Creating and Uploading a Splunk HTTP Event Collector Configuration Profile

If you use Splunk as your SIEM software and want to use HTTP Event Collector for reporting, it is recommended that you configure a Splunk HTTP Event Collector configuration profile in Jamf Pro. Jamf Pro is an MDM solution that administrators use to configure settings for Compliance Reporter and to deploy Compliance Reporter to target computers. For instructions on configuring the Splunk HTTP Event Collector, see Set up and use HTTP Event Collector in Splunk Web in the Splunk Enterprise documentation.

  1. In Jamf Pro, click Computers at the top of the sidebar.
  2. In the sidebar, click Configuration Profiles.
  3. Click Upload.
  4. Upload a configuration profile like the following, changing the settings as needed:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>PayloadContent</key>
      <array>
        <dict>
          <key>PayloadContent</key>
          <dict>
            <key>com.jamf.compliancereporter</key>
            <dict>
              <key>Forced</key>
              <array>
                <dict>
                  <key>mcx_preference_settings</key>
                  <dict>
                    <key>AuditEventExcludedProcesses</key>
                    <array>
                      <string>/usr/sbin/mDNSResponder</string>
                      <string>/usr/sbin/syslogd</string>
                      <string>/Applications/splunk/bin/splunk-optimize</string>
                    </array>
                    <key>AuditEventExcludedUsers</key>
                    <array>
                      <string>_spotlight</string>
                      <string>_windowserver</string>
                    </array>
                    <key>AuditEventLogVerboseMessages</key>
                    <false/>
                    <key>AuditLevel</key>
                    <integer>1</integer>
                    <key>FileEventExclusionPaths</key>
                    <array>
                      <string>/Applications/splunk.*</string>
                    </array>
                    <key>FileEventInclusionPaths</key>
                    <array>
                      <string>/usr/lib/pam/.*</string>
                      <string>/Library/Launch.*</string>
                      <string>/Library/StartupItems/.*</string>
                      <string>/Library/Extensions/.*</string>
                      <string>/Library/Preferences/.*</string>
                      <string>/Library/PrivilegedHelperTools/.*</string>
                      <string>/private/etc/.*</string>
                    </array>
                    <key>LicenseEmail</key>
                    <string>example@mycompany.com</string>
                    <key>LicenseExpirationDate</key>
                    <string>dd/mm/yyyy</string>
                    <key>LicenseKey</key>
                    <string>35c...</string>
                    <key>LicenseType</key>
                    <string>Trial</string>
                    <key>LicenseVersion</key>
                    <string>1</string>
                    <key>LogFileMaxNumberBackups</key>
                    <integer>10</integer>
                    <key>LogFileMaxSizeMegaBytes</key>
                    <string>50</string>
                    <key>LogFileOwnership</key>
                    <string>root:wheel</string>
                    <key>LogFilePermission</key>
                    <string>644</string>
                    <key>LogRemoteEndpointEnabled</key>
                    <true/>
                    <key>LogRemoteEndpointREST</key>
                    <dict>
                      <key>PublicKeyHash</key>
                      <string>7E1DDE57-CEA3-4872-A477-CD2D6B640AFB</string>
                    </dict>
                    <key>LogRemoteEndpointType</key>
                    <string>Splunk</string>
                    <key>LogRemoteEndpointURL</key>
                    <string>https://splunk.company.com:8088/services/collector/raw</string>
                    <key>UnifiedLogPredicates</key>
                    <array>
                      <string>(subsystem == "com.apple.AccountPolicy")</string>
                    </array>
                  </dict>
                </dict>
              </array>
            </dict>
          </dict>
          <key>PayloadDescription</key>
          <string></string>
          <key>PayloadDisplayName</key>
          <string>Custom</string>
          <key>PayloadEnabled</key>
          <true/>
          <key>PayloadIdentifier</key>
          <string>ACE8C1E0-2CA9-47F9-95EA-092964CAB3EE</string>
          <key>PayloadOrganization</key>
          <string>Jamf inc</string>
          <key>PayloadType</key>
          <string>com.apple.ManagedClient.preferences</string>
          <key>PayloadUUID</key>
          <string>ACE8C1E0-2CA9-47F9-95EA-092964CAB3EE</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
        </dict>
      </array>
      <key>PayloadDescription</key>
      <string></string>
      <key>PayloadDisplayName</key>
      <string>Splunk HEC Compliance Reporter Preferences</string>
      <key>PayloadEnabled</key>
      <true/>
      <key>PayloadIdentifier</key>
      <string>8ECC25AC-0DAB-40D1-8E9F-2A7275315FDA</string>
      <key>PayloadOrganization</key>
      <string>Jamf inc</string>
      <key>PayloadRemovalDisallowed</key>
      <true/>
      <key>PayloadScope</key>
      <string>System</string>
      <key>PayloadType</key>
      <string>Configuration</string>
      <key>PayloadUUID</key>
      <string>8ECC25AC-0DAB-40D1-8E9F-2A7275315FDA</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    </plist>
  5. Click Save.
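As an added example (not from the Jamf documentation or the product), the following Python lint parses a profile of this shape with plistlib before it is uploaded and reports unresolved template placeholders, FileEvent path patterns that do not compile as regular expressions, and a remote endpoint that is enabled without https or without a PublicKeyHash. The sample profile it builds is a constructed, reduced copy of the one above; that PublicKeyHash is required whenever LogRemoteEndpointEnabled is true, and that the three placeholder strings must be replaced, are assumptions of this example.

```python
import plistlib
import re

PLACEHOLDERS = {"dd/mm/yyyy", "35c...", "example@mycompany.com"}  # template values from the sample profile

def build_sample_profile(url="https://splunk.company.com:8088/services/collector/raw",
                         pin="7E1DDE57-CEA3-4872-A477-CD2D6B640AFB"):
    """Constructed, reduced copy of the profile structure above, serialised as plist XML."""
    settings = {
        "FileEventInclusionPaths": ["/usr/lib/pam/.*", "/private/etc/.*"],
        "LicenseExpirationDate": "31/12/2030",  # constructed value, not the template placeholder
        "LogRemoteEndpointEnabled": True,
        "LogRemoteEndpointREST": {"PublicKeyHash": pin},
        "LogRemoteEndpointType": "Splunk",
        "LogRemoteEndpointURL": url,
    }
    payload = {"PayloadType": "com.apple.ManagedClient.preferences",
               "PayloadContent": {"com.jamf.compliancereporter": {"Forced": [{"mcx_preference_settings": settings}]}}}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})

def lint_profile(plist_bytes):
    """Return a list of findings for a Compliance Reporter profile; an empty list means it passes."""
    root = plistlib.loads(plist_bytes)
    settings = None
    for payload in root.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.ManagedClient.preferences":
            domain = payload.get("PayloadContent", {}).get("com.jamf.compliancereporter", {})
            for forced in domain.get("Forced", []):
                settings = forced.get("mcx_preference_settings", settings)
    if settings is None:
        return ["no com.jamf.compliancereporter mcx_preference_settings payload found"]
    findings = []
    for key in ("FileEventInclusionPaths", "FileEventExclusionPaths"):
        for pattern in settings.get(key, []):
            try:
                re.compile(pattern)  # the path lists are regular expressions and must compile
            except re.error as exc:
                findings.append(f"{key}: invalid regex {pattern!r}: {exc}")
    if settings.get("LogRemoteEndpointEnabled"):
        url = settings.get("LogRemoteEndpointURL", "")
        if not url.startswith("https://"):
            findings.append("LogRemoteEndpointURL must use https")
        if settings.get("LogRemoteEndpointType") == "Splunk" and "/services/collector" not in url:
            findings.append("LogRemoteEndpointURL does not point at the Splunk HEC collector endpoint")
        if not settings.get("LogRemoteEndpointREST", {}).get("PublicKeyHash"):
            findings.append("LogRemoteEndpointREST.PublicKeyHash is empty (assumed required)")
    for key, value in settings.items():
        if isinstance(value, str) and value in PLACEHOLDERS:
            findings.append(f"{key} still holds the template placeholder {value!r}")
    return findings
```

Run `lint_profile` over the exported .mobileconfig bytes; an empty list means the profile is ready to upload in step 4.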