Splunk Client Policy Configuration Items

In the Client Policy Builder, the following configuration items appear for the Tenable Log Correlation Engine Splunk Client.

The following table lists the configuration items that are valid for the Tenable Log Correlation Engine Splunk Client, and provides a brief description of each.

Each configuration item below is listed with its description, an XML example, and its valid values.

Splunk server

The IP addresses of one or more Splunk servers that are sending data to the Tenable Log Correlation Engine Splunk Client.

Note: The Tenable Log Correlation Engine Splunk Client requires at least one IP address to be entered in order to receive data. If no Splunk servers are added, the Tenable Log Correlation Engine Splunk Client will not open the Listen port.

In order for the Splunk Client to function, you will need to edit the Client policy, include the required syntax noted below, and specify your Splunk server.

XML Example:

<splunk-server>192.0.2.10</splunk-server>

Valid values: One IP address per entry.

Listen port

The port to which the Splunk servers are sending data.

XML Example:

<listen-port>8000</listen-port>

Valid values: An integer from 1024 to 65535. Privileged ports (lower than 1024) are not valid for this configuration item.

Syslog server

The IP address or hostname and port number of the syslog server that you want the Tenable Log Correlation Engine Splunk Client to forward events to in addition to the Tenable Log Correlation Engine server.

XML Examples:

<syslog-server>192.0.2.10:8000</syslog-server>

<syslog-server>corpnet8557:8000</syslog-server>

Valid values: <IP or Hostname>:<Port Number>, where

  • <IP or Hostname> is an IP address, or a hostname with a maximum length of 46 characters.
  • <Port Number> is an integer from 1 to 65535.

Delimiter

The custom delimiters that you want to apply to parse events in Splunk logs. You can include multiple Delimiter entries in your policy.

Note: By default, the policy includes the delimiter for Windows multiline logs. This delimiter is not required by the policy.

XML Example:

<delimiters>
    <delimiter>
        <start>\d{1,2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (A|P)M</start>
        <end>[^\r]\n</end>
    </delimiter>
</delimiters>

Valid values: See Delimiters.

Log directory

Directory containing files, named according to the date, that contain Tenable Log Correlation Engine Splunk Client log messages.

XML Example:

<log-directory></log-directory>

Valid values: A path to an existing directory.

Client heartbeat frequency

Caution: This configuration item is deprecated for versions 4.6 and later of the Tenable Log Correlation Engine Splunk Client. Client heartbeat period should be used instead.

XML Example:

<heartbeat-frequency>600</heartbeat-frequency>

Valid values: None (deprecated).

Client heartbeat period

The number of seconds between each client heartbeat message to the Tenable Log Correlation Engine server. If not used or set to 0, the client will not send heartbeats.

XML Example:

<heartbeat-period>600</heartbeat-period>

Valid values: An integer.

Client statistics frequency

Caution: This configuration item is deprecated for versions 4.6 and later of the Tenable Log Correlation Engine Splunk Client. Client statistics period should be used instead.

XML Example:

<statistics-frequency>60</statistics-frequency>

Valid values: None (deprecated).

Client statistics period

The number of minutes between each client host performance statistics report (CPU, Disk Space, and Physical Memory) to the Tenable Log Correlation Engine server. If not used or set to 0, client statistics will not be sent.

XML Example:

<statistics-period>60</statistics-period>

Valid values: An integer.

Compress events

Whether the client compresses log data before sending it to the Tenable Log Correlation Engine server, to save bandwidth. Recommended except when debugging. If set to 0, events are not compressed.

XML Example:

<compress-events>1</compress-events>

Valid values: 0 (off) or 1 (on).

Compression level

The zlib compression level to use when compressing events for transmission across the network, on a scale from 1 to 9. 1 provides the least compression, resulting in minimum CPU usage and minimum bandwidth savings; 9 maximizes compression, resulting in increased CPU usage and maximum bandwidth savings. Ignored unless compression is enabled.

XML Example:

<compression-level>5</compression-level>

Valid values: An integer from 1 to 9.

Minimum compression ratio

Defines the minimum acceptable savings ratio for event data being transmitted across the network, in terms of (bytes total) / (bytes compressed). If the client determines that the savings ratio would be less than this value, the event data is not compressed before sending. This spares the Tenable Log Correlation Engine server the effort of decompressing event data when the compression benefit is minimal. Ignored unless compression is enabled.

XML Example:

<minimum-compression-ratio>1.5</minimum-compression-ratio>

Valid values: A decimal number.

Minimum compression input size

The minimum number of bytes a packet must have to be compressed. Ignored unless compression is enabled.

XML Example:

<minimum-compression-input-size>2048</minimum-compression-input-size>

Valid values: An integer greater than 0.

Debug level

Controls the debugging information that is logged.

XML Example:

<debug-level>NONE</debug-level>

Valid values: One of the following:

  • NONE
  • VERBOSE
  • INFO
  • WARN
  • ERROR

Event queue timeout

Maximum number of seconds between event messages the client sends to the Tenable Log Correlation Engine server.

XML Example:

<event-queue-timeout>30</event-queue-timeout>

Valid values: An integer greater than 0.

Local IP net

If a host has multiple network connections, this item lets you specify which network to use. If it is not set, or the CIDR does not match any network, the client uses the first network connection detected.

XML Example:

<local-ip-net>192.0.2.0/8</local-ip-net>

Valid values: A CIDR.

Event file

Path to a file that receives events. Relative paths are interpreted relative to the client's installation directory.

XML Example:

<write-events-to-file></write-events-to-file>

Valid values: A path to an existing file.

Write events to standard output

Whether to write events to standard output (stdout). Every event picked up by the Tenable Log Correlation Engine Splunk Client has its raw log printed to the client's stdout (by default, a terminal session) before the client sends it to the Tenable Log Correlation Engine server for processing. This configuration item is useful for debugging and troubleshooting.

XML Example:

<write-events-to-stdout>0</write-events-to-stdout>

Valid values: 0 (off) or 1 (on).
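As an added check that is not part of Tenable's documentation or product, the following Python lints a policy fragment against the value rules in this table: at least one splunk-server IP, listen-port in 1024 to 65535, syslog-server as host:port with the 46-character host limit, compression-level 1 to 9, the five debug-level names, and the two items deprecated in 4.6. The <policy> wrapper root and the sample values are assumptions made for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Constructed sample; <policy> is a hypothetical wrapper root so the
# fragment parses as one document (not the product's file format).
SAMPLE_POLICY = """<policy>
  <splunk-server>192.0.2.10</splunk-server>
  <listen-port>8000</listen-port>
  <syslog-server>corpnet8557:8000</syslog-server>
  <heartbeat-frequency>600</heartbeat-frequency>
  <compression-level>5</compression-level>
  <debug-level>DEBUG</debug-level>
</policy>"""
DEBUG_LEVELS = {"NONE", "VERBOSE", "INFO", "WARN", "ERROR"}
DEPRECATED = {"heartbeat-frequency": "heartbeat-period", "statistics-frequency": "statistics-period"}

def _int_in(text, lo, hi):
    try:
        return lo <= int(text) <= hi
    except (TypeError, ValueError):
        return False

def lint_policy(xml_text):
    """Return a list of findings for the value rules in the table above."""
    root = ET.fromstring(xml_text)
    out = []
    servers = [(e.text or "").strip() for e in root.findall("splunk-server")]
    if not servers:  # without one, the client never opens the listen port
        out.append("no splunk-server entry: listen port will not be opened")
    for s in servers:
        try:
            ipaddress.ip_address(s)
        except ValueError:
            out.append(f"splunk-server must be one IP address: {s!r}")
    for e in root.findall("listen-port"):
        if not _int_in(e.text, 1024, 65535):  # privileged ports are not valid
            out.append(f"listen-port must be 1024-65535: {e.text!r}")
    for e in root.findall("syslog-server"):
        host, sep, port = (e.text or "").rpartition(":")
        if not sep or not 0 < len(host) <= 46 or not _int_in(port, 1, 65535):
            out.append(f"syslog-server must be <host>:<1-65535>: {e.text!r}")
    for e in root.findall("compression-level"):
        if not _int_in(e.text, 1, 9):
            out.append(f"compression-level must be 1-9: {e.text!r}")
    for e in root.findall("debug-level"):
        if (e.text or "").strip() not in DEBUG_LEVELS:
            out.append(f"debug-level not in {sorted(DEBUG_LEVELS)}: {e.text!r}")
    for old, new in DEPRECATED.items():  # deprecated in 4.6 and later
        if root.find(old) is not None:
            out.append(f"{old} is deprecated; use {new} instead")
    return out
```

Running `lint_policy(SAMPLE_POLICY)` reports the invalid debug level and the deprecated heartbeat item; a fragment with no splunk-server entry is flagged because the client would never open its listen port.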