Complementing Splunk SIEM with Jamf Pro inventory
Splunk Enterprise is a self-hosted version of Splunk — a security information and event management (SIEM) solution that allows organizations to collect, index, report, and present data from multiple sources. Since fdew months there is a new option in Splunk to connect with Jamf Pro, an Apple Device Management, MDM and Inventory solution.
Once desired data is in Splunk, it’s simple to start searching across log, event and other data. This time with Splunk, we’ll look how inventory data is pulled from Jamf Pro into Splunk Enterprise with a dedicated Splunk Add-on.
For this tutorial, we will set up a test instance of Splunk Enterprise running on Ubuntu 20.04LTS. Splunk Enterprise requires Python and will be able to install on Windows, Linux, and for test purpose will even run on macOS.
The current version of Splunk Enterprise is 8.0.5; the environment is running in Python 2.7 — note this version is EOL(end of life) — Splunk Enterprise already warns you about the future change to a Python 3.x environment. Be aware of planning for some extra maintenance shortly.
The friendly folks at Jamf have written an excellent technical paper how to integrate Splunk with Jamf Pro to pull data from an “Advanced Computer/Mobile Search” — https://docs.jamf.com/technical-papers/jamf-pro/splunk/10.9.0/Introduction.html
This posting is intended to accompany that guide.
A note! This article assumes you’re a bit familiar with Jamf components such as advanced search, display inventory settings, add a user for Jamf Pro API access .
Create a Splunk Account
Installing Splunk Enterprise on Ubuntu is remarkably simple, to get hands-on the deb file to install, you need to register an account. Also note our Splunk Enterprise deployment runs in a limited 60-day trial time and will expire — for the procurement of a Splunk license reach out to a Splunk sales contact on their website.
- Go to Splunk website here
- To create your Splunk Account, provide all details.
- Press the “Create Your Account Button”
- Wait a moment, see your Email inbox, then validate your email address.
- Log in with your credentials.
- Navigate to the “Get started” section here.
- Click the “Get Started With Splunk Enterprise” button.
The full documentation for Splunk Enterprise is here.
The Jamf Pro technical paper, as mentioned earlier, is here.
A Note! Steps to begin with Splunk Cloud are explained at the beginning of another post on Splunk here.
Installing Splunk Enterprise in Ubuntu
Splunk does provide base instructions to install Splunk enterprise on all supported platforms. As it’s the most simple setup, we’ll use Ubuntu 20.04 LTS in our example.
- Download the Linux Installation Package — download the
.deb
file
2. Copy over the .deb
file via ssh to the Ubuntu Server
3. Install Splunk Enterprise with dpkg
from the .deb
file
sudo dpkg -i /tmp/splunk-8.0.5-a1a6394cc5ae-linux-2.6-amd64.deb
4. Enable Splunk at boot
sudo /opt/splunk/bin/splunk enable boot-start
5. Agree to the license
6. Create admin user to login to Splunk Enterprise
7. Start the Service
sudo service splunk start
Sign in to Splunk Enterprise
All following steps can be performed in the Splunk web interface.
- In your webbrowser go to your Splunk Enterprise instance, this is running on port 8000 (i.e. splunk.example.com:8000)
- Log in with the admin/password created in Terminal a moment ago
Install the Jamf Add-on
The Jamf Pro add-on is pulling data at a pre-defined interval.
Here is a quick walk-thru on how to install the Jamf Pro Add-On for Splunk from the Splunk web interface.
- Navigate to “Find more Apps” menu
- Search for “jamf”
- Click the “install” button
- Login with your registered Splunk Account
- Install the Add-on
- Restart Splunk Enterprise to complete the installation
- Log in to Splunk again, see the Jamf Add on now available
Advanced Search in Jamf Pro
You can quickly define which data is pulled from Jamf Pro by Splunk — for this, a new “Advanced Search” needs to be created and saved in Jamf. Splunk will retrieve all displayed inventory data from this saved search in a defined interval.
- Log in to Jamf Pro
- Create an “Advanced Search”
- In “Display” section for this saved search, enable inventory fields to be pulled by Splunk
- Save the search with a unique name (needed later in Splunk Add-on conf.)
Setup Jamf Pro Splunk Add-on
Prerequisite: for the next step to work you must have created a dedicated user account in Jamf Pro (auditor role) that allows Splunk connect to the Jamf Pro API (read more about Jamf Pro API here).
- Navigate to the Jamf Pro Add-On in the Splunk Enterprise web interface
- Click the “Create New Input” button
- Set a meaningful Name and define the interval how often Splunk will retrieve inventory data
- In the Sheet provide all details requested: Jamf Pro FQDN — JSS URL, Username/Password, API Call Name (Computers, Mobile Devices), Search Name (corresponding to the advanced search saved in Jamf Pro)
- Save the settings
- Validate your settings
After a short moment, you can start the search in Splunk Enterprise to find inventory data retrieved from Jamf Pro. From here you can explore full search and query features from Splunk.
Summary
This article is written complementary to the Jamf Technical Paper for Splunk (see more links below), and helps speed up testing some exciting features for those folks new to Splunk. If your Organization already use Splunk as a SIEM solution, the quick setup for macOS/iOS/iPadOS/tvOS inventory aggregation for Splunk is a welcome detail to have.
A ashort note about interval based Inventory pull from the Jamf Pro Add-on — this always will fetch full inventory. To see “differential” data about only inventory changes for proper historical change tracking will require significant extra work. Building a nice Dashboards representation for inventory in Splunk will also keep you busy for a while — it is certainly doable and worth it. An option to work with Jamf WebHooks is also a improvment to look into here.
In the circumstances, a “differential” inventory change tracking for macOS & iOS/iPadOS/tvOS is highly desired, a Google Santa, Osquery or other agent-based macOS endpoint event aggregation is planned out to integrate with a Splunk SIEM setup. Have a look at how to leverage Splunk as data store with Zentral — an open-source solution for infrastructure monitoring and endpoint event stream processing.
Also, don’t hesitate to contact us on further questions on all above, and discuss how an individual deployment could look like.
For more info
- Splunk Jamf Pro Add-on: https://splunkbase.splunk.com/app/4729/
- Jamf technical paper: https://docs.jamf.com/technical-papers/jamf-pro/splunk/10.9.0/Installing_and_Configuring_the_Jamf_Pro_Add-on_for_Splunk.html
- Splunk Dashboard tutorial: https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchTutorial/Aboutdashboards
- Article how Enable Splunk as backend for Zentral
- Zentral open source: https://github.com/zentralopensource/zentral