Splunk settings

Note Regarding Syslog Over SSL

Sending data over encrypted protocols is recommended, when possible. Cylance and Splunk can communicate syslog data using plain-text and over SSL. For more information about how to configure forwarding, see the Splunk documentation at: https://docs.splunk.com/Documentation/Splunk/6.6.1/Security/ConfigureSplunkforwardingtousesignedcertificates

To see instructions that work in BlackBerry’s development environment, please see Appendix: configure Syslog over SSL in Splunk in Appendix A.

Unencrypted syslog input is not recommended; however, for troubleshooting purposes, it can be enabled on a port other than 6514. You can enable Syslog in Splunk Web in Settings > Data Inputs > Local Inputs > TCP. Enable TCP Port 6515.

Note on Multi-Tenant Configurations and Syslog

Each tenant will require its own stanza in inputs.conf, and each tenant requires its own port. For example, if there are two tenants, CompanyOne and CompanyTwo, inputs.conf should contain:

[tcp-ssl://6514]
disabled = false
sourcetype = syslog_protect
source = CompanyOne
index = cylance_protect

[tcp-ssl://6515]
disabled = false
sourcetype = syslog_protect
source = CompanyTwo
index = cylance_protect
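
The following Python script is an added example, not part of the Cylance or Splunk documentation. It audits an inputs.conf text against the two rules above: every tenant has its own enabled stanza on its own port, and no plain-text [tcp://...] input is left enabled after troubleshooting. The function name audit_inputs, the CompanyThree tenant and port 6516 are constructed for illustration, and the script assumes a stanza without a disabled key is enabled.

```python
import re
from collections import defaultdict

# Matches the stanza form used on this page, plus plain [tcp://...] inputs.
STANZA = re.compile(r"^\[(tcp-ssl|tcp)://(?:[^:\]]*:)?(\d+)\]$")

def audit_inputs(conf_text, tenants):
    """Return findings for the syslog TCP stanzas of an inputs.conf text."""
    stanzas, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = STANZA.match(line)
            current = (m.group(1), int(m.group(2)), {}) if m else None
            if current:
                stanzas.append(current)
        elif current and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[2][key.strip()] = value.strip()

    findings, by_port = [], defaultdict(list)
    for scheme, port, kv in stanzas:
        # Assumption: a stanza with no "disabled" key is treated as enabled.
        if kv.get("disabled", "false").lower() in ("true", "1"):
            continue  # disabled inputs do not listen
        by_port[port].append(kv.get("source", "<unset>"))
        if scheme == "tcp":
            findings.append(f"port {port}: plain-text TCP input is enabled")
    for port, sources in sorted(by_port.items()):
        if len(sources) > 1:
            findings.append(f"port {port}: shared by {', '.join(sources)}")
    enabled = {s for sources in by_port.values() for s in sources}
    findings += [f"tenant {t}: no enabled stanza" for t in tenants if t not in enabled]
    return findings

# Constructed sample: the page's two tenants plus a made-up troubleshooting input.
SAMPLE = """\
[tcp-ssl://6514]
disabled = false
source = CompanyOne
[tcp-ssl://6515]
disabled = false
source = CompanyTwo
[tcp://6516]
source = CompanyThree
"""

if __name__ == "__main__":
    for finding in audit_inputs(SAMPLE, ["CompanyOne", "CompanyTwo", "CompanyThree"]):
        print(finding)
```

An empty result means every listed tenant has a dedicated, enabled, SSL-only port.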