Splunk ISC Addon for audit

Hi,

Has anyone had any experience with the Splunk ISC Addon for audit with Splunk Enterprise? If yes, which type of installation have you tested?

We tested deployment with index, heavy forwarder, etc., but they don't work.

Any Suggestion would be appreciated.

@adam_creaney, can you help us please?

We followed all the steps and installed the addon using a Search Head instance on the Splunk Enterprise version.

But we do not see any data when searching; it's always empty.

Which type of instance did you test? In the organization name field of the addon configuration and the data input configuration, which value must be used (tenant/org name or full API URL)?

After long hours of debugging, I was able to resolve the issue by performing the following actions:

  1. Removed the DATETIME_CONFIG parameter from the file “$SplunkHome/etc/apps/TA-sailpoint-identitynow-auditevent-add-on/default/props.conf”.

  2. Added the following elements to the file “etc/apps/TA-sailpoint-identitynow-auditevent-add-on/local/ta_sailpoint_identitynow_auditevent_add_on_settings.conf”:

     [proxy]
     proxy_password = NONE
     proxy_type =

@colin_mckibben, maybe you can forward these elements to the team that developed this plugin; maybe they have an explanation.

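As an added example (not part of the post above or of the add-on's own code), a small Python check that models Splunk's default/local layering and verifies the two conditions from the workaround: no DATETIME_CONFIG left in the effective props.conf, and a [proxy] stanza with proxy_password = NONE and an explicit proxy_type key in the effective settings file. The stanza name, the CURRENT value and the sample layers are constructed placeholders, not values from the add-on.

```python
import configparser
from typing import Dict, List

Conf = Dict[str, Dict[str, str]]

def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse one Splunk .conf layer (INI-like, case-sensitive keys, no interpolation)."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.optionxform = str  # keep DATETIME_CONFIG and friends in their original case
    cp.read_string(text)
    return cp

def effective_conf(default_text: str, local_text: str) -> Conf:
    """Layer local/ over default/ the way Splunk does: same stanza, the local key wins."""
    merged: Conf = {}
    for layer in (default_text, local_text):
        cp = parse_conf(layer)
        for stanza in cp.sections():
            merged.setdefault(stanza, {}).update({k: (v or "") for k, v in cp.items(stanza)})
    return merged

def check_workaround(props: Conf, settings: Conf) -> List[str]:
    """Return findings that deviate from the two conditions described in the post."""
    findings = []
    for stanza, keys in props.items():
        if "DATETIME_CONFIG" in keys:
            findings.append(f"props.conf [{stanza}] still sets DATETIME_CONFIG={keys['DATETIME_CONFIG']!r}")
    proxy = settings.get("proxy")
    if proxy is None:
        findings.append("settings.conf lacks a [proxy] stanza")
    else:
        if proxy.get("proxy_password") != "NONE":
            findings.append("settings.conf [proxy] proxy_password is not NONE")
        if "proxy_type" not in proxy:
            findings.append("settings.conf [proxy] has no proxy_type key")
    return findings

# Constructed sample layers: stanza name and the CURRENT value are placeholders, not the add-on's.
PROPS_BEFORE = "[sailpoint:identitynow:auditevent]\nDATETIME_CONFIG = CURRENT\nTIME_PREFIX = created\n"
PROPS_AFTER = "[sailpoint:identitynow:auditevent]\nTIME_PREFIX = created\n"
SETTINGS_LOCAL = "[proxy]\nproxy_password = NONE\nproxy_type =\n"

def demo() -> tuple:
    """Findings before the workaround (two problems) and after it (none)."""
    before = check_workaround(effective_conf(PROPS_BEFORE, ""), effective_conf("", ""))
    after = check_workaround(effective_conf(PROPS_AFTER, ""), effective_conf("", SETTINGS_LOCAL))
    return before, after

if __name__ == "__main__":
    for label, findings in zip(("before", "after"), demo()):
        print(label, findings or ["OK"])
```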

Thanks for your effort in finding the root cause @baoussounda!

Sailpoint team: we are on the Cloud version of Splunk so cannot use this workaround. Someone needs to update the add-on on your end. This is critical for us since we are missing auditable events.

@adam_creaney can you assist?

We were experiencing the same issue. Sailpoint support let us know that version 2.0.14 of the app was just released on 8/23/24 to fix this issue, and we can install it successfully on Splunk Enterprise but our Splunk Cloud environment is not showing any update available from 2.0.13. We tried fully uninstalling 2.0.13 and installing from Splunkbase (which shows 2.0.14 as compatible with Cloud) and it pulls down 2.0.13 again. Anyone else experiencing this issue? Has anyone else been able to install 2.0.14 on Splunk Cloud?
