This tutorial explains how to install, manage, and uninstall version 2.2 of the Code42 app for Splunk. It also provides basic troubleshooting information.
- Version 2.2 of the Code42 app for Splunk works with Code42 environment version 6.x.
- You must have an existing Splunk Enterprise environment to use the Code42 app for Splunk.
- Code42 cannot provide technical support for Splunk Enterprise. Contact Splunk for help with Splunk Enterprise.
- The device(s) used to run Splunk Enterprise and the Code42 app for Splunk must have network access to the Code42 server on port 4285 (HTTPS) or 4280 (HTTP). Port 4285 is the default port.
Before you begin
Prepare a user account in your Code42 environment for configuring the Code42 app for Splunk. This user is used to authenticate and access data in your Code42 environment.
- Permissions: The Code42 app for Splunk returns data based on the permission level of the role assigned to this user. The SYSADMIN role provides access to data for your entire Code42 environment. If the user's role has more restrictive permissions, test that the user can access the data you expect the app to return.
- Licensing: As a best practice, we recommend creating a user in your Code42 environment that is exclusively used to configure your Code42 app for Splunk. This way, configuration of your Code42 app for Splunk isn’t tied to a particular individual. Users without a Code42 archive will not consume a license.
Install the Code42 app for Splunk
Step 1: Download and install the Code42 app for Splunk
- Download version 2.2 of the Code42 app for Splunk.
- From your Splunk Enterprise server's home page, click the Manage Apps button.
- Click Install app from file.
- Click Choose File.
- Select the Code42 app for Splunk (code42.spl).
- Restart your Splunk Enterprise server to complete the installation.
Step 2: Configure the Code42 app for Splunk
- Sign in to Splunk Enterprise as an administrator.
Splunk Enterprise displays a confirmation message:
- Click Set up now when prompted.
- Enter the full hostname or IP address of your authority server in the Console Hostname field.
- Enter the port used by your authority server in the Console Port field.
The default port is 4285.
- Enter the username of the Code42 platform user that you want to use to authenticate with your authority server in the Console Username field.
- Enter the user's password in the Console Password field.
- Confirm the user's password.
- Click Save.
Splunk Enterprise displays the Apps management screen.
Step 3: Test the Code42 app for Splunk
- Go to the home page of your Splunk Enterprise server.
- Click the Code42 app for Splunk icon.
- Explore the data generated by the panels.
Manage the Code42 app for Splunk
Add additional data sources
SSL certificate validation
If your authority server uses a self-signed certificate, you can optionally disable SSL certificate validation to avoid displaying an error.
- Click Manage Apps.
- Click the Set up link for the Code42 app for Splunk.
- Disable Require SSL certificate validation.
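Before disabling validation, it is worth checking why the authority server's certificate fails, because in most cases the fix is to trust the issuing CA rather than to stop validating. The preflight script below is an added example, not Code42's or Splunk's own code; it assumes openssl is installed on the Splunk host and that the host and port are the values you enter in Console Hostname and Console Port.

```shell
#!/bin/sh
# Preflight TLS check for the Code42 authority server (added example, not Code42's code).
# Assumes: openssl 1.1+ on PATH; host/port are the Console Hostname / Console Port values.

# Map the "Verify return code" line of openssl s_client output to admin guidance.
# Codes are OpenSSL X509 verify results: 0 ok, 10 expired, 18/19 self-signed,
# 20/21 issuer not in trust store, 62 hostname mismatch.
classify_verify() {
  code=$(printf '%s\n' "$1" | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p')
  case "$code" in
    0)     echo "ok: chain validates; keep 'Require SSL certificate validation' enabled" ;;
    18|19) echo "self-signed: add the server certificate or its CA to the trust store instead of disabling validation" ;;
    20|21) echo "untrusted-issuer: add the issuing CA to the Splunk host's trust store" ;;
    10)    echo "expired: renew the authority server certificate" ;;
    62)    echo "hostname-mismatch: use a hostname present in the certificate SAN as Console Hostname" ;;
    "")    echo "no-result: no TLS handshake (wrong port, connection refused, or HTTP on 4280?)" ;;
    *)     echo "fail($code): investigate before disabling validation" ;;
  esac
}

# Connect to the authority server and classify the result (needs network access to port 4285).
check_code42_tls() {
  host=$1
  port=${2:-4285}
  out=$(printf '' | openssl s_client -connect "$host:$port" \
        -servername "$host" -verify_hostname "$host" 2>/dev/null)
  classify_verify "$out"
}

# Usage: check_code42_tls authority.example.internal 4285
```

The script only reports; disabling validation in the app setup remains a deliberate choice after you have seen the reason.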
Troubleshoot the Code42 app for Splunk
- Data may not appear in the panels immediately. Rather, data will update at scheduled intervals. The scheduled intervals are configured to avoid overloading your authority server with requests.
- If data for a panel is missing, confirm that the Code42 environment user account has the necessary permissions to view that data within your Code42 environment.
To use the commands and paths listed below, you must know the path to your Code42 app for Splunk installation, which varies by platform. The path to the Code42 app for Splunk installation is referred to as <path-to-splunk> below. See the Splunk Enterprise documentation for the default installation directory for your operating system.
The Code42 app for Splunk updates a log file that contains useful information for troubleshooting, including error messages and security warnings. The log file is located at:
Upgrade the Code42 app for Splunk
When a new version of the Code42 app for Splunk is released, uninstall and reinstall the app to upgrade:
- Follow the steps in the section below to uninstall the current Code42 app for Splunk version.
Part of uninstalling the Code42 app for Splunk involves deleting the cache, which removes all existing Code42 data from Splunk Enterprise. This is necessary to prevent duplicate events when you reinstall the newer version; reinstalling the app re-imports all existing historical data from your Code42 environment into Splunk.
If you have data in Splunk that no longer exists in your Code42 environment (such as security archives that were moved to cold storage and deleted), that data will not be re-imported into Splunk. To preserve this information, you need to save the Splunk data before uninstalling the Code42 app for Splunk.
- Follow the steps in the section above to install the latest Code42 app for Splunk version.
Uninstall the Code42 app for Splunk
- Open a terminal window (Linux or Mac) or command prompt (Windows) on your Splunk Enterprise server.
- Run the following command to stop Splunk Enterprise:
- Run the following command to clear the index, which completely removes all data related to the Code42 app for Splunk:
<path-to-splunk>/bin/splunk clean eventdata -index code42
- Run the following command to remove the Code42 app for Splunk:
<path-to-splunk>/bin/splunk remove app code42
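The upgrade notes above warn that cleaning the index discards any Code42 data that no longer exists in your Code42 environment, so the uninstall should not run until that data has been saved. The helper below is an added example, not Code42's or Splunk's own code; it assumes SPLUNK_HOME is your <path-to-splunk> directory, that the Splunk CLI search can authenticate as the admin user given in SPLUNK_AUTH, and it refuses to clean the index unless a non-empty export exists.

```shell
#!/bin/sh
# Uninstall/upgrade helper for the Code42 app for Splunk (added example, not Code42's code).
# Assumes: SPLUNK_HOME is <path-to-splunk>; SPLUNK_AUTH is "user:password" for the CLI search.
set -e
SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunk}
SPLUNK_AUTH=${SPLUNK_AUTH:-admin:changeme}   # placeholder credentials, replace before use

# Export the whole code42 index to CSV while splunkd is still running, so events that
# Code42 will not re-import (e.g. archives moved to cold storage) survive the clean.
export_code42_index() {
  "$SPLUNK_HOME/bin/splunk" search 'index=code42' -auth "$SPLUNK_AUTH" \
      -maxout 0 -output csv > "$1"
}

# A backup is usable only if the file exists and is non-empty.
backup_is_usable() {
  [ -s "$1" ]
}

# The documented uninstall sequence, gated on a usable backup.
uninstall_code42_app() {
  backup=$1
  if ! backup_is_usable "$backup"; then
    echo "refusing to clean index: no usable backup at $backup" >&2
    return 1
  fi
  "$SPLUNK_HOME/bin/splunk" stop
  "$SPLUNK_HOME/bin/splunk" clean eventdata -index code42 -f
  "$SPLUNK_HOME/bin/splunk" remove app code42
}

# Usage: export_code42_index /var/backups/code42.csv && uninstall_code42_app /var/backups/code42.csv
```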
For more information on using Splunk Enterprise with your Code42 environment:
Numerous performance and stability improvements, including:
- Better error handling.
- Improvements to logging.
- More accurate event counts.
- Optimized event processing, especially for large numbers (10,000+) of events.
- If a storage server is unavailable, the app now requests events from any other available storage server.
- Corrects a recent issue that prevented the complete set of security events collected for archives stored in the Code42 cloud from being imported to Splunk.
- Corrects an issue in which some administrators were unable to view security events in provider storage environments.
- Support for new features in Code42 server version 5.1, including file content pattern matching, file upload detection and other endpoint monitoring events.
- Other enhancements for security and stability.
- Performance and stability improvements.
- Initial release.