This Open Source repository provides a connector and features for integrating WALLIX PAM audit logs with the Splunk Security Information and Event Management (SIEM) platform.

wallix/Splunk-add-on

WALLIX Bastion Technology Add-on for Splunk

Seamlessly integrate WALLIX Bastion PAM logs with Splunk for enhanced security monitoring and automated response



Overview

The WALLIX Bastion Technology Add-on (TA-WALLIX_Bastion) is the official Splunk integration for WALLIX Bastion, enabling organizations to centralize, analyze, and respond to privileged access activities in real-time.

WALLIX Bastion is an enterprise-grade Privileged Access Management (PAM) solution that secures and monitors access to critical infrastructure. This add-on bridges WALLIX Bastion with Splunk to provide:

  • 🔍 Deep visibility into privileged sessions and access patterns
  • 📊 Real-time dashboards for security operations teams
  • 🚨 Automated alerting on suspicious activities
  • Remote session termination via API integration
  • 📈 Compliance reporting for audit requirements

Technical Specifications

| Property      | Details                              |
|---------------|--------------------------------------|
| Version       | 1.0.6                                |
| Author        | WALLIX                               |
| Compatibility | Splunk Enterprise 7.0+, Splunk Cloud |
| Platforms     | Linux, Windows, macOS                |
| Type          | Technology Add-on (TA)               |

Features

🔎 Intelligent Data Parsing

Automatically extracts 30+ fields from WALLIX Bastion logs with zero configuration:

  • Identity & Access: Users, accounts, devices, source/target IPs
  • Session Metadata: Session IDs, duration, status, termination reasons
  • Security Context: Authentication methods, key fingerprints, MFA status
  • Activity Tracking: Commands executed, files transferred, system events
  • Audit Trail: Complete forensic data for compliance and investigations

📊 Pre-built Dashboards

1. Connections Overview

Real-time monitoring of bastion access with:

  • Authentication success/failure rates
  • Active vs. terminated sessions
  • Geographic distribution of access attempts
  • Temporal analysis with trend visualization

2. User Activity Analysis

User-centric views featuring:

  • Per-user session statistics and patterns
  • Access duration analytics
  • Target system inventory per user
  • Behavioral anomaly detection

3. Systems Audit Trail

Forensic-grade activity logging:

  • Command execution history with full context
  • File transfer monitoring (upload/download)
  • System-level event correlation
  • Searchable audit trail for investigations

⚡ Automated Response

Kill Session Alert Action

Terminate suspicious sessions automatically based on defined criteria:

  • API-driven: Direct integration with WALLIX Bastion REST API
  • Context-aware: Preserve session metadata for post-incident analysis
  • Configurable: Define custom termination triggers and policies
  • Auditable: All automated actions logged for compliance

🎛️ Configuration Management

Web-based configuration interface for:

  • WALLIX Bastion URL and credentials
  • API key management (encrypted storage)
  • Connection pooling and timeout settings
  • Custom field mapping and extraction rules

Quick Start

Prerequisites

  • Splunk Enterprise 7.0+ or Splunk Cloud
  • WALLIX Bastion instance with syslog configured
  • Administrator permissions on Splunk
  • Network connectivity between Splunk and WALLIX Bastion

Installation

Method 1: Splunk Web (Recommended)

  1. Navigate to Apps > Manage Apps in Splunk Web
  2. Click Install app from file
  3. Upload TA-WALLIX_Bastion-1.0.6.spl
  4. Restart Splunk when prompted

Method 2: Command Line

cd $SPLUNK_HOME/etc/apps/
tar -xzf TA-WALLIX_Bastion-1.0.6.spl
$SPLUNK_HOME/bin/splunk restart

Method 3: Deployment Server

# Place in deployment apps directory
cp TA-WALLIX_Bastion-1.0.6.spl $SPLUNK_HOME/etc/deployment-apps/

# Configure serverclass.conf
[serverClass:wallix_bastion]
whitelist.0 = *

[serverClass:wallix_bastion:app:TA-WALLIX_Bastion]
restartSplunkd = true

# Reload deployment server
$SPLUNK_HOME/bin/splunk reload deploy-server

Configuration

Step 1: Configure Data Inputs

Option A: UDP Syslog

# inputs.conf
[udp://514]
sourcetype = WB:syslog
index = wallix_bastion
no_appending_timestamp = true

Option B: TCP Syslog

# inputs.conf
[tcp://514]
sourcetype = WB:syslog
index = wallix_bastion
connection_host = ip

Step 2: Configure WALLIX Bastion

  1. Access WALLIX Bastion admin interface
  2. Navigate to Configuration > Logs > Syslog
  3. Add Splunk server:
    • Host: <splunk_ip>
    • Port: 514
    • Protocol: UDP or TCP
    • Format: RFC 5424 or legacy
  4. Select events to forward (recommended: all audit events)

Step 3: Configure Add-on Settings

Via Splunk Web

  1. Go to Apps > WALLIX Bastion > Configuration

  2. Enter connection details:

    WALLIX Bastion URL: https://bastion.company.com
    API Key: [Your API key]
    

Via Configuration File

# ta_wallix_bastion_settings.conf
[additional_parameters]
wallix_bastion_url = https://bastion.company.com
api_key = <encrypted_key>
timeout = 30
verify_ssl = true

Step 4: Create Dedicated Index (Recommended)

# indexes.conf
[wallix_bastion]
homePath = $SPLUNK_DB/wallix_bastion/db
coldPath = $SPLUNK_DB/wallix_bastion/colddb
thawedPath = $SPLUNK_DB/wallix_bastion/thaweddb
maxDataSize = auto_high_volume
frozenTimePeriodInSecs = 31536000
# 1 year retention

Usage Examples

Essential Searches

# Monitor all WALLIX Bastion activity
sourcetype="WB:syslog"

# Failed authentication attempts
sourcetype="WB:syslog" WB_Event="wabauth" WB_Status="failure"
| stats count by WB_User, WB_Client_Ip
| where count > 5

# Long-running sessions (over 4 hours)
sourcetype="WB:syslog" WB_Event="session_established"
| eval duration_sec=tonumber(WB_Duration)
| where duration_sec > 14400
| table _time WB_User WB_Target WB_Duration

# Privileged command execution
sourcetype="WB:syslog" WB_Event="command"
| search WB_Command IN ("sudo*", "su -*", "passwd*", "rm -rf*")
| table _time WB_User WB_Target WB_Command

Key Extracted Fields

| Field                | Description                | Example Value                          |
|----------------------|----------------------------|----------------------------------------|
| WB_Event             | Event type identifier      | wabauth, session_established, command  |
| WB_User              | Authenticated username     | [email protected]                      |
| WB_Target            | Target system FQDN/IP      | prod-db-01.internal                    |
| WB_Session_Id        | Unique session identifier  | sess_1a2b3c4d5e                        |
| WB_Status            | Operation status           | success, failure                       |
| WB_Client_Ip         | Source IP address          | 192.168.1.100                          |
| WB_Duration          | Session duration (seconds) | 3600                                   |
| WB_Command           | Executed command           | /usr/bin/apt-get update                |
| WB_Auth_Type         | Authentication method      | password, pubkey, mfa                  |
| WB_Disconnect_Reason | Session end reason         | user_initiated, timeout, killed        |

Alert Configuration

Example: Suspicious Activity Alert

sourcetype="WB:syslog" WB_Event="command"
(WB_Command="*rm -rf /*" OR WB_Command="*dd if=/dev/zero*" OR WB_Command="*mkfs*")
| eval severity="CRITICAL"
| table _time WB_User WB_Target WB_Command WB_Session_Id severity

Alert Action: Configure Kill Session with:

  • Session ID: $result.WB_Session_Id$
  • Reason: Dangerous command detected: $result.WB_Command$

Example: Compliance Monitoring

sourcetype="WB:syslog" WB_Event="session_established"
| stats count by WB_User, WB_Target
| where count > 20
| eval alert_reason="Unusual access pattern detected"
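The searches in Essential Searches and the two alert examples above are expressed here as plain Python over already-extracted events, so the thresholds and wildcard matching can be exercised offline before the SPL is scheduled. This is an added example, not code from the add-on; the events are constructed to match the WB_* field names in the table above, and the functions mirror each search one-to-one (including the SPL behaviour that a non-numeric WB_Duration is dropped by tonumber()/where).

```python
from collections import Counter
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# Constructed sample events in the shape the add-on's extractions produce
# (WB_* names from the Key Extracted Fields table); not real bastion output.
SAMPLE_EVENTS: List[Dict[str, str]] = (
    [{"WB_Event": "wabauth", "WB_Status": "failure", "WB_User": "bob",
      "WB_Client_Ip": "10.0.0.7"}] * 6
    + [
        {"WB_Event": "wabauth", "WB_Status": "failure", "WB_User": "alice", "WB_Client_Ip": "10.0.0.8"},
        {"WB_Event": "wabauth", "WB_Status": "success", "WB_User": "alice", "WB_Client_Ip": "10.0.0.8"},
        {"WB_Event": "session_established", "WB_User": "alice", "WB_Target": "prod-db-01.internal",
         "WB_Duration": "18000", "WB_Session_Id": "sess_a1"},
        {"WB_Event": "session_established", "WB_User": "bob", "WB_Target": "web-02.internal",
         "WB_Duration": "600", "WB_Session_Id": "sess_b2"},
        {"WB_Event": "session_established", "WB_User": "bob", "WB_Target": "web-02.internal",
         "WB_Duration": "n/a", "WB_Session_Id": "sess_b3"},   # malformed duration
        {"WB_Event": "command", "WB_User": "alice", "WB_Target": "prod-db-01.internal",
         "WB_Command": "rm -rf /var/lib/pgsql", "WB_Session_Id": "sess_a1"},
        {"WB_Event": "command", "WB_User": "bob", "WB_Target": "web-02.internal",
         "WB_Command": "ls -la /tmp", "WB_Session_Id": "sess_b2"},
    ]
)

# Same wildcard strings as the Suspicious Activity Alert search.
DANGEROUS_COMMAND_PATTERNS = ("*rm -rf /*", "*dd if=/dev/zero*", "*mkfs*")


def failed_auth_offenders(events, threshold: int = 5) -> Dict[Tuple[str, str], int]:
    """WB_Event="wabauth" WB_Status="failure" | stats count by WB_User, WB_Client_Ip | where count > 5"""
    counts = Counter(
        (e.get("WB_User", ""), e.get("WB_Client_Ip", ""))
        for e in events
        if e.get("WB_Event") == "wabauth" and e.get("WB_Status") == "failure"
    )
    return {key: n for key, n in counts.items() if n > threshold}


def long_sessions(events, min_seconds: int = 14400) -> List[Tuple[str, str, int]]:
    """Long-running session search; a non-numeric WB_Duration behaves like
    SPL tonumber() returning null, so the event is silently dropped."""
    out = []
    for e in events:
        if e.get("WB_Event") != "session_established":
            continue
        try:
            seconds = int(e.get("WB_Duration", ""))
        except ValueError:
            continue
        if seconds > min_seconds:
            out.append((e["WB_User"], e["WB_Target"], seconds))
    return out


def dangerous_commands(events, patterns=DANGEROUS_COMMAND_PATTERNS) -> List[Dict[str, str]]:
    """Suspicious Activity Alert: the Splunk-style wildcards are applied with
    fnmatch so the same pattern strings can be kept in one place."""
    hits = []
    for e in events:
        cmd = e.get("WB_Command")
        if e.get("WB_Event") == "command" and cmd and any(fnmatchcase(cmd, p) for p in patterns):
            hits.append({**e, "severity": "CRITICAL"})
    return hits


def kill_requests(alert_rows) -> List[Tuple[str, str]]:
    """What the Kill Session action receives after Splunk substitutes
    $result.WB_Session_Id$ and $result.WB_Command$ for each result row."""
    return [
        (row["WB_Session_Id"], f"Dangerous command detected: {row['WB_Command']}")
        for row in alert_rows
    ]


def unusual_access_pairs(events, threshold: int = 20) -> Dict[Tuple[str, str], int]:
    """Compliance Monitoring search: sessions per (user, target) above a threshold."""
    counts = Counter(
        (e.get("WB_User", ""), e.get("WB_Target", ""))
        for e in events if e.get("WB_Event") == "session_established"
    )
    return {key: n for key, n in counts.items() if n > threshold}
```

Running the functions over SAMPLE_EVENTS flags only bob's six failures from 10.0.0.7, alice's five-hour session, and the single rm -rf command (which in turn yields one kill request for sess_a1); the malformed "n/a" duration is skipped rather than raising, which is the same outcome the SPL pipeline produces.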

Architecture

TA-WALLIX_Bastion/
├── app.manifest                 # Splunk app metadata
├── default/
│   ├── app.conf                # App configuration
│   ├── props.conf              # Field extraction & transforms
│   ├── transforms.conf         # Lookup definitions
│   ├── alert_actions.conf      # Custom alert actions
│   ├── restmap.conf            # REST endpoint configuration
│   └── data/ui/
│       ├── nav/                # Navigation definitions
│       └── views/              # Dashboard XML
├── bin/
│   ├── ta_wallix_bastion/
│   │   ├── modalert_kill_session_helper.py
│   │   ├── alert_actions_base.py
│   │   └── [libraries]/       # solnlib, requests, etc.
│   └── TA_WALLIX_Bastion_rh_settings.py
├── appserver/
│   ├── static/                 # CSS, JavaScript, images
│   └── templates/              # HTML templates (Jinja2)
├── metadata/                   # Permissions & navigation
└── static/                     # App icons

Troubleshooting

Logs Not Appearing

Check:

  1. WALLIX syslog configuration: grep syslog /var/log/wallix/*
  2. Network connectivity: telnet <splunk_ip> 514
  3. Splunk input status: $SPLUNK_HOME/bin/splunk list inputstatus
  4. Firewall rules on both sides

Verify:

index=_internal source=*splunkd.log* "listening on port 514"

Fields Not Extracting

Validate regex:

$SPLUNK_HOME/bin/splunk cmd btool props list --app=TA-WALLIX_Bastion --debug

Test extraction:

sourcetype="WB:syslog" | head 1 | extract reload=T

Kill Session Action Fails

Debug logs:

index=_internal source="*modalert_kill_session*" ERROR

Common causes:

  • Invalid API key (check encryption)
  • Network timeout (increase timeout value)
  • Insufficient API permissions
  • Session already terminated

API connectivity test:

curl -k -H "X-Auth-Key: YOUR_KEY" https://bastion.company.com/api/sessions
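To see how the four failure causes listed above separate from the transient errors that the retry logic in 1.0.6 is meant to absorb, here is an added, stand-alone Python sketch of a Kill Session helper. It is not the add-on's modalert_kill_session_helper.py. It reuses the settings from ta_wallix_bastion_settings.conf (timeout, verify_ssl) and the X-Auth-Key header from the curl test, but the termination endpoint (DELETE /api/sessions/<id>) and the HTTP status meanings are assumptions to be checked against the WALLIX Bastion REST API reference; the reason text is kept in the returned audit record because this README does not show how it is sent. The ScriptedTransport is a constructed stand-in so the retry path runs offline.

```python
import socket
import ssl
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# transport(method, url, headers, timeout) -> (http_status, body); raises TimeoutError
Transport = Callable[[str, str, Dict[str, str], float], Tuple[int, str]]


class KillSessionError(Exception):
    """Non-retryable failure, phrased the way it should appear in the modalert log."""


def urllib_transport(verify_ssl: bool) -> Transport:
    """Real HTTP transport (stdlib only); verify_ssl=False is the equivalent of curl -k."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method: str, url: str, headers: Dict[str, str], timeout: float) -> Tuple[int, str]:
        req = urllib.request.Request(url, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")
        except urllib.error.URLError as err:
            if isinstance(err.reason, socket.timeout):
                raise TimeoutError(str(err.reason)) from err
            raise
    return send


class ScriptedTransport:
    """Constructed offline stand-in: replays a list of status codes / exceptions."""
    def __init__(self, outcomes: List[object]):
        self.outcomes = list(outcomes)
        self.calls: List[Tuple[str, str, float]] = []

    def __call__(self, method, url, headers, timeout):
        self.calls.append((method, url, timeout))
        outcome = self.outcomes.pop(0)
        if isinstance(outcome, Exception):
            raise outcome
        return int(outcome), ""


class KillSessionClient:
    RETRYABLE_STATUS = {502, 503, 504}

    def __init__(self, base_url: str, api_key: str, timeout: float = 30.0, verify_ssl: bool = True,
                 max_attempts: int = 3, transport: Optional[Transport] = None, sleep=time.sleep):
        self.base_url = base_url.rstrip("/")
        self.headers = {"X-Auth-Key": api_key, "Accept": "application/json"}
        self.timeout = timeout
        self.max_attempts = max_attempts
        self.transport = transport or urllib_transport(verify_ssl)
        self.sleep = sleep

    def kill_session(self, session_id: str, reason: str) -> Dict[str, object]:
        # ASSUMED endpoint: DELETE /api/sessions/<id>; confirm against the WALLIX REST API reference.
        url = f"{self.base_url}/api/sessions/{session_id}"
        last_error = None
        for attempt in range(1, self.max_attempts + 1):
            try:
                status, body = self.transport("DELETE", url, self.headers, self.timeout)
            except TimeoutError as err:
                last_error = f"timeout after {self.timeout}s ({err})"
                self.sleep(attempt)      # linear back-off before the next try
                continue
            audit = {"session_id": session_id, "reason": reason, "attempts": attempt}
            if status in (200, 204):
                return {**audit, "ok": True, "outcome": "killed"}
            if status == 404:            # session already terminated: nothing left to do
                return {**audit, "ok": True, "outcome": "already_terminated"}
            if status == 401:
                raise KillSessionError("invalid API key (check the stored/encrypted key)")
            if status == 403:
                raise KillSessionError("insufficient API permissions to terminate sessions")
            if status in self.RETRYABLE_STATUS:
                last_error = f"HTTP {status}"
                self.sleep(attempt)
                continue
            raise KillSessionError(f"unexpected HTTP {status}: {body[:200]}")
        raise KillSessionError(f"gave up after {self.max_attempts} attempts: {last_error}")


def run_action(client: KillSessionClient, session_id: str, reason: str) -> Dict[str, object]:
    """Alert-action style entry point: never raises, always returns an auditable record."""
    try:
        return client.kill_session(session_id, reason)
    except KillSessionError as err:
        return {"ok": False, "session_id": session_id, "reason": reason, "error": str(err)}


def demo() -> Dict[str, object]:
    """One timeout, one 503, then success: the retry path exercised offline."""
    scripted = ScriptedTransport([TimeoutError("read timed out"), 503, 204])
    client = KillSessionClient("https://bastion.company.com", "YOUR_KEY",
                               transport=scripted, sleep=lambda _s: None)
    return run_action(client, "sess_1a2b3c4d5e", "Dangerous command detected: rm -rf /")
```

The split matters operationally: a 401 or 403 retried three times only delays the alert and fills the modalert log, while a timeout or 5xx is exactly what the "increase timeout value" advice and the retry logic are for, and a 404 should be recorded as already terminated rather than reported as a failure.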

Development

Extending Functionality

Add Custom Fields

Edit default/props.conf:

[WB:syslog]
EXTRACT-custom_field = \scustom=\"(?P<WB_Custom_Field>[^\"]+)\"
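The EXTRACT- stanzas above (and the "30+ fields with zero configuration" claim in Features) work because each named group in a props.conf regex becomes a search-time field. This added Python example, which is not part of the add-on, reads a props.conf-style fragment, compiles its EXTRACT- regexes and applies them to constructed syslog lines, so a new EXTRACT line such as the custom_field one can be checked before it is deployed. Only the custom_field regex comes from this README; the other regexes, the key="value" line layout and the sample lines are assumptions made for the demonstration.

```python
import re
from typing import Dict, List

# Constructed props.conf fragment. The custom_field line is the one shown in
# this README; the other EXTRACT- lines are assumed for illustration only.
PROPS_CONF = r"""
[WB:syslog]
EXTRACT-event = \stype=\"(?P<WB_Event>[^\"]+)\"
EXTRACT-user = \suser=\"(?P<WB_User>[^\"]+)\"
EXTRACT-target = \starget=\"(?P<WB_Target>[^\"]+)\"
EXTRACT-session_id = \ssession_id=\"(?P<WB_Session_Id>[^\"]+)\"
EXTRACT-status = \sstatus=\"(?P<WB_Status>[^\"]+)\"
EXTRACT-client_ip = \sclient_ip=\"(?P<WB_Client_Ip>[^\"]+)\"
EXTRACT-custom_field = \scustom=\"(?P<WB_Custom_Field>[^\"]+)\"
"""

# Constructed RFC 5424-style lines; the key="value" payload is an assumed layout.
SAMPLE_LINES = [
    '<14>1 2024-05-01T10:00:00Z bastion wallix - - - type="wabauth" user="alice@corp.local" '
    'client_ip="192.168.1.100" status="failure" custom="vpn-gw"',
    '<14>1 2024-05-01T10:05:00Z bastion wallix - - - type="session_established" '
    'user="alice@corp.local" target="prod-db-01.internal" session_id="sess_1a2b3c4d5e" status="success"',
]


def load_extracts(conf_text: str, stanza: str) -> Dict[str, re.Pattern]:
    """Collect EXTRACT-<name> = <regex> settings from one stanza of a props.conf."""
    patterns: Dict[str, re.Pattern] = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current != stanza or not line.startswith("EXTRACT-"):
            continue
        key, _, value = line.partition("=")          # first "=" separates key from regex
        patterns[key.strip()[len("EXTRACT-"):]] = re.compile(value.strip())
    return patterns


def extract_fields(line: str, patterns: Dict[str, re.Pattern]) -> Dict[str, str]:
    """Apply every EXTRACT regex to one event; fields whose regex does not
    match are simply absent, exactly as Splunk leaves them null."""
    fields: Dict[str, str] = {}
    for pat in patterns.values():
        match = pat.search(line)
        if match:
            fields.update({k: v for k, v in match.groupdict().items() if v is not None})
    return fields


def parse_lines(lines: List[str], patterns: Dict[str, re.Pattern]) -> List[Dict[str, str]]:
    return [extract_fields(line, patterns) for line in lines]


DEFAULT_PATTERNS = load_extracts(PROPS_CONF, "WB:syslog")

if __name__ == "__main__":
    for event in parse_lines(SAMPLE_LINES, DEFAULT_PATTERNS):
        print(event)
```

Because Splunk evaluates these regexes with PCRE and Python's re accepts the same (?P<name>...) syntax used here, a pattern that matches in this script will normally behave the same way in props.conf; the btool and "| extract reload=T" checks in Troubleshooting remain the authoritative test once the stanza is installed.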

Create New Alert Actions

  1. Create script in bin/ta_wallix_bastion/modalert_custom_action_helper.py
  2. Define action in default/alert_actions.conf
  3. Add UI template in appserver/templates/custom_action.html

Testing

# Validate configuration
$SPLUNK_HOME/bin/splunk btool check --app=TA-WALLIX_Bastion

# Test field extractions
$SPLUNK_HOME/bin/splunk search 'sourcetype="WB:syslog" | head 1'

# Inspect Python dependencies
$SPLUNK_HOME/bin/splunk cmd python -m pip list

Changelog

Version 1.0.6 (Current)

  • ✅ Full Python 3 compatibility
  • ✅ Enhanced configuration UI with input validation
  • ✅ Improved Kill Session action with retry logic
  • ✅ Optimized field extraction performance
  • ✅ Updated dependencies (solnlib, requests)

Previous Versions

See CHANGELOG.md for complete history.


Support & Resources

Official Documentation

Splunk Resources

Get Help


License

This add-on is proprietary software developed by WALLIX. See LICENSE for terms and conditions.

Contributing

We welcome feedback and contributions! Please review our Contributing Guidelines before submitting issues or pull requests.


Made with ❤️ by WALLIX
