2.2. Inputs

The MetaAccess Add-on for Splunk ingests MetaAccess Logs into the MetaAccess:Logs sourcetype and the other API inputs into the MetaAccess:API sourcetype.

The Add-on provides the Get Admin Logs, Get Device Logs, Get Vulnerabilities, Get Account Details, and Get Devices inputs out of the box (OOTB). All of these inputs are disabled by default, as per Splunk’s best practices. Once a user has configured an account and has the appropriate index ready, the inputs should be edited to include the desired account and index before they are enabled. Alternatively, you can clone the original inputs and edit the clones.

Attempting to delete the OOTB inputs will result in an error. This is because their configuration is provided in the default directory, not in the local directory where user-created inputs are stored. To delete one of these inputs, open the default/inputs.conf configuration file in a text editor, locate the stanza of the desired input, and remove it. After saving default/inputs.conf, restart Splunk to apply the change.
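The stanza removal described above, as an added example (not code from OPSWAT or the add-on): a Python helper that drops one stanza from the text of an inputs.conf file and refuses to act if the stanza is not present. The stanza names and keys in the sample are constructed placeholders, not the add-on's real input names.

```python
import re

# Constructed sample; stanza names and keys are placeholders (assumptions),
# not the add-on's real inputs.
SAMPLE_CONF = """\
# constructed sample of default/inputs.conf
[example_input_type://example_input_a]
disabled = 1
interval = 300

[example_input_type://example_input_b]
disabled = 1
interval = 600
"""

# A stanza header is a line of the form [name]
_HEADER = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def list_stanzas(conf_text):
    """Return the stanza names in file order."""
    names = []
    for line in conf_text.splitlines():
        m = _HEADER.match(line)
        if m:
            names.append(m.group("name"))
    return names


def remove_stanza(conf_text, stanza):
    """Return conf_text without the named stanza.

    Drops the header line and everything up to (not including) the next
    header. Raises KeyError if the stanza is absent, so a typo in the
    name never produces a silently unchanged file.
    """
    if stanza not in list_stanzas(conf_text):
        raise KeyError(stanza)
    kept, skipping = [], False
    for line in conf_text.splitlines(keepends=True):
        m = _HEADER.match(line)
        if m:
            skipping = m.group("name") == stanza
        if not skipping:
            kept.append(line)
    return "".join(kept)


if __name__ == "__main__":
    print(remove_stanza(SAMPLE_CONF, "example_input_type://example_input_a"))
```

Keep a copy of the original file before writing the result back, then restart Splunk as described above.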

Follow the steps below to configure a new input:

  1. Log in to the Splunk Web UI.

  2. Go to the Inputs page of the OPSWAT MetaAccess Add-on.

  3. Click on the Create New Input button and select the appropriate input type for your needs.

  4. Fill in the appropriate details in the dialog.

Details for each input can be found below.