To enable a Splunk server to import Carbon Black App Control data for analysis, you must make modifications on both the system hosting the Carbon Black App Control Server and the Splunk server. The summary of these steps is as follows:
- Have a Splunk Server running and network-accessible to the Carbon Black App Control Server.
- Set up the Splunk Server to receive messages from the Splunk Forwarder. See Set up the Splunk Server to Receive Splunk Universal Forwarder Messages.
- Install the Splunk App for Carbon Black App Control on the Splunk Server. See Install the Splunk App for Carbon Black App Control on the Splunk Server.
- Install the Splunk App for Carbon Black App Control on every machine that runs a Splunk Indexer and is not the machine running Splunkweb.
- Install the Splunk Forwarder on the Carbon Black App Control Server. See Install the Splunk Forwarder on the Carbon Black App Control Server.
- Install the Splunk App for Carbon Black App Control on the Splunk Forwarder. See Install the Splunk App on the Carbon Black App Control Server.
Note:
Instructions for setting up the Carbon Black App Control App for Splunk also exist on the Splunk web site and might be more recent than those provided here. See: https://splunkbase.splunk.com/app/1790/#/details.