
Splunk Dashboards

deviceTRUST includes a Splunk app to easily create a Splunk dashboard to monitor the contextual status of your remoting and DaaS environment.

The License Compliance Templates can be used with the Splunk app to monitor or enforce Device-Based Licensing requirements for one or more applications:

The Device-Based Licensing dashboard

The Splunk Status Report Template can be used to monitor the status of your remoting and DaaS environment:

The Status Report dashboard

The following steps will be performed:

  1. Step 1: Creating the Splunk Index
    1. Step 1.1: Manually creating the Splunk Index
    2. Step 1.2: Creating the Splunk Index by installing the app
  2. Step 2: Creating the Splunk Data Inputs
  3. Step 3: Importing the Splunk app
    1. Step 3.1: Downloading the Splunk app
    2. Step 3.2: Installing the Splunk app
  4. Step 4: Configuring deviceTRUST
    1. Step 4.1: The Device-Based Licensing Report
    2. Step 4.2: The Status Report

Step 1: Creating the Splunk Index

Splunk collects data in indexes, which hold the log data and make it searchable. There are different methods for working with indexes. Data can, for example, flow into one common index. Alternatively, multiple indexes can be created, one for each use case or scenario.

The deviceTRUST reports use one common index, devicetrust, for storing the data. The different use cases are separated by applying the sourcetypes devicebasedlicensing and statusreport.

Our deviceTRUST reports are built on the described combination of index and sourcetypes. If your implementation differs, the reports will have to be adjusted accordingly. Let us know and we’ll happily assist.

The relationship between indices and sourcetypes

You can either create the index devicetrust manually or by importing our prepared app dt_index.

Step 1.1: Manually creating the Splunk Index

Implementing the index manually does not require any special configuration.

  • Open your Splunk management GUI
  • Navigate to Settings\Indexes and click New Index.
The Splunk indices
  • Set the name to devicetrust. All other options are optional.
Creating the index
  • Click Save and the index will be created.
The created index

Step 1.2: Creating the Splunk Index by installing the app

To create the index from the app, please refer to Step 3.2: Installing the Splunk app within this guide. The app dt_index does not contain any elements besides the index definition for the index devicetrust.

Step 2: Creating the Splunk Data Inputs

Data is sent to the Splunk server using REST API calls, so Splunk needs to be configured to accept HTTP-based inputs. An authentication token is generated that will be added to the deviceTRUST Console configuration later.

  • Open your Splunk management GUI and navigate to Settings\Data Inputs.
The Data Inputs
  • Select HTTP Event Collector.
  • Click New Token.
Creating a new HTTP Event Collector token
  • Set a name of your choice.
  • All other settings are optional.
Selecting the source

The input settings allow you, for example, to restrict this data input to certain indexes. Any of these settings may be relevant for your environment. The function of the deviceTRUST reports will not be affected by setting them.

Defining the optional input settings
  • Review the Settings.
  • Click Submit.
Reviewing the token
  • The created token is shown.
Successfully created token
  • The created token is also displayed on the token overview page.
The token displayed on the token overview page

Additionally, the HTTP input method has to be configured. In the most basic configuration, SSL is switched off and all tokens are enabled. With SSL off, the token and the report data are sent over unencrypted HTTP.

These settings may differ in your environment. The function of the deviceTRUST reports will not be affected by setting them accordingly.

  • Open your Splunk management GUI and navigate to Settings\Data Inputs\HTTP Event Collector.
  • Click Global Settings
  • Set All Tokens to Enabled.
  • Set Enable SSL to Off.
The HTTP Event Collector Global Settings
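
A smoke test for the token and global settings configured in this step, as an added example that is not part of the deviceTRUST documentation or apps. It builds a HTTP Event Collector request for the devicetrust index and maps Splunk's response code to the setting to re-check; the host, port, token and event fields passed to it are placeholders or constructed values.

```bash
#!/usr/bin/env bash
# Added example: smoke test for the HEC token created in Step 2.
# Host, port, token and event fields are placeholders / constructed values.
HEC_INDEX="devicetrust"   # index from Step 1

# Accept only a GUID-shaped token (catches a pasted "Splunk " prefix or whitespace).
hec_token_ok() {
  printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Build the event endpoint URL; ssl=on|off mirrors Enable SSL in Global Settings.
hec_url() {  # host port ssl
  case "$3" in
    on)  printf 'https://%s:%s/services/collector/event' "$1" "$2" ;;
    off) printf 'http://%s:%s/services/collector/event' "$1" "$2" ;;
    *)   return 1 ;;
  esac
}

# Wrap a JSON event in the HEC envelope for one of the two report sourcetypes.
hec_payload() {  # sourcetype event_json
  case "$1" in
    devicebasedlicensing|statusreport) ;;
    *) return 1 ;;
  esac
  printf '{"index":"%s","sourcetype":"%s","event":%s}' "$HEC_INDEX" "$1" "$2"
}

# Map the "code" field of a HEC JSON response to the setting to re-check.
hec_diagnose() {  # response_json
  code=$(printf '%s' "$1" | sed -n 's/.*"code"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  case "$code" in
    0) echo "ok" ;;
    1) echo "token disabled: enable it under Data Inputs" ;;
    2|3|4) echo "token missing or invalid: check the Authorization header and GUID" ;;
    7) echo "incorrect index: the token's input settings do not allow $HEC_INDEX" ;;
    *) echo "unexpected response: $1" ;;
  esac
}

# Send one test event and print the diagnosis (only runs when called).
hec_send() {  # host port ssl token sourcetype event_json
  hec_token_ok "$4" || { echo "token is not a GUID" >&2; return 2; }
  url=$(hec_url "$1" "$2" "$3") && body=$(hec_payload "$5" "$6") || return 2
  resp=$(curl -sS --max-time 10 -H "Authorization: Splunk $4" -d "$body" "$url") || return 1
  hec_diagnose "$resp"
}
```

After sourcing the file, call `hec_send <host> 8088 off <token-guid> statusreport '{"test":"constructed"}'`, where 8088 is Splunk's default HEC port; a result of `ok` means the event was accepted into the devicetrust index.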

Step 3: Importing the Splunk app

Step 3.1: Downloading the Splunk app

The deviceTRUST reports are delivered as Splunk apps. The apps are available from the deviceTRUST GitHub repository.

  • Navigate to the repository and find the Splunk apps.
The Splunk apps within the deviceTRUST GitHub repository
  • The apps are provided as “spl” files which should be downloaded.
Downloading the Splunk apps
  • Alternatively, the “spl” files can be synchronized via the Git command line.
Synchronising the Splunk apps using git
  • With the apps available locally, they can be imported into Splunk.
Importing Splunk apps

Step 3.2: Installing the Splunk app

All three deviceTRUST apps are installed the same way. Thus, the app installation is described by using one example.

  • Open your Splunk management console.
  • Click Manage Apps in the apps menu.
Clicking Manage Apps
  • Click Install app from file.
Clicking Install app from file
  • Click Choose File.
Uploading an app
  • Select your app file.
Selecting your app file
  • Confirm your selection.
  • Optionally select to upgrade apps, if applicable.
  • Click Upload.
Uploading your app
  • Splunk will ask to restart the service. This is only required after importing the last app.
  • Choose Restart Now or Restart Later accordingly.
Restarting the Splunk service
  • The menu Apps\Manage Apps displays all apps that are installed in your Splunk environment.
Viewing all apps within your Splunk environment

Step 4: Configuring deviceTRUST

After the index has been created, the data input object added and all apps imported, Splunk is ready to accept, store and compute data for the deviceTRUST reports.

As the Device-Based Licensing and Status Report reports differ in their details, they are described separately here.

Step 4.1: The Device-Based Licensing Report

This step describes the configuration to be added to the deviceTRUST Console to send Device-Based Licensing data to Splunk.

The integrated templates contain all elements that are required to fully configure the agent for the Device-Based Licensing of five example applications. These five example applications can be easily edited for your own applications, or cloned to represent new applications. The elements are contexts, actions, messages and settings.

  • Open the deviceTRUST Console.
  • Click Sharing in the top right menu. You may need to click Show Advanced View if this button is not visible.
The Sharing button
  • Select Import Template
Importing a Template
  • The report Device-Based Licensing can be found within the template category License Compliance when Remoting is selected.
The License Compliance template category
  • The category contains templates for different example applications. We use Adobe Acrobat DC as an example here.
The Acrobat DC template

Two contexts are included within the template:

  • Adobe Acrobat DC Licensed Status to evaluate the device license status.
  • Adobe Acrobat DC User to define if the accessing user is licensed to use the software.
The Acrobat DC contexts

Three actions are included within the template:

  • Adobe Acrobat DC Licensed Device - Conditional Application Access - FSLogix App Masking is used for application control via FSLogix App Masking and can be ignored or deleted for the reporting use case.
  • Adobe Acrobat DC Licensed Device - Conditional Application Access - Microsoft AppLocker is used for application control via Microsoft AppLocker and can be ignored or deleted for the reporting use case.
  • Adobe Acrobat DC Licensed Device - Conditional Application Access - Reporting is the only action required for reporting.
The Acrobat DC actions
  • The action uses the Web Request task to send data to Splunk. The Audit Event, Custom Process and also the Web Request tasks for ELK Stack and Graylog can be deleted, as we are configuring Splunk here.
The Acrobat DC reporting tasks
  • The Splunk Web Request task needs to be edited to suit your environment. If you do not require SSL transport, you only have to configure your server’s FQDN and the authorization token (from the HTTP data input). Make sure to leave the keyword splunk and only add/change your authorization token’s GUID.
Configuring the Splunk Web Request task

The use case has successfully been configured. deviceTRUST will now send Device-Based Licensing data on every access to the Splunk server. The data will be presented using dashboards.

The Device-Based Licensing dashboard

Step 4.2: The Status Report

This step describes the configuration to be added to the deviceTRUST Console to send Status Report data to Splunk.

Our integrated templates contain all elements that are required to fully configure the agent for the Device-Based Licensing of five example applications. The elements are contexts, actions, messages and settings.

  • Open the deviceTRUST Console and click Sharing in the top right menu.
The Sharing button
  • Select Import Template
Importing a Template
  • The Status Report template can be found within the template category Status Report when Remoting is selected.
The Status Report template category
  • This category contains templates for several ways of storing data. Choose Splunk.
The Splunk template
  • The imported template consists of 50 contexts and one action.
  • The action Status Report – Splunk collects all relevant data and sends it to Splunk.
The Status Report - Splunk action
  • Sending data to Splunk is configured by using a Web Request task.
The Web Request task used to send data to Splunk

The Web Request task needs to be edited to suit your environment. If you do not require SSL transport, you only have to configure your server’s FQDN and the authorization token (from the HTTP data input). Make sure to leave the keyword splunk and only change your authorization token’s GUID.

Editing the Web Request task to suit your environment

The use case has successfully been configured. deviceTRUST will now send Status Report data to the Splunk server on every access to the remoting platform. There, the data will be presented using dashboards.

The Status Report dashboard