diff --git a/docs/changetracker/8.0/integration/overview.md b/docs/changetracker/8.0/integration/overview.md index d77bbdd6fa..baec72fa7e 100644 --- a/docs/changetracker/8.0/integration/overview.md +++ b/docs/changetracker/8.0/integration/overview.md @@ -11,5 +11,5 @@ Netwrix Change Tracker supports the following integrations: - [Netwrix Products](/docs/changetracker/8.0/integration/netwrixproducts/overview.md) - [API](/docs/changetracker/8.0/integration/api/overview.md) - [IT Management Systems](/docs/changetracker/8.0/integration/itsm/overview.md) -- [Splunk](/docs/changetracker/8.0/integration/overview_1.md) -- [VMWare](/docs/changetracker/8.0/integration/overview_2.md) +- [Splunk](/docs/changetracker/8.0/integration/splunk.md) +- [VMware](/docs/changetracker/8.0/integration/vmware.md) diff --git a/docs/changetracker/8.0/integration/overview_1.md b/docs/changetracker/8.0/integration/splunk.md similarity index 55% rename from docs/changetracker/8.0/integration/overview_1.md rename to docs/changetracker/8.0/integration/splunk.md index 737a0744cc..813abf434a 100644 --- a/docs/changetracker/8.0/integration/overview_1.md +++ b/docs/changetracker/8.0/integration/splunk.md 
@@ -6,25 +6,22 @@ sidebar_position: 40 # Splunk -Splunk is used to store logs from devices, databases and applications. Capturing changes to device -configuration, from logs in Splunk, provides a form of agentless monitoring with the ability to -monitor devices that are not currently supported by Change Tracker. This means anything that can -reliably log it's configuration changes to Splunk can be monitored by Change Tracker, including -custom applications. +Splunk stores logs from devices, databases, and applications. Capturing changes to device +configuration, from logs in Splunk, provides a form of agentless monitoring that can monitor +devices Change Tracker doesn't support. This means Change Tracker can monitor anything that can +reliably log its configuration changes to Splunk, including custom applications. -A fully customizable Search Processing Language (SPL) query, executed via the Splunk API, will -return specific logs that are converted to change events in Change Tracker. From this point on, -these change events will behave as if they were produced by a traditional agent. +A fully customizable Search Processing Language (SPL) query, executed via the Splunk API, returns +specific logs that Change Tracker converts to change events. From this point on, these change +events behave as if a traditional agent produced them. -Permissions required for the Splunk can be found in the Authentication and Authorization section of +You can find the permissions required for Splunk in the Authentication and Authorization section of the Splunk Documentation page. See Splunk's [REST API User Manual](https://docs.splunk.com/Documentation/Splunk/9.3.2/RESTUM/RESTusing#rest-api-user-manual) article for additional information on permissions. ## Configure Credentials -Follow the steps to configure Splunk credentials. - **Step 1 –** From the Settings menu select **Credentials** and scroll to the Splunk Credentials section. 
@@ -34,19 +31,19 @@ section. **Step 3 –** Click **Update**. -The Splunk credentials are updated. +Change Tracker updates the Splunk credentials. ## Policy Templates -Policy templates are used to configure what to monitor on the target devices. For Splunk a policy -template that defines an SPL query is required. Splunk's SPL query language is similar to SQL in -that it is very flexible when defining the data to query, how to filter it and what transformations -are required like column aliases. +Use policy templates to configure what to monitor on the target devices. Splunk requires a policy +template that defines an SPL query. Splunk's SPL query language is similar to SQL: it's flexible in +defining the data to query, how to filter it, and what transformations to apply, such as column +aliases. ### Create an SPL Query :::info -It is recommended to develop and test the SPL query in Splunk's Search page. +Develop and test the SPL query in Splunk's Search page. ::: 
@@ -57,17 +54,17 @@ The query must return fields with the following aliases: - eventdate - eventinfo -The value in the eventdate field must be formatted as YYYY-mm-ddTHH:MM:SS. The strftime function can -be used to format date time fields accordingly: strftime(MyDateTimeField,"%Y-%m-%dT%H:%M:%S.%Q"). +Format the value in the eventdate field as YYYY-mm-ddTHH:MM:SS. Use the strftime function to format +date-time fields accordingly: strftime(MyDateTimeField,"%Y-%m-%dT%H:%M:%S.%Q"). -Any further fields added will be included in the body of the events when the reach Change Tracker. -Sourcetype is an example of such a field in the test query below. +Any further fields added appear in the body of the events when they reach Change Tracker. +Sourcetype is an example of such a field in the following test query. ![splunksearch](/images/changetracker/8.0/integration/splunk/splunksearch.webp) -Below is the test query used in this document. This query pulls internal Splunk data that any +This document uses the following test query. This query pulls internal Splunk data that any instance will have while meeting Change Tracker's requirements. The "head 50" clause at the end of -the statement ensures that only 50 rows are returned. +the statement ensures that the query returns only 50 rows. ``` search index=_internal event_message != ""  | rename host as device | eval  whomadethechange = "test-user" | eval eventdate=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q")  | rename event_message as eventinfo | table device whomadethechange eventinfo eventdate sourcetype | head 50 @@ -75,8 +72,6 @@ search index=_internal event_message != ""  | rename host as device | eval   ### Create the Policy Template -Follow the steps to create a policy template. - **Step 1 –** From the Settings menu, select **Policy Templates**. **Step 2 –** Click **Actions** and **Add a Blank Policy Template**. 
@@ -96,10 +91,10 @@ Splunk Search Queries tab. ![splqueryconfiguration](/images/changetracker/8.0/integration/splunk/splqueryconfiguration.webp) -Paste the query, give it a description and click Update. The query will now be listed in the policy. +Paste the query, give it a description, and click Update. The query now appears in the policy. :::note -Ensure the desired polling frequency is set. +Set the polling frequency you want. ::: @@ -107,8 +102,6 @@ Ensure the desired polling frequency is set. ### Devices and Groups -Follow the steps to add a group. - **Step 1 –** From the Settings menu, select **Groups** and click **Add** to add a new group called Splunk Tracker. 
@@ -119,20 +112,18 @@ and click **Add an Existing Template**. ![group2](/images/changetracker/8.0/integration/splunk/group2.webp) -Any device in this group of the type Splunk will execute the Splunk tracking policy created above. +Any device of the type Splunk in this group will execute the Splunk tracking policy created earlier. ![group](/images/changetracker/8.0/integration/splunk/group.webp) -**Step 4 –** Ensure the Splunk Tracker group is selected and click **Add** to add a sub group to the -Splunk Tracker group named Splunk devices. This group will hold the proxied devices that Splunk -events will be matched to. +**Step 4 –** Select the Splunk Tracker group and click **Add** to add a sub group to the +Splunk Tracker group named Splunk devices. This group holds the proxied devices that Change Tracker +matches Splunk events to. ### Devices -To direct the SPL query in the Splunk tracking policy to the target instance of Splunk, a proxied -device must be created with the connection details. - -Follow the steps to manually create a proxied device to represent the target instance of Splunk. +To direct the SPL query in the Splunk tracking policy to the target instance of Splunk, you must +create a proxied device with the connection details. ![manualdevicecreation](/images/changetracker/8.0/integration/splunk/manualdevicecreation.webp) 
@@ -154,15 +145,15 @@ instance. :::note Change events coming into Change Tracker (from Splunk or any agentless monitoring) must -match a device in Change Tracker. Events without a matching device will be ignored +match a device in Change Tracker. Change Tracker ignores events without a matching device ::: This isn't a problem with agent based monitoring as the agent registers it's device on first contact -with the Hub. All types of agentless monitoring require devices to be created in Change Tracker. +with the Hub. All types of agentless monitoring require you to create devices in Change Tracker. -Devices can be created manually or via device discovery. Device discovery is only available when the -Sync Service is configured to integrate with ServiceNow. Both will result in proxied devices +You can create devices manually or via device discovery. Device discovery is only available when you +configure the Sync Service to integrate with ServiceNow. Both will result in proxied devices registered to a proxy device with an agent. To discover devices to match change events from Splunk, see the 
@@ -172,30 +163,30 @@ section in topic for additional information. To manually create proxied devices, select a device to be a proxy device (the Hub's agent is often a -good choice here) and click Add Proxied Device. Ensure the new devices are added to the Splunk +good choice here) and click Add Proxied Device. Add the new devices to the Splunk Devices group. -If the logs collected are from a custom application it may be desirable to treat the application as -a device in Change Tracker instead of it's individual servers. This way change events would belong -to the application and not to individual servers. This could be done by manually creating a proxied -device named after the application and then ensuring the SPL query uses the same application name -for it's Device column. +If the logs collected are from a custom application, you may want to treat the application as +a device in Change Tracker instead of its individual servers. This way change events would belong +to the application and not to individual servers. To do this, manually create a proxied +device named after the application, then ensure the SPL query uses the same application name +for its Device column. ## Events -If everything has been configured correctly and communication with the Splunk instance is possible, +If you've configured everything correctly and communication with the Splunk instance is possible, Splunk logs should start arriving as events. ![splunkevents](/images/changetracker/8.0/integration/splunk/splunkevents.webp) -In the body of a Splunk event it's possible to see the required firled from the SPL query. Any field -in the results other than the required fields is added to the additional info section at the bottom -of the event body. This flexible field can list multiple non required fields from the SPL query. -This enables full control of what is logged into the events. +The body of a Splunk event shows the required fields from the SPL query. 
Change Tracker adds any +field in the results other than the required fields to the additional info section at the bottom +of the event body. This flexible field can list multiple non-required fields from the SPL query. +This gives you full control over what Change Tracker logs into the events. ![splunkeventbody](/images/changetracker/8.0/integration/splunk/splunkeventbody.webp) -Manual runs of the tracking policy can be executed from the Splunk device by clicking Start Tracker +You can run the tracking policy manually from the Splunk device by clicking Start Tracker Poll. ![starttrackerpoll](/images/changetracker/8.0/integration/splunk/starttrackerpoll.webp) diff --git a/docs/changetracker/8.0/integration/overview_2.md b/docs/changetracker/8.0/integration/vmware.md similarity index 51% rename from docs/changetracker/8.0/integration/overview_2.md rename to docs/changetracker/8.0/integration/vmware.md index 23ebec36d4..dd98c5cc96 100644 --- a/docs/changetracker/8.0/integration/overview_2.md +++ b/docs/changetracker/8.0/integration/vmware.md 
@@ -1,31 +1,31 @@ --- -title: "VMWare" -description: "VMWare" +title: "VMware" +description: "VMware" sidebar_position: 50 --- -# VMWare +# VMware -vSphere is VMWare's virtualization platform. Change Tracker includes CIS certified compliance +vSphere is VMware's virtualization platform. Change Tracker includes CIS certified compliance tracking templates to ensure secure configuration of vSphere clusters and their ESXi nodes. ## vSphere/ESXi -Compliance reports for vSphere clusters and their ESXi nodes are executed in an agentless manor with -the use of a proxy agent that has vSphere clusters (or individual ESXi servers) configured as +Change Tracker executes compliance reports for vSphere clusters and their ESXi nodes in an agentless +manner, using a proxy agent that has vSphere clusters (or individual ESXi servers) configured as proxied devices. ## Requirements for the Proxy Agent's Device - .NET 6 - PowerShell 7 -- PowerShell Module VMWare.PowerCLI +- PowerShell Module VMware.PowerCLI - Gen 7 Agent ## Installation -After installing .NET 6 and the Gen 7 Agent, following the instructions below will ensure the proxy -agent's device is able to communicate with vSphere and ESXi devices. +After you install .NET 6 and the Gen 7 Agent, follow these instructions to ensure the proxy +agent's device can communicate with vSphere and ESXi devices. Open a PowerShell console as Administrator to run the following command: @@ -35,7 +35,7 @@ Check installation with: Get-PowerCLIVersion -If self-signed certificates are in use with vCenter, the following command will ignore the errors +If vCenter uses self-signed certificates, the following command ignores the errors this usually raises: Set-PowerCLIConfiguration -InvalidCertificateAction:Ignore -Scope AllUsers 
@@ -46,28 +46,26 @@ Set-PowerCLIConfiguration -Scope AllUsers -ParticipateInCEIP $false ## Configuration -Follow the steps to configure ESXi/vCenter credentials: - **Step 1 –** From the Settings menu, select Credentials and scroll down to the ESXi / vCenter Credentials section. ![esxicredentials](/images/changetracker/8.0/integration/vmware/esxicredentials.webp) **Step 2 –** Click the Add button and enter the credential information. For vCenter / ESXi -monitoring, it is recommended to use vCenter as the Host Type as it allows for ESXi node discovery, -The ESXi Host Type option enables connections to stand alone ESXi servers. +monitoring, use vCenter as the Host Type because it allows for ESXi node discovery. The ESXi Host +Type option enables connections to standalone ESXi servers. ![esxicredentialform](/images/changetracker/8.0/integration/vmware/esxicredentialform.webp) ## Device Discovery -A vSphere cluster is made up of ESXi nodes. In the past, each ESXi node had to be manually added as -a proxied device. It is now possible to add the vSphere service as a proxied device and -automatically discover all of it's ESXi nodes and add them as proxied devices. This allows for -faster configuration and the ability to keep up with fast changing environments where ESXi nodes are -frequently created, removed or even migrated between clusters. +A vSphere cluster consists of ESXi nodes. In the past, you had to add each ESXi node manually as +a proxied device. You can now add the vSphere service as a proxied device and automatically +discover all its ESXi nodes and add them as proxied devices. This speeds up configuration and helps +you keep up with fast-changing environments where ESXi nodes are frequently created, removed, or +migrated between clusters. -From the Settings menu, select Device Discovery. Select ESXi / vCenter Discovery from the drop down +From the Settings menu, select Device Discovery. 
Select ESXi / vCenter Discovery from the dropdown to configure the discovery job. ![devicediscoverygrid](/images/changetracker/8.0/integration/vmware/devicediscoverygrid.webp) @@ -75,17 +73,17 @@ to configure the discovery job. Discovery Device is the device running the agent that will execute the commands to discover the ESXi nodes. -Parent Device in Hub is the proxy device that the proxied devices (that represents the ESXi nodes) -will be registered under. Usually Discovery Device and Parent Device in Hub use the same agent, but -different discovery jobs executed by different proxy agents could be configured to register all of +Parent Device in Hub is the proxy device under which Change Tracker registers the proxied devices +that represent the ESXi nodes. Usually Discovery Device and Parent Device in Hub use the same agent, +but you can configure different discovery jobs, executed by different proxy agents, to register all their discovered nodes under one proxy agent. -The "Assign to Group" drop down is the group the discovered ESXi nodes will be assigned to. There is -no automatic registration so a group must be chosen. +The "Assign to Group" dropdown is the group you assign the discovered ESXi nodes to. There is +no automatic registration, so you must choose a group. ![devicediscoveryform](/images/changetracker/8.0/integration/vmware/devicediscoveryform.webp) -Once configured a discovery job will automatically run and if successful, the devices will be +Once configured, a discovery job will automatically run, and if it succeeds, the devices will be visible in the grid. ![devicediscoverystarted](/images/changetracker/8.0/integration/vmware/devicediscoverystarted.webp) 
@@ -96,7 +94,7 @@ visible in the grid. ## Compliance Reporting -Under the Reports tab, it is now possible to configure and run the appropriate compliance report +Under the Reports tab, you can now configure and run the appropriate compliance report against the group that contains the ESXi devices. ![esxicompliancereport](/images/changetracker/8.0/integration/vmware/esxicompliancereport.webp) diff --git a/docs/changetracker/8.1/integration/overview.md b/docs/changetracker/8.1/integration/overview.md index d5417dbbc2..bf59c7a354 100644 --- a/docs/changetracker/8.1/integration/overview.md +++ b/docs/changetracker/8.1/integration/overview.md @@ -11,5 +11,5 @@ Netwrix Change Tracker supports the following integrations: - [Netwrix Products](/docs/changetracker/8.1/integration/netwrixproducts/overview.md) - [API](/docs/changetracker/8.1/api/overview.md) - [IT Service Management](/docs/changetracker/8.1/integration/itsm/overview.md) -- [Splunk](/docs/changetracker/8.1/integration/overview_1.md) -- [VMWare](/docs/changetracker/8.1/integration/overview_2.md) +- [Splunk](/docs/changetracker/8.1/integration/splunk.md) +- [VMware](/docs/changetracker/8.1/integration/vmware.md) diff --git a/docs/changetracker/8.1/integration/overview_1.md b/docs/changetracker/8.1/integration/splunk.md similarity index 55% rename from docs/changetracker/8.1/integration/overview_1.md rename to docs/changetracker/8.1/integration/splunk.md index 9e5a1ed70d..a0809bae30 100644 --- a/docs/changetracker/8.1/integration/overview_1.md +++ b/docs/changetracker/8.1/integration/splunk.md 
@@ -6,25 +6,22 @@ sidebar_position: 40 # Splunk -Splunk is used to store logs from devices, databases and applications. Capturing changes to device -configuration, from logs in Splunk, provides a form of agentless monitoring with the ability to -monitor devices that are not currently supported by Change Tracker. This means anything that can -reliably log it's configuration changes to Splunk can be monitored by Change Tracker, including -custom applications. +Splunk stores logs from devices, databases, and applications. Capturing changes to device +configuration, from logs in Splunk, provides a form of agentless monitoring that can monitor +devices Change Tracker doesn't support. This means Change Tracker can monitor anything that can +reliably log its configuration changes to Splunk, including custom applications. -A fully customizable Search Processing Language (SPL) query, executed via the Splunk API, will -return specific logs that are converted to change events in Change Tracker. From this point on, -these change events will behave as if they were produced by a traditional agent. +A fully customizable Search Processing Language (SPL) query, executed via the Splunk API, returns +specific logs that Change Tracker converts to change events. From this point on, these change +events behave as if a traditional agent produced them. -Permissions required for the Splunk can be found in the Authentication and Authorization section of +You can find the permissions required for Splunk in the Authentication and Authorization section of the Splunk Documentation page. See Splunk's [REST API User Manual](https://docs.splunk.com/Documentation/Splunk/9.3.2/RESTUM/RESTusing#rest-api-user-manual) article for additional information on permissions. ## Configure Credentials -Follow the steps to configure Splunk credentials. - **Step 1 –** From the Settings menu select **Credentials** and scroll to the Splunk Credentials section. 
@@ -34,19 +31,19 @@ section. **Step 3 –** Click **Update**. -The Splunk credentials are updated. +Change Tracker updates the Splunk credentials. ## Policy Templates -Policy templates are used to configure what to monitor on the target devices. For Splunk a policy -template that defines an SPL query is required. Splunk's SPL query language is similar to SQL in -that it is very flexible when defining the data to query, how to filter it and what transformations -are required like column aliases. +Use policy templates to configure what to monitor on the target devices. Splunk requires a policy +template that defines an SPL query. Splunk's SPL query language is similar to SQL: it's flexible in +defining the data to query, how to filter it, and what transformations to apply, such as column +aliases. ### Create an SPL Query :::info -It is recommended to develop and test the SPL query in Splunk's Search page. +Develop and test the SPL query in Splunk's Search page. ::: 
@@ -57,17 +54,17 @@ The query must return fields with the following aliases: - eventdate - eventinfo -The value in the eventdate field must be formatted as YYYY-mm-ddTHH:MM:SS. The strftime function can -be used to format date time fields accordingly: strftime(MyDateTimeField,"%Y-%m-%dT%H:%M:%S.%Q"). +Format the value in the eventdate field as YYYY-mm-ddTHH:MM:SS. Use the strftime function to format +date-time fields accordingly: strftime(MyDateTimeField,"%Y-%m-%dT%H:%M:%S.%Q"). -Any further fields added will be included in the body of the events when the reach Change Tracker. -Sourcetype is an example of such a field in the test query below. +Any further fields added appear in the body of the events when they reach Change Tracker. +Sourcetype is an example of such a field in the following test query. ![splunksearch](/images/changetracker/8.1/integration/splunk/splunksearch.webp) -Below is the test query used in this document. This query pulls internal Splunk data that any +This document uses the following test query. This query pulls internal Splunk data that any instance will have while meeting Change Tracker's requirements. The "head 50" clause at the end of -the statement ensures that only 50 rows are returned. +the statement ensures that the query returns only 50 rows. ``` search index=_internal event_message != ""  | rename host as device | eval  whomadethechange = "test-user" | eval eventdate=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q")  | rename event_message as eventinfo | table device whomadethechange eventinfo eventdate sourcetype | head 50 @@ -75,8 +72,6 @@ search index=_internal event_message != ""  | rename host as device | eval   ### Create the Policy Template -Follow the steps to create a policy template. - **Step 1 –** From the Settings menu, select **Policy Templates**. **Step 2 –** Click **Actions** and **Add a Blank Policy Template**. 
@@ -96,10 +91,10 @@ Splunk Search Queries tab. ![splqueryconfiguration](/images/changetracker/8.1/integration/splunk/splqueryconfiguration.webp) -Paste the query, give it a description and click Update. The query will now be listed in the policy. +Paste the query, give it a description, and click Update. The query now appears in the policy. :::note -Ensure the desired polling frequency is set. +Set the polling frequency you want. ::: @@ -107,8 +102,6 @@ Ensure the desired polling frequency is set. ### Devices and Groups -Follow the steps to add a group. - **Step 1 –** From the Settings menu, select **Groups** and click **Add** to add a new group called Splunk Tracker. 
@@ -119,20 +112,18 @@ and click **Add an Existing Template**. ![group2](/images/changetracker/8.1/integration/splunk/group2.webp) -Any device in this group of the type Splunk will execute the Splunk tracking policy created above. +Any device of the type Splunk in this group will execute the Splunk tracking policy created earlier. ![group](/images/changetracker/8.1/integration/splunk/group.webp) -**Step 4 –** Ensure the Splunk Tracker group is selected and click **Add** to add a sub group to the -Splunk Tracker group named Splunk devices. This group will hold the proxied devices that Splunk -events will be matched to. +**Step 4 –** Select the Splunk Tracker group and click **Add** to add a sub group to the +Splunk Tracker group named Splunk devices. This group holds the proxied devices that Change Tracker +matches Splunk events to. ### Devices -To direct the SPL query in the Splunk tracking policy to the target instance of Splunk, a proxied -device must be created with the connection details. - -Follow the steps to manually create a proxied device to represent the target instance of Splunk. +To direct the SPL query in the Splunk tracking policy to the target instance of Splunk, you must +create a proxied device with the connection details. ![manualdevicecreation](/images/changetracker/8.1/integration/splunk/manualdevicecreation.webp) 
@@ -154,15 +145,15 @@ instance. :::note Change events coming into Change Tracker (from Splunk or any agentless monitoring) must -match a device in Change Tracker. Events without a matching device will be ignored +match a device in Change Tracker. Change Tracker ignores events without a matching device ::: This isn't a problem with agent based monitoring as the agent registers it's device on first contact -with the Hub. All types of agentless monitoring require devices to be created in Change Tracker. +with the Hub. All types of agentless monitoring require you to create devices in Change Tracker. -Devices can be created manually or via device discovery. Device discovery is only available when the -Sync Service is configured to integrate with ServiceNow. Both will result in proxied devices +You can create devices manually or via device discovery. Device discovery is only available when you +configure the Sync Service to integrate with ServiceNow. Both will result in proxied devices registered to a proxy device with an agent. To discover devices to match change events from Splunk, see the 
@@ -170,30 +161,30 @@ To discover devices to match change events from Splunk, see the [Sync Service Administration](/docs/changetracker/8.1/integration/itsm/syncserviceadmin.md) topic for additional information. To manually create proxied devices, select a device to be a proxy device (the Hub's agent is often a -good choice here) and click Add Proxied Device. Ensure the new devices are added to the Splunk +good choice here) and click Add Proxied Device. Add the new devices to the Splunk Devices group. -If the logs collected are from a custom application it may be desirable to treat the application as -a device in Change Tracker instead of it's individual servers. This way change events would belong -to the application and not to individual servers. This could be done by manually creating a proxied -device named after the application and then ensuring the SPL query uses the same application name -for it's Device column. +If the logs collected are from a custom application, you may want to treat the application as +a device in Change Tracker instead of its individual servers. This way change events would belong +to the application and not to individual servers. To do this, manually create a proxied +device named after the application, then ensure the SPL query uses the same application name +for its Device column. ## Events -If everything has been configured correctly and communication with the Splunk instance is possible, +If you've configured everything correctly and communication with the Splunk instance is possible, Splunk logs should start arriving as events. ![splunkevents](/images/changetracker/8.1/integration/splunk/splunkevents.webp) -In the body of a Splunk event it's possible to see the required firled from the SPL query. Any field -in the results other than the required fields is added to the additional info section at the bottom -of the event body. This flexible field can list multiple non required fields from the SPL query. 
-This enables full control of what is logged into the events. +The body of a Splunk event shows the required fields from the SPL query. Change Tracker adds any +field in the results other than the required fields to the additional info section at the bottom +of the event body. This flexible field can list multiple non-required fields from the SPL query. +This gives you full control over what Change Tracker logs into the events. ![splunkeventbody](/images/changetracker/8.1/integration/splunk/splunkeventbody.webp) -Manual runs of the tracking policy can be executed from the Splunk device by clicking Start Tracker +You can run the tracking policy manually from the Splunk device by clicking Start Tracker Poll. ![starttrackerpoll](/images/changetracker/8.1/integration/splunk/starttrackerpoll.webp) diff --git a/docs/changetracker/8.1/integration/overview_2.md b/docs/changetracker/8.1/integration/vmware.md similarity index 51% rename from docs/changetracker/8.1/integration/overview_2.md rename to docs/changetracker/8.1/integration/vmware.md index 8c5ca7260a..0ede1a0b47 100644 --- a/docs/changetracker/8.1/integration/overview_2.md +++ b/docs/changetracker/8.1/integration/vmware.md 
@@ -1,31 +1,31 @@ --- -title: "VMWare" -description: "VMWare" +title: "VMware" +description: "VMware" sidebar_position: 50 --- -# VMWare +# VMware -vSphere is VMWare's virtualization platform. Change Tracker includes CIS certified compliance +vSphere is VMware's virtualization platform. Change Tracker includes CIS certified compliance tracking templates to ensure secure configuration of vSphere clusters and their ESXi nodes. ## vSphere/ESXi -Compliance reports for vSphere clusters and their ESXi nodes are executed in an agentless manor with -the use of a proxy agent that has vSphere clusters (or individual ESXi servers) configured as +Change Tracker executes compliance reports for vSphere clusters and their ESXi nodes in an agentless +manner, using a proxy agent that has vSphere clusters (or individual ESXi servers) configured as proxied devices. ## Requirements for the Proxy Agent's Device - .NET 6 - PowerShell 7 -- PowerShell Module VMWare.PowerCLI +- PowerShell Module VMware.PowerCLI - Gen 7 Agent ## Installation -After installing .NET 6 and the Gen 7 Agent, following the instructions below will ensure the proxy -agent's device is able to communicate with vSphere and ESXi devices. +After you install .NET 6 and the Gen 7 Agent, follow these instructions to ensure the proxy +agent's device can communicate with vSphere and ESXi devices. Open a PowerShell console as Administrator to run the following command: @@ -35,7 +35,7 @@ Check installation with: Get-PowerCLIVersion -If self-signed certificates are in use with vCenter, the following command will ignore the errors +If vCenter uses self-signed certificates, the following command ignores the errors this usually raises: Set-PowerCLIConfiguration -InvalidCertificateAction:Ignore -Scope AllUsers 
@@ -46,28 +46,26 @@ Set-PowerCLIConfiguration -Scope AllUsers -ParticipateInCEIP $false ## Configuration -Follow the steps to configure ESXi/vCenter credentials: - **Step 1 –** From the Settings menu, select Credentials and scroll down to the ESXi / vCenter Credentials section. ![esxicredentials](/images/changetracker/8.1/integration/vmware/esxicredentials.webp) **Step 2 –** Click the Add button and enter the credential information. For vCenter / ESXi -monitoring, it is recommended to use vCenter as the Host Type as it allows for ESXi node discovery, -The ESXi Host Type option enables connections to stand alone ESXi servers. +monitoring, use vCenter as the Host Type because it allows for ESXi node discovery. The ESXi Host +Type option enables connections to standalone ESXi servers. ![esxicredentialform](/images/changetracker/8.1/integration/vmware/esxicredentialform.webp) ## Device Discovery -A vSphere cluster is made up of ESXi nodes. In the past, each ESXi node had to be manually added as -a proxied device. It is now possible to add the vSphere service as a proxied device and -automatically discover all of it's ESXi nodes and add them as proxied devices. This allows for -faster configuration and the ability to keep up with fast changing environments where ESXi nodes are -frequently created, removed or even migrated between clusters. +A vSphere cluster consists of ESXi nodes. In the past, you had to add each ESXi node manually as +a proxied device. You can now add the vSphere service as a proxied device and automatically +discover all its ESXi nodes and add them as proxied devices. This speeds up configuration and helps +you keep up with fast-changing environments where ESXi nodes are frequently created, removed, or +migrated between clusters. -From the Settings menu, select Device Discovery. Select ESXi / vCenter Discovery from the drop down +From the Settings menu, select Device Discovery. 
Select ESXi / vCenter Discovery from the dropdown to configure the discovery job. ![devicediscoverygrid](/images/changetracker/8.1/integration/vmware/devicediscoverygrid.webp) @@ -75,17 +73,17 @@ to configure the discovery job. Discovery Device is the device running the agent that will execute the commands to discover the ESXi nodes. -Parent Device in Hub is the proxy device that the proxied devices (that represents the ESXi nodes) -will be registered under. Usually Discovery Device and Parent Device in Hub use the same agent, but -different discovery jobs executed by different proxy agents could be configured to register all of +Parent Device in Hub is the proxy device under which Change Tracker registers the proxied devices +that represent the ESXi nodes. Usually Discovery Device and Parent Device in Hub use the same agent, +but you can configure different discovery jobs, executed by different proxy agents, to register all their discovered nodes under one proxy agent. -The "Assign to Group" drop down is the group the discovered ESXi nodes will be assigned to. There is -no automatic registration so a group must be chosen. +The "Assign to Group" dropdown is the group you assign the discovered ESXi nodes to. There is +no automatic registration, so you must choose a group. ![devicediscoveryform](/images/changetracker/8.1/integration/vmware/devicediscoveryform.webp) -Once configured a discovery job will automatically run and if successful, the devices will be +Once configured, a discovery job will automatically run, and if it succeeds, the devices will be visible in the grid. ![devicediscoverystarted](/images/changetracker/8.1/integration/vmware/devicediscoverystarted.webp) 
@@ -96,7 +94,7 @@ visible in the grid. ## Compliance Reporting -Under the Reports tab, it is now possible to configure and run the appropriate compliance report +Under the Reports tab, you can now configure and run the appropriate compliance report against the group that contains the ESXi devices. ![esxicompliancereport](/images/changetracker/8.1/integration/vmware/esxicompliancereport.webp) diff --git a/docs/changetracker/8.2/integration/overview.md b/docs/changetracker/8.2/integration/overview.md index b64d428077..233d09d166 100644 --- a/docs/changetracker/8.2/integration/overview.md +++ b/docs/changetracker/8.2/integration/overview.md @@ -11,5 +11,5 @@ Netwrix Change Tracker supports the following integrations: - [Netwrix Products](/docs/changetracker/8.2/integration/netwrixproducts/overview.md) - [API](/docs/changetracker/8.2/api/overview.md) - [IT Service Management](/docs/changetracker/8.2/integration/itsm/overview.md) -- [Splunk](/docs/changetracker/8.2/integration/overview_1.md) -- [VMWare](/docs/changetracker/8.2/integration/overview_2.md) +- [Splunk](/docs/changetracker/8.2/integration/splunk.md) +- [VMware](/docs/changetracker/8.2/integration/vmware.md) diff --git a/docs/changetracker/8.2/integration/overview_1.md b/docs/changetracker/8.2/integration/splunk.md similarity index 55% rename from docs/changetracker/8.2/integration/overview_1.md rename to docs/changetracker/8.2/integration/splunk.md index 951d256861..ef799e5787 100644 --- a/docs/changetracker/8.2/integration/overview_1.md +++ b/docs/changetracker/8.2/integration/splunk.md 
@@ -6,25 +6,22 @@ sidebar_position: 40 # Splunk -Splunk is used to store logs from devices, databases and applications. Capturing changes to device -configuration, from logs in Splunk, provides a form of agentless monitoring with the ability to -monitor devices that are not currently supported by Change Tracker. This means anything that can -reliably log it's configuration changes to Splunk can be monitored by Change Tracker, including -custom applications. +Splunk stores logs from devices, databases, and applications. Capturing changes to device +configuration, from logs in Splunk, provides a form of agentless monitoring that can monitor +devices Change Tracker doesn't support. This means Change Tracker can monitor anything that can +reliably log its configuration changes to Splunk, including custom applications. -A fully customizable Search Processing Language (SPL) query, executed via the Splunk API, will -return specific logs that are converted to change events in Change Tracker. From this point on, -these change events will behave as if they were produced by a traditional agent. +A fully customizable Search Processing Language (SPL) query, executed via the Splunk API, returns +specific logs that Change Tracker converts to change events. From this point on, these change +events behave as if a traditional agent produced them. -Permissions required for the Splunk can be found in the Authentication and Authorization section of +You can find the permissions required for Splunk in the Authentication and Authorization section of the Splunk Documentation page. See Splunk's [REST API User Manual](https://docs.splunk.com/Documentation/Splunk/9.3.2/RESTUM/RESTusing#rest-api-user-manual) article for additional information on permissions. ## Configure Credentials -Follow the steps to configure Splunk credentials. - **Step 1 –** From the Settings menu select **Credentials** and scroll to the Splunk Credentials section. 
@@ -34,19 +31,19 @@ section. **Step 3 –** Click **Update**. -The Splunk credentials are updated. +Change Tracker updates the Splunk credentials. ## Policy Templates -Policy templates are used to configure what to monitor on the target devices. For Splunk a policy -template that defines an SPL query is required. Splunk's SPL query language is similar to SQL in -that it is very flexible when defining the data to query, how to filter it and what transformations -are required like column aliases. +Use policy templates to configure what to monitor on the target devices. Splunk requires a policy +template that defines an SPL query. Splunk's SPL query language is similar to SQL: it's flexible in +defining the data to query, how to filter it, and what transformations to apply, such as column +aliases. ### Create an SPL Query :::info -It is recommended to develop and test the SPL query in Splunk's Search page. +Develop and test the SPL query in Splunk's Search page. ::: 
@@ -57,17 +54,17 @@ The query must return fields with the following aliases: - eventdate - eventinfo -The value in the eventdate field must be formatted as YYYY-mm-ddTHH:MM:SS. The strftime function can -be used to format date time fields accordingly: strftime(MyDateTimeField,"%Y-%m-%dT%H:%M:%S.%Q"). +Format the value in the eventdate field as YYYY-mm-ddTHH:MM:SS. Use the strftime function to format +date-time fields accordingly: strftime(MyDateTimeField,"%Y-%m-%dT%H:%M:%S.%Q"). -Any further fields added will be included in the body of the events when the reach Change Tracker. -Sourcetype is an example of such a field in the test query below. +Any further fields added appear in the body of the events when they reach Change Tracker. +Sourcetype is an example of such a field in the following test query. ![splunksearch](/images/changetracker/8.2/integration/splunk/splunksearch.webp) -Below is the test query used in this document. This query pulls internal Splunk data that any +This document uses the following test query. This query pulls internal Splunk data that any instance will have while meeting Change Tracker's requirements. The "head 50" clause at the end of -the statement ensures that only 50 rows are returned. +the statement ensures that the query returns only 50 rows. ``` search index=_internal event_message != ""  | rename host as device | eval  whomadethechange = "test-user" | eval eventdate=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q")  | rename event_message as eventinfo | table device whomadethechange eventinfo eventdate sourcetype | head 50 @@ -75,8 +72,6 @@ search index=_internal event_message != ""  | rename host as device | eval   ### Create the Policy Template -Follow the steps to create a policy template. - **Step 1 –** From the Settings menu, select **Policy Templates**. **Step 2 –** Click **Actions** and **Add a Blank Policy Template**. 
@@ -96,10 +91,10 @@ Splunk Search Queries tab. ![splqueryconfiguration](/images/changetracker/8.2/integration/splunk/splqueryconfiguration.webp) -Paste the query, give it a description and click Update. The query will now be listed in the policy. +Paste the query, give it a description, and click Update. The query now appears in the policy. :::note -Ensure the desired polling frequency is set. +Set the polling frequency you want. ::: @@ -107,8 +102,6 @@ Ensure the desired polling frequency is set. ### Devices and Groups -Follow the steps to add a group. - **Step 1 –** From the Settings menu, select **Groups** and click **Add** to add a new group called Splunk Tracker. 
@@ -119,20 +112,18 @@ and click **Add an Existing Template**. ![group2](/images/changetracker/8.2/integration/splunk/group2.webp) -Any device in this group of the type Splunk will execute the Splunk tracking policy created above. +Any device of the type Splunk in this group will execute the Splunk tracking policy created earlier. ![group](/images/changetracker/8.2/integration/splunk/group.webp) -**Step 4 –** Ensure the Splunk Tracker group is selected and click **Add** to add a sub group to the -Splunk Tracker group named Splunk devices. This group will hold the proxied devices that Splunk -events will be matched to. +**Step 4 –** Select the Splunk Tracker group and click **Add** to add a sub group to the +Splunk Tracker group named Splunk devices. This group holds the proxied devices that Change Tracker +matches Splunk events to. ### Devices -To direct the SPL query in the Splunk tracking policy to the target instance of Splunk, a proxied -device must be created with the connection details. - -Follow the steps to manually create a proxied device to represent the target instance of Splunk. +To direct the SPL query in the Splunk tracking policy to the target instance of Splunk, you must +create a proxied device with the connection details. ![manualdevicecreation](/images/changetracker/8.2/integration/splunk/manualdevicecreation.webp) 
@@ -154,15 +145,15 @@ instance. :::note Change events coming into Change Tracker (from Splunk or any agentless monitoring) must -match a device in Change Tracker. Events without a matching device will be ignored +match a device in Change Tracker. Change Tracker ignores events without a matching device ::: This isn't a problem with agent based monitoring as the agent registers it's device on first contact -with the Hub. All types of agentless monitoring require devices to be created in Change Tracker. +with the Hub. All types of agentless monitoring require you to create devices in Change Tracker. -Devices can be created manually or via device discovery. Device discovery is only available when the -Sync Service is configured to integrate with ServiceNow. Both will result in proxied devices +You can create devices manually or via device discovery. Device discovery is only available when you +configure the Sync Service to integrate with ServiceNow. Both will result in proxied devices registered to a proxy device with an agent. To discover devices to match change events from Splunk, see the 
@@ -170,30 +161,30 @@ To discover devices to match change events from Splunk, see the [Sync Service Administration](/docs/changetracker/8.2/integration/itsm/syncserviceadmin.md) topic for additional information. To manually create proxied devices, select a device to be a proxy device (the Hub's agent is often a -good choice here) and click Add Proxied Device. Ensure the new devices are added to the Splunk +good choice here) and click Add Proxied Device. Add the new devices to the Splunk Devices group. -If the logs collected are from a custom application it may be desirable to treat the application as -a device in Change Tracker instead of it's individual servers. This way change events would belong -to the application and not to individual servers. This could be done by manually creating a proxied -device named after the application and then ensuring the SPL query uses the same application name -for it's Device column. +If the logs collected are from a custom application, you may want to treat the application as +a device in Change Tracker instead of its individual servers. This way change events would belong +to the application and not to individual servers. To do this, manually create a proxied +device named after the application, then ensure the SPL query uses the same application name +for its Device column. ## Events -If everything has been configured correctly and communication with the Splunk instance is possible, +If you've configured everything correctly and communication with the Splunk instance is possible, Splunk logs should start arriving as events. ![splunkevents](/images/changetracker/8.2/integration/splunk/splunkevents.webp) -In the body of a Splunk event it's possible to see the required firled from the SPL query. Any field -in the results other than the required fields is added to the additional info section at the bottom -of the event body. This flexible field can list multiple non required fields from the SPL query. 
-This enables full control of what is logged into the events. +The body of a Splunk event shows the required fields from the SPL query. Change Tracker adds any +field in the results other than the required fields to the additional info section at the bottom +of the event body. This flexible field can list multiple non-required fields from the SPL query. +This gives you full control over what Change Tracker logs into the events. ![splunkeventbody](/images/changetracker/8.2/integration/splunk/splunkeventbody.webp) -Manual runs of the tracking policy can be executed from the Splunk device by clicking Start Tracker +You can run the tracking policy manually from the Splunk device by clicking Start Tracker Poll. ![starttrackerpoll](/images/changetracker/8.2/integration/splunk/starttrackerpoll.webp) diff --git a/docs/changetracker/8.2/integration/overview_2.md b/docs/changetracker/8.2/integration/vmware.md similarity index 51% rename from docs/changetracker/8.2/integration/overview_2.md rename to docs/changetracker/8.2/integration/vmware.md index 1173382edd..37cba26df2 100644 --- a/docs/changetracker/8.2/integration/overview_2.md +++ b/docs/changetracker/8.2/integration/vmware.md 
@@ -1,31 +1,31 @@ --- -title: "VMWare" -description: "VMWare" +title: "VMware" +description: "VMware" sidebar_position: 50 --- -# VMWare +# VMware -vSphere is VMWare's virtualization platform. Change Tracker includes CIS certified compliance +vSphere is VMware's virtualization platform. Change Tracker includes CIS certified compliance tracking templates to ensure secure configuration of vSphere clusters and their ESXi nodes. ## vSphere/ESXi -Compliance reports for vSphere clusters and their ESXi nodes are executed in an agentless manor with -the use of a proxy agent that has vSphere clusters (or individual ESXi servers) configured as +Change Tracker executes compliance reports for vSphere clusters and their ESXi nodes in an agentless +manner, using a proxy agent that has vSphere clusters (or individual ESXi servers) configured as proxied devices. ## Requirements for the Proxy Agent's Device - .NET 6 - PowerShell 7 -- PowerShell Module VMWare.PowerCLI +- PowerShell Module VMware.PowerCLI - Gen 7 Agent ## Installation -After installing .NET 6 and the Gen 7 Agent, following the instructions below will ensure the proxy -agent's device is able to communicate with vSphere and ESXi devices. +After you install .NET 6 and the Gen 7 Agent, follow these instructions to ensure the proxy +agent's device can communicate with vSphere and ESXi devices. Open a PowerShell console as Administrator to run the following command: @@ -35,7 +35,7 @@ Check installation with: Get-PowerCLIVersion -If self-signed certificates are in use with vCenter, the following command will ignore the errors +If vCenter uses self-signed certificates, the following command ignores the errors this usually raises: Set-PowerCLIConfiguration -InvalidCertificateAction:Ignore -Scope AllUsers 
@@ -46,28 +46,26 @@ Set-PowerCLIConfiguration -Scope AllUsers -ParticipateInCEIP $false ## Configuration -Follow the steps to configure ESXi/vCenter credentials: - **Step 1 –** From the Settings menu, select Credentials and scroll down to the ESXi / vCenter Credentials section. ![esxicredentials](/images/changetracker/8.2/integration/vmware/esxicredentials.webp) **Step 2 –** Click the Add button and enter the credential information. For vCenter / ESXi -monitoring, it is recommended to use vCenter as the Host Type as it allows for ESXi node discovery, -The ESXi Host Type option enables connections to stand alone ESXi servers. +monitoring, use vCenter as the Host Type because it allows for ESXi node discovery. The ESXi Host +Type option enables connections to standalone ESXi servers. ![esxicredentialform](/images/changetracker/8.2/integration/vmware/esxicredentialform.webp) ## Device Discovery -A vSphere cluster is made up of ESXi nodes. In the past, each ESXi node had to be manually added as -a proxied device. It is now possible to add the vSphere service as a proxied device and -automatically discover all of it's ESXi nodes and add them as proxied devices. This allows for -faster configuration and the ability to keep up with fast changing environments where ESXi nodes are -frequently created, removed or even migrated between clusters. +A vSphere cluster consists of ESXi nodes. In the past, you had to add each ESXi node manually as +a proxied device. You can now add the vSphere service as a proxied device and automatically +discover all its ESXi nodes and add them as proxied devices. This speeds up configuration and helps +you keep up with fast-changing environments where ESXi nodes are frequently created, removed, or +migrated between clusters. -From the Settings menu, select Device Discovery. Select ESXi / vCenter Discovery from the drop down +From the Settings menu, select Device Discovery. 
Select ESXi / vCenter Discovery from the dropdown to configure the discovery job. ![devicediscoverygrid](/images/changetracker/8.2/integration/vmware/devicediscoverygrid.webp) @@ -75,17 +73,17 @@ to configure the discovery job. Discovery Device is the device running the agent that will execute the commands to discover the ESXi nodes. -Parent Device in Hub is the proxy device that the proxied devices (that represents the ESXi nodes) -will be registered under. Usually Discovery Device and Parent Device in Hub use the same agent, but -different discovery jobs executed by different proxy agents could be configured to register all of +Parent Device in Hub is the proxy device under which Change Tracker registers the proxied devices +that represent the ESXi nodes. Usually Discovery Device and Parent Device in Hub use the same agent, +but you can configure different discovery jobs, executed by different proxy agents, to register all their discovered nodes under one proxy agent. -The "Assign to Group" drop down is the group the discovered ESXi nodes will be assigned to. There is -no automatic registration so a group must be chosen. +The "Assign to Group" dropdown is the group you assign the discovered ESXi nodes to. There is +no automatic registration, so you must choose a group. ![devicediscoveryform](/images/changetracker/8.2/integration/vmware/devicediscoveryform.webp) -Once configured a discovery job will automatically run and if successful, the devices will be +Once configured, a discovery job will automatically run, and if it succeeds, the devices will be visible in the grid. ![devicediscoverystarted](/images/changetracker/8.2/integration/vmware/devicediscoverystarted.webp) 
@@ -96,7 +94,7 @@ visible in the grid. ## Compliance Reporting -Under the Reports tab, it is now possible to configure and run the appropriate compliance report +Under the Reports tab, you can now configure and run the appropriate compliance report against the group that contains the ESXi devices. ![esxicompliancereport](/images/changetracker/8.2/integration/vmware/esxicompliancereport.webp)
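Review bot: the `@@ -11,5 +11,5 @@` hunks in `8.0/integration/overview.md` and `8.2/integration/overview.md` repoint the Splunk and VMware links to the renamed `splunk.md` and `vmware.md`, but the patch adds no redirects from the old `overview_1.md` / `overview_2.md` paths, so any other docs page or external bookmark still pointing at those paths will 404 after the rename lands. Suggest grepping the docs tree for `integration/overview_1.md` and `integration/overview_2.md` and either updating those references in this PR or adding redirect entries for the old slugs.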
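Review bot: in the `@@ -35,7 +35,7 @@` hunk of `8.1/integration/vmware.md` and `8.2/integration/vmware.md`, the rewritten sentence "If vCenter uses self-signed certificates, the following command ignores the errors this usually raises" still presents `Set-PowerCLIConfiguration -InvalidCertificateAction:Ignore -Scope AllUsers` as the fix with no caveat; that setting turns off TLS certificate validation for every PowerCLI session on the proxy agent host, so the vCenter credentials entered in the Configuration section's Step 2 would be sent to any host that answers on that name. Since the sentence is being reworded anyway, suggest stating the preferred option (import the vCenter CA certificate into the proxy host's trusted root store so validation passes) and presenting `Ignore` as a fallback with a one-line warning about what it disables.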
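Review bot: "Splunk's SPL query language is similar to SQL" in the `@@ -34,19 +31,19 @@` hunk of `8.2/integration/splunk.md` is redundant, because the page has just expanded SPL as Search Processing Language, so the phrase reads "Search Processing Language query language". Suggest "Splunk's SPL is similar to SQL: it's flexible in defining the data to query, how to filter it, and what transformations to apply, such as column aliases."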
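Review bot: the `@@ -57,17 +54,17 @@` hunk of `8.2/integration/splunk.md` keeps a mismatch between the required format and the example that is supposed to produce it: the text says "Format the value in the eventdate field as YYYY-mm-ddTHH:MM:SS", but `strftime(MyDateTimeField,"%Y-%m-%dT%H:%M:%S.%Q")` and the test query's `eval eventdate=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q")` both append milliseconds via `.%Q`. Either state the accepted format with the fractional part or drop `.%Q` from both the example and the query, and while touching the line, use `YYYY-MM-DDTHH:MM:SS` rather than `YYYY-mm-dd`, since `mm` reads as minutes next to the strftime directives. The same hunk's context also hard-codes `eval whomadethechange = "test-user"`; a sentence saying this is a placeholder that readers should replace with the real user field from their source would stop people shipping a query that attributes every change to a fixed name.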
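Review bot: "add a sub group to the Splunk Tracker group" in the `@@ -119,20 +112,18 @@` hunk of `8.2/integration/splunk.md` should be "subgroup", matching the "standalone" and "dropdown" normalisations this patch makes in `vmware.md`. The same hunk also drops the sentence "Follow the steps to manually create a proxied device to represent the target instance of Splunk." and keeps only "you must create a proxied device with the connection details"; consider keeping "manually" there, because the later Devices text distinguishes manual creation from Sync Service discovery and the retained sentence no longer signals which one this section walks through.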
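Review bot: the `@@ -154,15 +145,15 @@` hunk of `8.2/integration/splunk.md` leaves the context line "the agent registers it's device on first contact" untouched, even though the rest of this patch corrects "it's" to "its" (for example in the `@@ -170,30 +161,30 @@` hunk); that line sits between two lines this hunk already rewrites, so it should be fixed here. The rewritten note text "Change Tracker ignores events without a matching device" also still ends without a period before the closing `:::`.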
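Review bot: "ensure the SPL query uses the same application name for its Device column" in the `@@ -170,30 +161,30 @@` hunk of `8.2/integration/splunk.md` capitalises a field that the Create an SPL Query section requires as the lowercase alias `device` (the test query does `rename host as device`). Suggest writing it as `device` in code font so readers do not alias the column as `Device` and end up with events that never match a proxied device, which the preceding note says are silently ignored.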