfix:relay:log | BigFix Relays +bigfix:server:log | BigFix Server Core +bigfix:server:audit:log | BigFix Server Audit +bigfix:filldb:log | BigFix FillDB +bigfix:gather:log | BigFix GatherDB +bigfix:webrepoprt:log | BigFix Web Reports +bigfix:ape:mfs:log | BigFix Server Automation Core +bigfix:ape:notifier:app:log | BigFix Server Automation Notification Service app bigfix:ape:notifier:monitor:log | BigFix Server Automation Notification Service monitor -bigfix:ape:notifier:service:log | BigFix Server Automation Notification Service status -bigfix:ape:plan:engine:log | BigFix Server Automation Plan Engine -bigfix:compliance:import:log | BigFix Compliance Import Log +bigfix:ape:notifier:service:log | BigFix Server Automation Notification Service status +bigfix:ape:plan:engine:log | BigFix Server Automation Plan Engine +bigfix:compliance:import:log | BigFix Compliance Import Log Modular Inputs | Sourcetype | BigFix Component ---- | --- | --- +--- | --- | --- BigFix Clients | bigfix:clients | BigFix client list export using REST (Requires "BES Component Versions" analysis of "BES 
Support" site to be activated) BigFix Actions | bigfix:action | BigFix action status export using REST BigFix Analysis | bigfix:analysis | BigFix analysis result export using REST 
@@ -59,14 +59,14 @@ BigFix Available Fixlets | bigfix:fixlets:available | BigFix available fixlet ex BigFix Relevant Fixlets | bigfix:fixlets:relevant | BigFix relevant fixlet export using REST # BigFix Inputs Using Batching -The improve the scalability of the BigFix Add-on for Splunk, the inputs have been rewritten to allow for batch-adding the data. This is done by looping through based on modulation of a specific integer of the results of the relevance query. It basically increments and brings in different results based on however many batches you're looking to run the ingestion on. +The improve the scalability of the HCL BigFix Add-on for Splunk, the inputs have been rewritten to allow for batch-adding the data. This is done by looping through based on modulation of a specific integer of the results of the relevance query. It basically increments and brings in different results based on however many batches you're looking to run the ingestion on. The right modulous depends on the size of the environment. Lower client counts means less cardinality of events where you are less likely to have over 100,000 results for a single query using the inputs. As the number of results begins to exponentially grow, your modulous should grow as well. I would recommend that for every 10,000 potential results you have, you increase your modulous by 10. This means if you are collecting BigFix Action results and an action has gone out to 10,000 machines, your modulous input should use be a batch of **10**. Feel free to experiment and I encourage anyone who knows maths way better than me to report back with what would be a good ratio. # BigFix Clients Input -The BigFix Add-on for Splunk contains a configurable REST input for collecting client information from a BigFix deployment. The REST query should return results, even from environments with a large number of clients, in a reasonable amount of time. 
This requires the coordination with the administrator of BigFix because the field containing the MAC address is not a default property inside of an out-of-the-box BigFix deployment. +The HCL BigFix Add-on for Splunk contains a configurable REST input for collecting client information from a BigFix deployment. The REST query should return results, even from environments with a large number of clients, in a reasonable amount of time. This requires the coordination with the administrator of BigFix because the field containing the MAC address is not a default property inside of an out-of-the-box BigFix deployment. Some notes on further requirements for this input: - A property the BigFix administrator knows will need to be identified which details a list of MAC addresses for each host. This property will need to be configured with the input. If there is a not a currently configured property, the BigFix administrator may use the relevance below to evaluate the property. 
@@ -80,7 +80,7 @@ If the MAC addresses of the clients are not being evaluated, you can use the fol Once the property is configured in BigFix, you can configure the property name when you configure the input. # BigFix Analysis Input -The BigFix Add-on for Splunk contains a configurable REST input for ingesting the results of a specificed analysis within BigFix. This will require the display name of the analysis being imported. Once congfigured, the results are ingested per property result per host in a single event so multiple properties within a single analysis can be identified and evaluated once the events are ingested. This will also break multi-value results into their own events with the same property name. +The HCL BigFix Add-on for Splunk contains a configurable REST input for ingesting the results of a specificed analysis within BigFix. This will require the display name of the analysis being imported. Once congfigured, the results are ingested per property result per host in a single event so multiple properties within a single analysis can be identified and evaluated once the events are ingested. This will also break multi-value results into their own events with the same property name. To configure a specific analysis for ingestion, your BigFix administrator will need to provide the integer ID of the analysis as well as the site that analysis exists under. Once you configure those values, your analysis will be ingested. diff --git a/default/app.conf b/default/app.conf index 32ce11e..d462aaf 100644 --- a/default/app.conf +++ b/default/app.conf @@ -13,7 +13,7 @@ description = Technical add-on for ingesting data from HCL BigFix into Splunk [ui] is_visible = 1 -label = BigFix TA +label = HCL BigFix Add-on for Splunk docs_section_override = AddOns:released [package] @@ -24,4 +24,3 @@ reload.addon_builder = simple reload.ta_bigfix_account = simple reload.ta_bigfix_settings = simple reload.passwords = simple -
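Review bot: In the first README hunk (`@@ -1,11 +1,11 @@`) the `# Compatability` heading is left as an unchanged context line while the paragraph directly under it is rewritten; since the surrounding prose is being touched anyway for the HCL rename, fix the heading spelling to `# Compatibility` in the same change rather than leaving it for a follow-up.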
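Review bot: In the Sourcetypes hunk (`@@ -30,26 +30,26 @@`) most of the `-`/`+` pairs are byte-identical apart from whitespace (`-bigfix:relay:log | BigFix Relays` / `+bigfix:relay:log | BigFix Relays`, and likewise for the table separators), which hides the one real change in this hunk, the "HCL" rename, behind a dozen no-op rows; either revert the whitespace churn or call it out in the commit message so reviewers know nothing in the table semantics moved. While here, the `+bigfix:webrepoprt:log | BigFix Web Reports` row carries a likely typo for "webreport"; because the string is a sourcetype name that must match the props.conf/transforms.conf stanzas this README says the add-on ships, either correct it in both places together or leave it deliberately and note why, but do not change only the README.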
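Review bot: In the batching hunk (`@@ -59,14 +59,14 @@`) the replacement line starts with `+The improve the scalability of the HCL BigFix Add-on for Splunk, ...`, carrying the grammatical error from the old line into the new one; since the whole line is being rewritten, make it `+To improve the scalability of the HCL BigFix Add-on for Splunk, ...`. The unchanged context paragraph below it also spells the parameter `modulous` throughout; if that paragraph gets touched in this PR, `modulus` is the intended word.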
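Review bot: In the Analysis Input hunk (`@@ -80,7 +80,7 @@`) the rewritten line keeps two typos from the original, `specificed` and `congfigured`; since the `+` line replaces the whole sentence, correct them to `specified` and `configured` in the same line rather than reproducing them: `+The HCL BigFix Add-on for Splunk contains a configurable REST input for ingesting the results of a specified analysis within BigFix. ... Once configured, the results are ingested ...`.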