Add Splunk documentation #386

Merged
merged 11 commits into from
Aug 12, 2024
Changes from 6 commits
1 change: 1 addition & 0 deletions custom-words.txt
@@ -28,6 +28,7 @@ keypair
keyserver
Kubebuilder
LDIF
libmagic
LLDB
Mailcatcher
minio
104 changes: 104 additions & 0 deletions docs/getting-started/enterprise/splunk-app.md
@@ -0,0 +1,104 @@
# Splunk App

The Bitwarden Splunk app fetches event log data from the Bitwarden Public API and makes it available
in Splunk.

## Requirements

- Docker. If you're using an Apple Silicon Mac, enable _Docker Desktop_ -> _Settings_ -> _General_
-> _Use Rosetta for x86_64/amd64 emulation on Apple Silicon_
- Python 3.8 or 3.9
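Review bot: the interpreter range given here is restated in prose in step 4 of "Configure your environment" below (`Where <executable> is the executable for Python 3.8 or 3.9`), so whichever range the requirements settle on, change both places or have step 4 refer back to this list; otherwise a reader following the later step picks a version the requirements no longer name. It would also help to say why the Docker Desktop Rosetta toggle is needed: the Splunk image is later started with `--platform linux/amd64`, and that is the only reason Apple Silicon users need x86_64 emulation.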
Contributor
@mzieniukbw mzieniukbw Jul 19, 2024

I have just tested other python versions and it works fine with 3.7-3.10
In 3.11 and 3.12 the ./package.sh step produces an error during splunk-appinspect package validation - looks like the splunk tooling is not compatible with newer versions of python.
Also let's add 3.7, even though it's EOL, since it is still supported by Splunk.

Suggested change
- Python 3.8 or 3.9
- Python 3.7-3.10

- [Poetry][poetry]
- libmagic (macOS only), available via homebrew: `brew install libmagic`
- A Bitwarden server with event logging configured and an enterprise organization. To set this up
Contributor
  • Event logging works out of the box, there is nothing to configure - unless it's some custom self-hosted setup, which does not have event logging enabled.
  • Event logging works on any business plan, including Teams - makes me wonder if this belongs to the "Enterprise" section 🤔

Member Author
  • event logging - that's true, I've amended this to be more specific. Many devs, myself included, just run the minimum api & identity projects when developing day-to-day, so I want to highlight the additional requirements here
  • plan requirements - also true! I've fixed this. The "Enterprise" category is meant to describe enterprise use (business use), not the enterprise plan specifically, maybe it could be better named. Directory Connector is under this category and that is also compatible with Teams plans.

locally, see the [Setup Guide](../server/guide.md) and [Event Logging](../server/events.md)

## Set up and configuration

### Configure your environment

1. Clone the Github repository:

```
git clone https://github.com/bitwarden/splunk.git
```

2. Navigate to the root of the repository:

```
cd splunk
```

3. Activate the poetry shell:

```
poetry shell
```

4. Tell poetry to use the required Python version:

```
poetry env use <executable>
```

Where `<executable>` is the executable for Python 3.8 or 3.9. If this is in your PATH variable
then you do not need to specify the full path. e.g. `poetry env use python3.8`

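Review bot: steps 3 and 4 are in the wrong order. `poetry env use <executable>` has to run before `poetry shell`: `poetry shell` activates (creating it if necessary) the project environment for whichever interpreter Poetry currently resolves, and switching the interpreter afterwards leaves the reader inside that first environment while the later `poetry install --with dev` targets the new one. Two smaller points in the same block: "Github" in step 1 should be "GitHub", and the bare ``` fences could carry a `bash` tag so the docs site highlights them like the rest of the guide.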
Contributor
I just did a fresh test and I think this should be the other way around.
We firstly tell poetry to create the virtual environment for the python version we want to use.
And then we activate it with poetry shell

5. Install dependencies:

```
poetry install --with dev
```

### Set up Splunk Enterprise

1. Run Splunk Enterprise:

```
docker run --rm --platform linux/amd64 --name splunk -d -p 8001:8000 -p 8089:8089 -e SPLUNK_START_ARGS='--accept-license' -e SPLUNK_PASSWORD='password' splunk/splunk:latest
```

Please note this will set the admin password to `password`. This is for development purposes
only.

2. Confirm that Splunk is running by navigating to http://localhost:8001

### Deploy the app

1. Package the app:

```
./package.sh
```

This will produce a packaged Splunk app in `output/bitwarden_event_logs.tar.gz`

2. Deploy the app to Splunk:

```
./deploy.sh
```

This will restart Splunk and it may take a few seconds to become available again after the script
is finished

3. (optional) Check the logs for errors or for debugging purposes later:
```
docker exec -u splunk -it splunk tail -f /opt/splunk/var/log/splunk/bitwarden_event_logs_beta.log
```

### Configure the app in Splunk

1. Navigate to the Splunk web app: http://localhost:8001

2. Log in with the username `admin` and the password `password`

3. Click on the _Apps_ -> _Bitwarden Event Logs_

4. Complete the setup. Refer to the [Bitwarden Help Center][Bitwarden Splunk SIEM] for more
information about configuration

You should now see your organization events in _Apps_ -> _Bitwarden Event Logs_ -> _Dashboards_.

[Bitwarden Splunk SIEM]: https://bitwarden.com/help/splunk-siem/
[poetry]: https://python-poetry.org/docs/#installation
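Review bot: the `docker run` in "Set up Splunk Enterprise" publishes both the web UI (8000) and the management port (8089) on all interfaces, with the admin password fixed to `password`, so anyone on the same office or conference network can log in to, and push apps to, the developer's Splunk instance. Bind the published ports to loopback instead: `-p 127.0.0.1:8001:8000 -p 127.0.0.1:8089:8089`; the "development purposes only" warning under the command should say this is why. Related: the app fetches events from inside that container, so a Bitwarden server started locally per the linked Setup Guide is not reachable as `localhost` from it; the "Configure the app in Splunk" step should say that whatever server address the setup form takes must be reachable from inside the container (on Docker Desktop, `host.docker.internal` reaches the host). Minor: step 3 of "Deploy the app" has no blank line before its fence, unlike the other steps, and some Markdown renderers will not treat it as a code block.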