Splunk Addon for Oracle Cloud Infrastructure (OCI)

Overview

Details

A security information and event management (SIEM) system is a critical operations tool to manage the security of your cloud resources. Oracle Cloud Infrastructure (OCI) includes native threat detection, prevention, and response capabilities, which you can leverage to implement an efficient SIEM system using Splunk.

Splunk Enterprise administrators can use the Logging and Streaming services with the Logging Addon for Splunk, to stream logs from resources in the cloud to an existing or new Splunk environment. Administrators can also integrate with other Splunk plugins and data sources, such as threat intelligence feeds, to augment the generation of alerts based on log data.

OCI Logging Plugin for Splunk Architecture

OCI Configuration

Step 1: Create a Stream

OCI Stream Setup
Refer the screenshot and the points listed below to to create a stream for log data to be written to for Splunk to collect from.

Open the navigation menu. Under Analytics, click Streaming.
Click Create Stream.
Next, select Stream Pool or create a new one.
Fill in the Stream Name field with a friendly name for your stream such as SIEMLogStream
Provide a Retention time to meet your needs.
Provide a Number of Partitions, Total Write Rate, and Total Read Rate based on the amount of data you need to process.

Step 2 (Optional): Enable a Service ex. VCN Flow Log

In this step, You will create a log group and configure an example log using Virtual Cloud Network (VCN) Flow Logs.
Log Resource Setup
Refer the screenshot and the points listed below to complete Step 1.

Open the navigation menu on Oracle Cloud Infrastructure (OCI) console. Under Solutions and Platform, go to Logging, and click on Log Groups.
Click Create Log Group
1. Choose the Compartment where you want to create log group
2. Choose a Name and Description that can properly identify your log group
Click Create
Next click Logs. The Logs page is displayed.
Click Enable Service Log. The Enable Resource Log panel is displayed.
Under Select Resource, under Resource Compartment, choose a compartment you have permission to work in.
Select a service from the Service. For example: Virtual Cloud Network (subnet)
Select a resource:
1. Under Resource, select a subnet.
Configure the log:
1. In Log Category select a log category to specify the type of log to create. For this example, you will select Flow Logs (All records)
In Log Name, type a name for the log. For this example, name it as test-flowlog.
Click Enable Log.

Step 3: Create a Service Connector in OCI Logging

Refer the screenshot and the points listed below to complete Step 3 to create a Service Connector in OCI Logging.
Service Connector Setup
1. Open the navigation menu. Under Logging, click Service Connectors.
1. Choose the Compartment where you want to create the service connector.
1. Click Create Connector.
1. On the Create Service Connector page, fill in the settings as noted below:
1. Connector Name: User-friendly name for the new service connector.
1. Description: Optional identifier.
1. Resource Compartment: The compartment where you want to store the new service connector.
1. Configure Service Connector:
1. Select Source: Logging
1. Select Target: Streaming
1. Under configure source connection(_Audit Logs):
1. Compartment: Select the (root) compartment
1. Log Group: Select _Audit
1. Check: Include _Audit in subcompartments to collect all compartment logs
1. Under configure source connection(Service Log):
1. Click ++Another Log
1. Compartment: Select the compartment that contains your log group.
1. Log Group: Select the log group created in step 1.
1. Leave Blank to collect all Logs in the Log Group
1. Logs: Select the log created in step 1 to collect the single service log.
1. Under configure target connection:
1. Compartment: Select the compartment that contains your stream.
1. Stream: Select the stream created in step 2.

If you do not have an inclusive IAM policy, you will see the following message:
1. Create default policy allowing this service connector to write to Streaming in compartment
2. To resolve this, click the Create button to the right, and it will automatically create a policy for you.
To finish the creation click the Create button on the left.

Step 4: Access control

The logging addon for Splunk supports access both by instance principals and using API signing keys. Oracle recommends using an instance principal, to avoid storing long-lived tokens. If you're not using an instance principal, use an API signing key.
Depending on the access method that you choose, define a least-privilege policy as shown in the following examples:

If you choose the instance-principal access method:
1. Create a Dynamic Group with with the Splunk Instance: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingdynamicgroups.htm
2. Create an OCI IAM policy like the below
  Allow dynamic-group <Splunk_Dynamic_Group> to use stream-pull in compartment <compartment_of_stream>
If you choose the API signing key method:
1. Create a OCI User: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingusers.htm
2. Create an OCI Group and add the above user to the group: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managinggroups.htm
3. Create an API Key: https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm
  1. If via CLI, add the API Public Key to user: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcredentials.htm
4. Create an OCI IAM policy like the below:
  
  Allow group <Splunk_User_Group> to use stream-pull in compartment <compartment_of_stream>

Release Notes

Version 2.3.3

June 6, 2023

-Removed packages not called by primary script
-Reorganized file structure

Version 1.1.0

Jan. 4, 2021

Added the capability to use multiple workers to use consumer groups.
Deprecated the manual selection of partition number.
Added the ability to use an encrypted PEM file.
Enhanced logging and debugging.

1,915

Downloads

Share Subscribe

Version

Built by

Splunk Works

Support

Not Supported

Questions on Splunk Answers Flag as inappropriate

App Contents: Inputs

Compatibility

Products: Splunk Enterprise

Splunk Versions: 9.2, 9.1, 9.0, 8.2, 8.1, 8.0

Platform: Platform Independent

CIM Versions: 3.x

Splunk Versions: 9.2, 9.1, 9.0, 8.2, 8.1, 8.0

Platform: Platform Independent

Licensing

Third Party Developer EULA

Category & Contents

Categories: IT Operations, Security, Fraud & Compliance

App Type: Add-on

Source Code: The Splunk Add-on for Oracle Cloud Infrastructure

Subscribe Share

My Account

Support & Services