Is there a way to install the SailPoint ISC add-on for Splunk on a Splunk Universal Forwarder?
This is not mentioned on the official page of the add-on:
What have you tried?
- I attempted to install on a single (non-distributed) Splunk Enterprise 9.4. This works fine.
- I attempted to add a Splunk Universal Forwarder to Splunk Enterprise (status ok). Then, from Forwarder Management → Server Class Detail → Assigned Applications, there is no SailPoint add-on available to assign to the target Splunk UF.
This is expected as per the documents: About installing Splunk add-ons - Splunk Documentation
- Since the Splunk UF does not have a UI for installing via Splunkbase: download the .tgz add-on from Splunkbase, extract it on the Splunk UF and put it in {Splunk directory}\etc\apps.
Then I manually configured inputs.conf and ta_sailpoint_identitynow_auditevent_add_on_settings.conf as follows:
local/inputs.conf
[sailpoint_identitynow_auditevent://SailPoint]
interval = 300
organization_name =
client_id =
client_secret =
disabled = 0
local/ta_sailpoint_identitynow_auditevent_add_on_settings.conf
[additional_parameters]
client_id = <redact>
client_secret = <redact>
organization_name = <redact>
[logging]
loglevel = INFO
Then ./splunk restart (status ok, no add-on configuration errors), but nothing comes through. I cannot be sure, but I do not see any log from the add-on in the splunk/log folder, so I suspect the add-on did not even initiate the API call.
Ref: Install an add-on in a distributed Splunk Enterprise deployment - Splunk Documentation
Any suggestion as to whether installation on a UF is possible, and if so, what else is needed to complete a proper installation? In the actual deployment it is a distributed Splunk Enterprise using UFs.
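An added troubleshooting script (not from the post, SailPoint or Splunk) that checks the three things that decide whether an add-on dropped into etc/apps can actually start: the inputs.conf stanza is present, the instance bundles a Python runtime (Splunk Enterprise and heavy forwarders do, the universal forwarder does not, so a Python modular input is silently never launched there), and the add-on has written a log under var/log/splunk. APP_DIR is a placeholder for the add-on's folder name, which the post does not give; the stanza name and log-name fragment come from the post.

```sh
#!/bin/sh
# Added helper, not code from the post, SailPoint or Splunk.
# Checks whether a modular-input add-on copied into $SPLUNK_HOME/etc/apps
# can run on this instance. APP_DIR is a placeholder for the app folder.

# 0 if <app>/local/inputs.conf exists and declares the given stanza.
app_has_stanza() {
  conf="$1/etc/apps/$2/local/inputs.conf"
  [ -f "$conf" ] && grep -q "^\[$3]" "$conf"
}

# 0 if the add-on ships Python code in bin/ (a Python modular input).
input_is_python() {
  ls "$1/etc/apps/$2/bin"/*.py >/dev/null 2>&1
}

# 0 if this Splunk install bundles a Python runtime. Splunk Enterprise and
# heavy forwarders do; the universal forwarder does not, so a Python modular
# input cannot execute there even though the .conf files are accepted.
has_bundled_python() {
  for p in "$1"/bin/python3* "$1"/bin/python; do
    [ -x "$p" ] && return 0
  done
  return 1
}

# 0 if any add-on log matching the pattern exists under var/log/splunk
# (no such log was the symptom described in the post).
addon_has_log() {
  ls "$1/var/log/splunk"/*"$2"* >/dev/null 2>&1
}

# Runs all checks, prints each failure, returns 0 only if everything passes.
diagnose() {
  home="$1"; app="$2"; stanza="$3"; logpat="$4"; rc=0
  app_has_stanza "$home" "$app" "$stanza" \
    || { echo "stanza [$stanza] missing from $app/local/inputs.conf"; rc=1; }
  if input_is_python "$home" "$app" && ! has_bundled_python "$home"; then
    echo "Python modular input but no bundled Python (universal forwarder?): needs a heavy forwarder"
    rc=1
  fi
  addon_has_log "$home" "$logpat" \
    || { echo "no add-on log under var/log/splunk: input never started"; rc=1; }
  return $rc
}

# Example invocation when SPLUNK_HOME is set (APP_DIR is a placeholder).
if [ -n "${SPLUNK_HOME:-}" ]; then
  diagnose "$SPLUNK_HOME" "${APP_DIR:-TA-sailpoint-placeholder}" \
    "sailpoint_identitynow_auditevent://SailPoint" sailpoint || echo "checks failed"
fi
```

Run it on the UF with SPLUNK_HOME and APP_DIR exported; a "no bundled Python" line means the add-on needs a heavy forwarder (or the indexer/search head) rather than the UF.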