Perform the following procedure to install the Splunk App for Carbon Black App Control on the Carbon Black App Control Server.

Prerequisites

Before you perform this procedure, install the Splunk Forwarder on the Carbon Black App Control Server. See Install the Splunk Forwarder on the Carbon Black App Control Server.

Procedure

  1. Search for and download the Splunk App for Carbon Black App Control from the Splunk apps website: https://splunkbase.splunk.com.
  2. Copy the downloaded file (for example, cb-protection-app-for-splunk_20.tar.gz) to the \etc\apps subdirectory under the Splunk Forwarder installation directory. For example, if you are running a 64-bit OS on the Carbon Black App Control Server, copy the file to C:\Program Files\SplunkUniversalForwarder\etc\apps\.
    Note: Numbers at the end of the file name vary with app version changes.
  3. Unzip and untar the file.
  4. Go into the bit9-secapp directory and create a new directory named local.
  5. Copy default\inputs.conf into the local directory.
  6. Edit the first line of local\inputs.conf to point to the location of the Export Directory configured on the System Configuration/External Analytics page of the Carbon Black App Control Console, and save the file. For example, if the Export Directory on the Carbon Black App Control Server is D:\Bit9\LogFiles, change the first line of inputs.conf to [monitor://D:\Bit9\LogFiles\*.bt9].
  7. At a command prompt, restart the Splunk Forwarder:
    cd \Program Files\SplunkUniversalForwarder\bin
    .\splunk.exe restart
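The same steps 4 through 7, scripted and checked in PowerShell as an added example (this is not code from the Carbon Black or Splunk documentation). It assumes the default forwarder path from step 2 and takes the Export Directory as a parameter; the $ExportDir and $ForwarderHome names are this script's own.

```powershell
# Added example: automates steps 4-7 of the procedure on the App Control Server.
# Defaults are the paths used in the procedure; $ExportDir must match the Export
# Directory set on System Configuration/External Analytics in the console.
param(
    [string]$ExportDir     = 'D:\Bit9\LogFiles',
    [string]$ForwarderHome = 'C:\Program Files\SplunkUniversalForwarder'
)

$appDir   = Join-Path $ForwarderHome 'etc\apps\bit9-secapp'
$localDir = Join-Path $appDir 'local'
$default  = Join-Path $appDir 'default\inputs.conf'
$local    = Join-Path $localDir 'inputs.conf'

# Checks before touching the forwarder: the app must already be unpacked (step 3)
# and the export directory must exist, or the monitor stanza will watch nothing.
if (-not (Test-Path $default)) {
    throw "default\inputs.conf not found under $appDir; unpack the app first (step 3)."
}
if (-not (Test-Path $ExportDir -PathType Container)) {
    throw "Export Directory $ExportDir does not exist; check System Configuration/External Analytics."
}

# Step 4: create local\.  Step 5: copy default\inputs.conf into it (keep an existing copy).
New-Item -ItemType Directory -Path $localDir -Force | Out-Null
if (-not (Test-Path $local)) { Copy-Item -Path $default -Destination $local }

# Step 6: replace the first line (the [monitor://...] stanza) with the Export Directory.
# @() keeps $lines an array even when the file has a single line.
$lines  = @(Get-Content -Path $local)
$stanza = "[monitor://$ExportDir\*.bt9]"
$lines[0] = $stanza
Set-Content -Path $local -Value $lines

# Confirm the edit before restarting, so a failed write is caught here and not in Splunk.
if ((Get-Content -Path $local -TotalCount 1) -ne $stanza) {
    throw "First line of $local was not updated."
}

# Step 7: restart the Universal Forwarder so it loads local\inputs.conf.
& (Join-Path $ForwarderHome 'bin\splunk.exe') restart

# Quick check: how many .bt9 export files are already waiting in the monitored path.
$count = (Get-ChildItem -Path $ExportDir -Filter '*.bt9' -File -ErrorAction SilentlyContinue |
          Measure-Object).Count
Write-Host "Monitoring $stanza; $count .bt9 file(s) currently in $ExportDir."
```

Run it from an elevated PowerShell prompt on the App Control Server, since both the forwarder directory and the restart require administrator rights.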

Results

When you have completed all of the tasks described in Enable External Analytics Features and Enabling an External Tool for Data Analytics, the Bit9-Splunk integration is complete and data from Carbon Black App Control should begin flowing to Splunk.