Introduction

This article, along with the attached guide at the bottom of the page, provides step-by-step instructions for installing and setting up Authentic8 Silo Add-on (TA) for Splunk Enterprise. Authentic8 Silo Add-on for Splunk | Splunkbase 


Prerequisites:

  • Access to Splunk Online Portal:
  • A Silo account with administrator access for your organization
  • A Silo Service Account and associated Log API Auth Token (by request)
  • An existing server running a supported operating system and version of software

Supported Splunk Versions:

  • Splunk Enterprise version 8.x, 9.x
  • Splunk Cloud with heavy forwarders

Supported Operating Systems:

  • Red Hat Enterprise Linux (RHEL)
    • Versions: 7.x, 8.x, 9.x
  • Debian
    • Versions: 9.x, 10.x, 11.x, 12.x
  • Ubuntu
    • Versions: 16.x, 18.x, 20.x, 22.x

Required Dependencies for Splunk Add-On:

  • RHEL Package Dependencies:
    • libmpc, libmpc-devel, gmp-devel, gcc, mpfr, mpfr-devel, gmp
  • Debian/Ubuntu Package Dependencies:
    • libgmp-dev, libmpfr-dev, libmpc-dev


Supported Log Types:

  • URL
  • DOWNLOAD
  • UPLOAD
  • SESSION
  • AUTH (authentication logs for Silo session ONLY)
  • ADMIN_AUDIT
  • LOCATION CHANGE
  • BLOCKED URL
  • TRANSLATION
  • A8SS (Secure Storage)
  • HARVEST (covers both Harvester and Collector use)
  • ENC (Log type if Log Encryption is Enabled)


Known Limitations:

We currently only support the management of 91 different private encryption keys. If you need support for more than 91 keys, please submit a support ticket.


Known Issues:

  • Compatibility Issues: Does not work on Splunk running on a server with a Windows Operating System.
  • Configuration Errors: If incorrect input is provided during configuration after the add-on is installed, no Splunk errors are thrown. The errors, including an incorrect private key for encryption or API token, will be located in the add-on logs (ta-authentic8.log).
    • If the mistake does not cause an error (e.g., using the wrong Org name), no errors will appear in the logs or Splunk UI. However, the ta-authentic8.log file will indicate that nothing is being collected during the interval, showing "No data is available" and sequence ID as 0 for all log types unless the add-on has been successfully run in the past.
  • Multiple Organizations: The add-on does not support pulling logs for two top-level Silo Organizations as the sequence IDs for the logs between the two organizations will differ. However, there are no issues with pulling multiple sub-orgs in addition to the parent organization.
  • Dependency Installation: If you install the application without installing the dependencies, the following error will show up in Splunk: "Unable to initialize modular input 'authentic8' defined in the app 'TA-authentic8': Introspecting scheme=authentic8: script running failed (exited with code 1)." This cannot be solved by installing the dependencies afterward but will require removing the Authentic8 Splunk Add-on completely, installing the dependencies, and then reinstalling the add-on.
  • Sub-dependencies: Dependencies such as libgmpxx4ldbl and libmpc3, which are sub-dependencies, can also cause similar errors.


Additional Resources:

Download the complete Splunk Enterprise Installation and Configuration Guide.


Additional Notes  

Please contact Support if you have any additional questions and/or require further information.