Perform the following procedure to install the Splunk App for Carbon Black App Control on the Carbon Black App Control Server.
Procedure
- Search for and download the Splunk App for Carbon Black App Control from the Splunk apps website: https://splunkbase.splunk.com.
- Copy the downloaded file (for example, cb-protection-app-for-splunk_20.tar.gz) to the \etc\apps subdirectory under the Splunk Forwarder installation directory. For example, if you are running a 64-bit OS on the Carbon Black App Control Server, copy the file to C:\Program Files\SplunkUniversalForwarder\etc\apps\.
Note: Numbers at the end of the file name vary with app version changes.
- Unzip and untar the file.
- Go into the bit9-secapp directory and create a new directory named local.
- Copy default\inputs.conf into the local directory.
- Edit the first line of local\inputs.conf to point to the location of the Export Directory configured on the System Configuration/External Analytics page of the Carbon Black App Control Console, and save the file. For example, if the Export Directory on the Carbon Black App Control Server is D:\Bit9\LogFiles, change the first line of inputs.conf to [monitor://D:\Bit9\LogFiles\*.bt9].
- At a command prompt, restart the Splunk Forwarder:
cd \Program Files\SplunkUniversalForwarder\bin
.\splunk.exe restart
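
The copy, extract, and inputs.conf steps above, scripted in PowerShell as an added example (not part of the original Carbon Black or Splunk documentation). The download location C:\Temp, the availability of tar.exe, and an elevated PowerShell session are assumptions; the other paths are the example values used in the procedure.

```powershell
# Added example: automates the procedure's copy, extract, and inputs.conf steps.
# Assumed values (adjust to your environment): archive location and tar.exe on PATH.
$ErrorActionPreference = 'Stop'
$AppsDir   = 'C:\Program Files\SplunkUniversalForwarder\etc\apps'
$Archive   = 'C:\Temp\cb-protection-app-for-splunk_20.tar.gz'   # assumed download location
$ExportDir = 'D:\Bit9\LogFiles'                                  # Export Directory set in the console
$AppDir    = Join-Path $AppsDir 'bit9-secapp'

# Fail early if the Export Directory is wrong; a wrong path means no events are forwarded.
if (-not (Test-Path -LiteralPath $ExportDir -PathType Container)) {
    throw "Export Directory not found: $ExportDir"
}

# Copy the archive into etc\apps, then unzip and untar it there.
Copy-Item -LiteralPath $Archive -Destination $AppsDir
tar -xzf (Join-Path $AppsDir (Split-Path $Archive -Leaf)) -C $AppsDir
if ($LASTEXITCODE -ne 0) { throw "tar failed with exit code $LASTEXITCODE" }

# Create local\ and copy default\inputs.conf into it, without overwriting an existing override.
$LocalDir  = Join-Path $AppDir 'local'
$LocalConf = Join-Path $LocalDir 'inputs.conf'
New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null
if (-not (Test-Path -LiteralPath $LocalConf)) {
    Copy-Item -LiteralPath (Join-Path $AppDir 'default\inputs.conf') -Destination $LocalConf
}

# Rewrite only the first line, and only if it is a monitor stanza header as the procedure describes.
$lines = @(Get-Content -LiteralPath $LocalConf)
if ($lines[0] -notmatch '^\[monitor://.*\]\s*$') {
    throw "First line of $LocalConf is not a [monitor://...] stanza: $($lines[0])"
}
$lines[0] = "[monitor://$ExportDir\*.bt9]"
Set-Content -LiteralPath $LocalConf -Value $lines

# Restart the forwarder so it picks up the new input.
& 'C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe' restart
```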