Install the Splunk Add-on for Exposure Analytics

Use the Splunk deployment server to deploy the Splunk Add-on for Exposure Analytics to your Splunk forwarders. To install the add-on, complete the following steps:

Deploy apps to forwarders

Deploy the appropriate apps to your forwarders using a local inputs configuration:

  1. Place the apps in the deployment-apps folder on your deployment server.

  2. Create a local directory in each app and place a local inputs.conf file in each one. See the local inputs.conf files below.

  3. For each type of operating system you deploy to, deploy the apps using an appropriate serverclass. For example, create a serverclass to deploy to all Windows forwarders, and a serverclass to deploy to all Linux forwarders.

Local inputs.conf Files

Before the Splunk Add-on for Exposure Analytics can collect data, you must configure inputs.conf and set the disabled attribute to false for each stanza you want to enable.

  1. Create a local directory within the app.

  2. Using a text editor, create a new inputs.conf in local for editing.

  3. Copy the inputs.conf content that follows for the relevant operating system into the local inputs.conf for each app to enable the inputs.

  4. Save the file and close it.

Windows

####################################################################
## Monitoring of Windows System Info file
[script://.\bin\ea_get_system_info_ps.bat]
disabled = false

####################################################################
## Monitoring of User details
[script://.\bin\ea_get_user_details_ps.bat]
disabled = false

####################################################################
## Monitoring of Bitlocker Info file
[script://.\bin\ea_get_bitlocker_info_ps.bat]
disabled = false

####################################################################
## Monitoring of Windows Network Info file
[script://.\bin\ea_get_network_info_ps.bat]
disabled = false

Linux

####################################################################
## Monitoring of Nix System Info
[script://./bin/ea_linux_get_system_info.sh]
disabled = false

####################################################################
## Monitoring of Network Info
[script://./bin/ea_linux_get_network_info.sh]
disabled = false

####################################################################
## Monitoring of User details
[script://./bin/ea_linux_get_user_details.sh]
disabled = false

####################################################################
## Monitoring of RPM/DEB Installed Software Packages
[script://./bin/ea_linux_get_packages_list.sh]
disabled = false

Mac

####################################################################
## Monitoring of Mac OSx InstalledPrograms
[script://./bin/ea_osx_get_app_list.sh]
disabled = false

####################################################################
## Monitoring of Mac OSx System Info
[script://./bin/ea_osx_get_system_info.sh]
disabled = false

####################################################################
## Monitoring of Network Info
[script://./bin/ea_osx_get_network_info.sh]
disabled = false

####################################################################
## Monitoring of User details
[script://./bin/ea_osx_get_user_details.sh]
disabled = false
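
A pre-deployment check for the inputs.conf files above, added here as an example and not part of the add-on or its documentation: every enabled script:// stanza executes a file on each forwarder that receives the app, so this Python check reports enabled stanzas whose script is missing, resolves outside the app's bin directory, or is group- or world-writable. The app name sample_ea_app and the function names are hypothetical, the sample files are constructed, and the permission test assumes a POSIX deployment server.

```python
import configparser
import stat
import tempfile
from pathlib import Path

def audit_inputs(app_dir):
    """Return (stanza, problem) for each enabled script:// input that fails a check."""
    app_dir = Path(app_dir).resolve()
    bin_dir = app_dir / "bin"
    conf = configparser.ConfigParser(strict=False, interpolation=None)
    # Later files override earlier ones, mirroring local-over-default precedence.
    conf.read([app_dir / "default" / "inputs.conf", app_dir / "local" / "inputs.conf"])
    findings = []
    for stanza in conf.sections():
        if not stanza.startswith("script://"):
            continue
        if conf.get(stanza, "disabled", fallback="false").strip().lower() in ("true", "1"):
            continue  # disabled stanzas never execute
        # Windows stanzas use backslashes; normalise so this runs on any server OS.
        rel = stanza[len("script://"):].replace("\\", "/")
        script = (app_dir / rel).resolve()
        if bin_dir not in script.parents:
            findings.append((stanza, "resolves outside the app's bin directory"))
        elif not script.is_file():
            findings.append((stanza, "script not found"))
        elif script.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((stanza, "script is group- or world-writable"))
    return findings

def demo():
    """Build a constructed app (hypothetical name) in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        app = Path(root) / "sample_ea_app"
        (app / "bin").mkdir(parents=True)
        (app / "local").mkdir()
        for name, mode in (("ea_linux_get_system_info.sh", 0o755),
                           ("ea_linux_get_user_details.sh", 0o777)):
            (app / "bin" / name).write_text("#!/bin/sh\n")
            (app / "bin" / name).chmod(mode)
        (app / "local" / "inputs.conf").write_text(
            "## constructed sample\n"
            "[script://./bin/ea_linux_get_system_info.sh]\ndisabled = false\n"
            "[script://./bin/ea_linux_get_user_details.sh]\ndisabled = false\n"
            "[script://./bin/ea_linux_get_packages_list.sh]\ndisabled = false\n"
            "[script://./bin/ea_linux_get_network_info.sh]\ndisabled = true\n")
        return audit_inputs(app)

if __name__ == "__main__":
    for stanza, problem in demo():
        print(f"{stanza}: {problem}")
```

Run audit_inputs against each app directory under deployment-apps before reloading the deployment server; an empty list means every enabled stanza points at a script inside that app's bin directory that is writable only by its owner.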

Uninstall

To uninstall the Splunk Add-on for Exposure Analytics, use forwarder management to remove the deployment apps from your deployment server. See Uninstall an app in the Splunk Enterprise Admin Manual.

Next step

Once deployed, check for data by entering the following search:

index=ea_sources sourcetype=ea:ta:asset

Add entity discovery sources for the add-on in Splunk Enterprise Security.

See Predefined entity discovery sources available for the Splunk Add-on for Exposure Analytics.