Citrix Application Delivery Management service

Integration with Splunk

You can now integrate Citrix ADM with Splunk to view analytics for WAF, Bot, and behavior-based violations in your Splunk dashboard. The Splunk add-on enables you to:

  • Combine the data with all other external data sources.

  • Provide greater visibility of analytics in a centralized place.

Citrix ADM collects Bot, WAF, and behavior-based events and sends them to Splunk periodically. The Splunk Common Information Model (CIM) add-on converts the events to CIM compatible data. As an administrator, using the CIM compatible data, you can view the WAF, Bot, and behavior-based violations in the Splunk dashboard.

Prerequisites

For Splunk integration, you must:

Set up the global setting

  1. Log on to Splunk.

  2. Navigate to Settings > Data Inputs > HTTP event collector. The HTTP event collector page is displayed.

  3. Click Global Settings.

    Global settings

  4. Specify the following parameters and click Save.

    Edit global setting

    Note

    By default, the HTTP Port Number indicates the default port. If you have any other preferred port number, you can specify the required port number.

Set up the HTTP Event Collector endpoint in Splunk

  1. Log on to Splunk.

  2. Navigate to Settings > Data Inputs > HTTP event collector. The HTTP event collector page is displayed.

  3. Click New Token.

    New token

  4. Specify the following:

    1. Name: Specify a name of your choice.

    2. Source name override (optional): If you set a value, it overrides the source value for HTTP event collector.

    3. Description (optional): Specify a description.

    4. Output Group (optional): By default, this option is selected as None.

    5. Enable indexer acknowledgement: By default, this option is not selected.

      Event collector parameters

    6. Click Next.

    7. In the Input Settings page, specify the Source Type, App context, Index, and then click Review.

    8. Review that everything you have specified is correct and then click Submit. A token is generated. You must use this token when you add details in Citrix ADM.

      Splunk token

Install the Splunk Common Information Model

In Splunk, you must install the Splunk CIM to ensure that the data is populated in the dashboard.

  1. Log on to Splunk.

  2. Navigate to Apps > Find More Apps.

    Splunk find more apps

  3. Type CIM in the search bar and press Enter to get the Splunk Common Information Model (CIM) add-on, and click Install.

    Splunk CIM

Install the Citrix CIM normalizer

After you install the Splunk CIM, you must install the Citrix CIM normalizer to transform the events into the Splunk CIM.

  1. Log on to Citrix downloads page and download the Citrix CIM add-on for Splunk.

  2. In the Splunk portal, navigate to Apps > Manage Apps.

    Splunk manage apps

  3. Click Install App from file.

    Splunk install app

  4. Upload the .spl or .tgz file and click Upload.

    Upload file

    You receive a notification message on the Apps page that the add-on is installed.

Add the Splunk HTTP collector and token details

After you generate a token, you must add details in Citrix ADM to integrate with Splunk.

  1. Log on to Citrix ADM.

  2. Navigate to Settings > Ecosystem Integration.

    The Create Subscription page is displayed.

  3. The Select features to subscribe tab enables you to select the features that you want to export. Select the features and click Next.

    • Realtime Export - The selected violations are exported to Splunk immediately.

    • Periodic Export - The selected violations are exported to Splunk based on the duration you select.

      Select features

  4. In the Specify export configuration tab:

    1. End Point Type – Select Splunk from the list.

    2. End Point – Specify the Splunk end point details. The end point must be in the https://SPLUNK_PUBLIC_IP:SPLUNK_HEC_PORT/services/collector/event format.

      Note

      It is recommended to use HTTPS for security reasons.

      • SPLUNK_PUBLIC_IP – A valid IP address configured for Splunk.

      • SPLUNK_HEC_PORT – Denotes the port number that you have specified during the HTTP event endpoint configuration. The default port number is 8088.

      • services/collector/event – Denotes the path for the HEC application.

    3. Authentication token – Copy and paste the authentication token from the Splunk page.

    4. Click Next.

      Create subscription

  5. In the Subscribe page:

    1. Export Frequency – Select Daily or Hourly from the list. Based on the selection, Citrix ADM exports the details to Splunk.

      Note

      Applicable only if you have selected violations in Periodic Export.

    2. Subscription Name – Specify a name of your choice.

    3. Click Submit.

      Subscribe

      Note

      • When you configure the Periodic Export option for the first time, the data for the selected features is pushed to Splunk immediately. Subsequent exports happen at the frequency you selected (daily or hourly).

      • When you configure the Realtime Export option for the first time, the data for the selected features is pushed to Splunk as soon as the violations are detected in Citrix ADM.
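Before you submit the subscription, it is worth confirming that the End Point string and token work against the HEC endpoint independently of Citrix ADM. The following Python example is added here and is not part of Citrix's documentation: it checks the End Point against the format given above (HTTPS, host, port, services/collector/event path), builds the request that Splunk HEC expects (an Authorization: Splunk <token> header and a JSON body), and posts a constructed test event. The sourcetype adm_hec_check, the sample IP, and the placeholder token are assumptions.

```python
import json
import urllib.request
from urllib.parse import urlparse

HEC_PATH = "/services/collector/event"   # path required in the ADM End Point field
DEFAULT_HEC_PORT = 8088                  # Splunk's default HEC port, as stated on the page


def validate_hec_endpoint(endpoint):
    """Return (ok, message) for an End Point string expected in the form
    https://SPLUNK_PUBLIC_IP:SPLUNK_HEC_PORT/services/collector/event."""
    parsed = urlparse(endpoint)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    if not parsed.hostname:
        return False, "missing Splunk IP address or host name"
    if parsed.path.rstrip("/") != HEC_PATH:
        return False, f"path must be {HEC_PATH}"
    if parsed.scheme == "http":
        # The HEC token travels in the Authorization header, so plain HTTP exposes it.
        return False, "use https: the token is sent in every request"
    try:
        port = parsed.port
    except ValueError:
        return False, "port is not a number"
    if port is None:
        return False, f"port missing (the HEC default is {DEFAULT_HEC_PORT})"
    return True, f"endpoint OK, HEC port {port}"


def build_hec_request(token, sourcetype, event, channel=None):
    """Headers and body for one HEC event. X-Splunk-Request-Channel is needed only
    when the token was created with 'Enable indexer acknowledgement' selected."""
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    if channel:
        headers["X-Splunk-Request-Channel"] = channel
    body = json.dumps({"sourcetype": sourcetype, "event": event}).encode()
    return headers, body


def send_test_event(endpoint, token, sourcetype="adm_hec_check", channel=None, timeout=10):
    """Validate the endpoint, then post a constructed test event; returns Splunk's
    JSON reply, which is {"text": "Success", "code": 0} when the token is accepted."""
    ok, msg = validate_hec_endpoint(endpoint)
    if not ok:
        raise ValueError(msg)
    headers, body = build_hec_request(token, sourcetype, {"check": "adm-hec-test"}, channel)
    req = urllib.request.Request(endpoint, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Sample values are constructed placeholders; replace them with your own.
    print(send_test_event("https://192.0.2.10:8088/services/collector/event", "REPLACE_WITH_HEC_TOKEN"))
```

After a successful reply, the test event can be found in Splunk with the search sourcetype="adm_hec_check" over the chosen time range.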

Verify details in Splunk

After you add details in Citrix ADM, you can verify if Splunk receives the events.

  1. From the Splunk home page, click Search & Reporting.

    Splunk search and reporting

  2. In the search bar, type the search string, select the duration from the list, and click the search icon or press Enter. For example, type sourcetype="bot", sourcetype="waf", or sourcetype="ml" to check the details.

    Splunk search example

    The following search result is an example for a WAF violation:

    Splunk WAF events

    The following search result is an example for a Bot violation:

    Splunk bot events

    The following search result is an example for the behavior-based violations:

    Splunk ML events

Access Pivot details

You must identify the Data Model type to see the pivot details. For example, the Splunk add-on converts the WAF, Bot, and behavior-based events into CIM format, using the closest data model type, such as Alert or Intrusion Detection.

To access the events in Splunk:

  1. Navigate to Settings > Data Models.

  2. Identify the Intrusion Detection data model and click Pivot.

    Splunk pivot

  3. Select a Dataset. In the following example, the IDS Attacks option is selected.

    Splunk dataset

    The total count of IDS Attacks is displayed.

    IDS attacks

    You can also click the + button to add more details to the table. The following example displays the details based on severity, category, and signature ID:

    More details

Splunk dashboard

Using a dashboard, you can view details of WAF, Bot, and behavior-based violation analytics with panels such as charts, tables, lists, and so on. You can configure:

  • Dashboard with applications that use the CIM compatible data.

  • Custom dashboard that pulls data from the CIM data models.

Depending on your choice, you can create the dashboard. For more information, see the About dashboard section in the Splunk documentation.
