Seamlessly integrate WALLIX Bastion PAM logs with Splunk for enhanced security monitoring and automated response
Features • Installation • Configuration • Dashboards • Support
The WALLIX Bastion Technology Add-on (TA-WALLIX_Bastion) is the official Splunk integration for WALLIX Bastion, enabling organizations to centralize, analyze, and respond to privileged access activity in real time.
WALLIX Bastion is an enterprise-grade Privileged Access Management (PAM) solution that secures and monitors access to critical infrastructure. This add-on bridges WALLIX Bastion with Splunk to provide:
- 🔍 Deep visibility into privileged sessions and access patterns
- 📊 Real-time dashboards for security operations teams
- 🚨 Automated alerting on suspicious activities
- ⚡ Remote session termination via API integration
- 📈 Compliance reporting for audit requirements
| Property | Details |
|---|---|
| Version | 1.0.6 |
| Author | WALLIX |
| Compatibility | Splunk Enterprise 7.0+, Splunk Cloud |
| Platforms | Linux, Windows, macOS |
| Type | Technology Add-on (TA) |
Automatically extracts 30+ fields from WALLIX Bastion logs with zero configuration:
- Identity & Access: Users, accounts, devices, source/target IPs
- Session Metadata: Session IDs, duration, status, termination reasons
- Security Context: Authentication methods, key fingerprints, MFA status
- Activity Tracking: Commands executed, files transferred, system events
- Audit Trail: Complete forensic data for compliance and investigations
Real-time monitoring of bastion access with:
- Authentication success/failure rates
- Active vs. terminated sessions
- Geographic distribution of access attempts
- Temporal analysis with trend visualization
User-centric views featuring:
- Per-user session statistics and patterns
- Access duration analytics
- Target system inventory per user
- Behavioral anomaly detection
Forensic-grade activity logging:
- Command execution history with full context
- File transfer monitoring (upload/download)
- System-level event correlation
- Searchable audit trail for investigations
Terminate suspicious sessions automatically based on defined criteria:
- API-driven: Direct integration with WALLIX Bastion REST API
- Context-aware: Preserve session metadata for post-incident analysis
- Configurable: Define custom termination triggers and policies
- Auditable: All automated actions logged for compliance
Web-based configuration interface for:
- WALLIX Bastion URL and credentials
- API key management (encrypted storage)
- Connection pooling and timeout settings
- Custom field mapping and extraction rules
- Splunk Enterprise 7.0+ or Splunk Cloud
- WALLIX Bastion instance with syslog configured
- Administrator permissions on Splunk
- Network connectivity between Splunk and WALLIX Bastion
- Navigate to Apps > Manage Apps in Splunk Web
- Click Install app from file
- Upload `TA-WALLIX_Bastion-1.0.6.spl`
- Restart Splunk when prompted
```bash
cd $SPLUNK_HOME/etc/apps/
tar -xzf TA-WALLIX_Bastion-1.0.6.spl
$SPLUNK_HOME/bin/splunk restart
```

Deployment server: the deployment server distributes app directories, so extract the package into `deployment-apps` rather than copying the `.spl` file there.

```bash
# Extract into the deployment apps directory
tar -xzf TA-WALLIX_Bastion-1.0.6.spl -C $SPLUNK_HOME/etc/deployment-apps/
```

```ini
# serverclass.conf
[serverClass:wallix_bastion]
whitelist.0 = *
[serverClass:wallix_bastion:app:TA-WALLIX_Bastion]
restartSplunkd = true
```

```bash
# Reload deployment server
$SPLUNK_HOME/bin/splunk reload deploy-server
```

`whitelist.0 = *` pushes the add-on to every deployment client; narrow the whitelist to the forwarders that actually receive the Bastion syslog feed and to the search head that runs the dashboards and alert actions.

UDP input:

```ini
# inputs.conf
[udp://514]
sourcetype = WB:syslog
index = wallix_bastion
no_appending_timestamp = true
```

TCP input:

```ini
# inputs.conf
[tcp://514]
sourcetype = WB:syslog
index = wallix_bastion
connection_host = ip
```

Binding port 514 requires Splunk to run as root or to hold the capability to bind privileged ports; a common alternative is a high port (for example 5514) or a local syslog daemon in front of Splunk that writes to a monitored file. Plain UDP and TCP syslog are neither authenticated nor encrypted, so keep the Bastion-to-Splunk path on a trusted network segment, or use Splunk's `tcp-ssl://` input type where the Bastion side can emit TLS syslog. UDP additionally offers no delivery guarantee, so audit events can be silently lost under load.
- Access WALLIX Bastion admin interface
- Navigate to Configuration > Logs > Syslog
- Add Splunk server:
  - Host: `<splunk_ip>`
  - Port: `514`
  - Protocol: UDP or TCP
  - Format: RFC 5424 or legacy
- Select events to forward (recommended: all audit events)
- Go to Apps > WALLIX Bastion > Configuration
- Enter connection details:
  - WALLIX Bastion URL: `https://bastion.company.com`
  - API Key: [Your API key]

Equivalent settings file:

```ini
# ta_wallix_bastion_settings.conf
[additional_parameters]
wallix_bastion_url = https://bastion.company.com
api_key = <encrypted_key>
timeout = 30
verify_ssl = true
```

Leave `verify_ssl = true`: the Kill Session action sends the API key to whatever answers at `wallix_bastion_url`, so disabling certificate verification lets an on-path attacker capture it. Enter the key through the configuration UI so it is stored encrypted rather than written in clear text into the file, and issue it from a Bastion account limited to the permissions the add-on needs (reading and terminating sessions).
```ini
# indexes.conf
[wallix_bastion]
homePath = $SPLUNK_DB/wallix_bastion/db
coldPath = $SPLUNK_DB/wallix_bastion/colddb
thawedPath = $SPLUNK_DB/wallix_bastion/thaweddb
maxDataSize = auto_high_volume
# 1 year retention (Splunk .conf files take comments only on their own line)
frozenTimePeriodInSecs = 31536000
```
Monitor all WALLIX Bastion activity:

```spl
sourcetype="WB:syslog"
```

Failed authentication attempts (the threshold is relative to the search time range):

```spl
sourcetype="WB:syslog" WB_Event="wabauth" WB_Status="failure"
| stats count by WB_User, WB_Client_Ip
| where count > 5
```

Long-running sessions (over 4 hours):

```spl
sourcetype="WB:syslog" WB_Event="session_established"
| eval duration_sec=tonumber(WB_Duration)
| where duration_sec > 14400
| table _time WB_User WB_Target WB_Duration
```

Privileged command execution:

```spl
sourcetype="WB:syslog" WB_Event="command"
| search WB_Command IN ("sudo*", "su -*", "passwd*", "rm -rf*")
| table _time WB_User WB_Target WB_Command
```
| Field | Description | Example Value |
|---|---|---|
| WB_Event | Event type identifier | wabauth, session_established, command |
| WB_User | Authenticated username | john.doe@company.com |
| WB_Target | Target system FQDN/IP | prod-db-01.internal |
| WB_Session_Id | Unique session identifier | sess_1a2b3c4d5e |
| WB_Status | Operation status | success, failure |
| WB_Client_Ip | Source IP address | 192.168.1.100 |
| WB_Duration | Session duration (seconds) | 3600 |
| WB_Command | Executed command | /usr/bin/apt-get update |
| WB_Auth_Type | Authentication method | password, pubkey, mfa |
| WB_Disconnect_Reason | Session end reason | user_initiated, timeout, killed |
```spl
sourcetype="WB:syslog" WB_Event="command"
(WB_Command="*rm -rf /*" OR WB_Command="*dd if=/dev/zero*" OR WB_Command="*mkfs*")
| eval severity="CRITICAL"
| table _time WB_User WB_Target WB_Command WB_Session_Id severity
```

Alert Action: Configure Kill Session with:
- Session ID: `$result.WB_Session_Id$`
- Reason: `Dangerous command detected: $result.WB_Command$`

Two caveats. The alert fires after the command has already been logged, so killing the session contains whatever follows rather than preventing the first command; run the search as a real-time alert or on a one-minute schedule to keep that window short. The wildcard `*rm -rf /*` also matches benign paths such as `rm -rf /tmp/build`, so expect false positives and tighten the pattern before wiring it to an automatic kill.

```spl
sourcetype="WB:syslog" WB_Event="session_established"
| stats count by WB_User, WB_Target
| where count > 20
| eval alert_reason="Unusual access pattern detected"
```

The count here is relative to the alert's search window; 20 sessions to one target means something different over 15 minutes than over 24 hours, so choose the window deliberately.
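The searches and alerts above can be exercised offline. The following is an added example, not the add-on's own code: it models the key="value" extraction the TA performs (the same shape as the `EXTRACT-` regex shown later for custom fields) and re-implements the failed-authentication, dangerous-command and long-session logic over constructed events. The raw key names (`type`, `user`, `client_ip`, ...) and their mapping to the `WB_*` fields are assumptions, and the sample lines are constructed, not real Bastion output. The dangerous-command pattern is deliberately tighter than the README's `*rm -rf /*` wildcard so that `rm -rf /tmp/build` is not flagged.

```python
"""Offline model of the add-on's key="value" extraction and of the README's
searches and alerts. Added example, not the TA's code; raw key names, the
WB_* mapping and the sample lines are constructed assumptions."""
import re
from collections import Counter

# One key="value" pair; backslash-escaped quotes inside the value are allowed,
# the same shape as the EXTRACT- regex in props.conf.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Assumed mapping from raw log keys to the add-on's field names.
FIELD_MAP = {
    "type": "WB_Event", "user": "WB_User", "target": "WB_Target",
    "session": "WB_Session_Id", "status": "WB_Status", "client_ip": "WB_Client_Ip",
    "duration": "WB_Duration", "command": "WB_Command", "auth": "WB_Auth_Type",
}


def _line(**kv):
    """Constructed syslog line: RFC 5424 header followed by key="value" pairs."""
    body = " ".join(f'{k}="{v}"' for k, v in kv.items())
    return f"<86>1 2024-05-01T10:00:01Z bastion01 WAB - - - {body}"


SAMPLE_LOGS = (  # constructed sample events
    [_line(type="wabauth", user="alice", client_ip="192.168.1.100", status="failure")] * 6
    + [_line(type="wabauth", user="bob", client_ip="10.0.0.7", status="failure")] * 2
    + [_line(type="wabauth", user="bob", client_ip="10.0.0.7", status="success")]
    + [
        _line(type="command", user="bob", target="prod-db-01.internal", session="sess_1",
              command="rm -rf /tmp/build"),
        _line(type="command", user="bob", target="prod-db-01.internal", session="sess_1",
              command="sudo rm -rf /"),
        _line(type="command", user="carol", target="web-02", session="sess_2",
              command="dd if=/dev/zero of=/dev/sda bs=1M"),
        _line(type="command", user="carol", target="web-02", session="sess_2",
              command='echo \\"hello\\"'),  # escaped quotes inside the value
        _line(type="session_established", user="dave", target="db-03", session="sess_3", duration="20000"),
        _line(type="session_established", user="erin", target="db-03", session="sess_4", duration="120"),
    ]
)


def parse_line(line):
    """Extract every key="value" pair and rename keys to WB_* fields."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        value = re.sub(r"\\(.)", r"\1", raw)  # drop the escaping backslashes
        fields[FIELD_MAP.get(key, "WB_" + key.capitalize())] = value
    return fields


def parse_all(lines):
    return [parse_line(line) for line in lines]


def failed_auth_sources(events, threshold=5):
    """WB_Event=wabauth WB_Status=failure | stats count by WB_User, WB_Client_Ip | where count > threshold"""
    counts = Counter(
        (e["WB_User"], e["WB_Client_Ip"]) for e in events
        if e.get("WB_Event") == "wabauth" and e.get("WB_Status") == "failure")
    return {pair: n for pair, n in counts.items() if n > threshold}


# Tighter than "*rm -rf /*": rm with a recursive flag whose target is the root
# itself, so "rm -rf /tmp/build" is not flagged.
DANGEROUS = [
    re.compile(r"\brm\s+-\w*r\w*\s+/(?:\s|$)"),
    re.compile(r"\bdd\s+if=/dev/zero\b"),
    re.compile(r"\bmkfs(?:\.\w+)?\b"),
]


def dangerous_commands(events):
    """Rows the Kill Session alert would act on: (WB_Session_Id, WB_User, WB_Command)."""
    return [(e["WB_Session_Id"], e["WB_User"], e["WB_Command"]) for e in events
            if e.get("WB_Event") == "command"
            and any(p.search(e.get("WB_Command", "")) for p in DANGEROUS)]


def long_sessions(events, limit_sec=14400):
    """Sessions whose WB_Duration exceeds the limit (4 hours by default)."""
    return [(e["WB_User"], e["WB_Target"], int(e["WB_Duration"])) for e in events
            if e.get("WB_Event") == "session_established"
            and e.get("WB_Duration", "").isdigit() and int(e["WB_Duration"]) > limit_sec]


if __name__ == "__main__":
    events = parse_all(SAMPLE_LOGS)
    print("brute force:", failed_auth_sources(events))
    print("kill:", dangerous_commands(events))
    print("long:", long_sessions(events))
```

The tuples returned by `dangerous_commands` are exactly what the Kill Session action receives through `$result.WB_Session_Id$` and `$result.WB_Command$`; swapping the `DANGEROUS` list for the README's broad wildcards will make the `rm -rf /tmp/build` line match as well, which is the false-positive case to tune for.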
TA-WALLIX_Bastion/
├── app.manifest # Splunk app metadata
├── default/
│ ├── app.conf # App configuration
│ ├── props.conf # Field extraction & transforms
│ ├── transforms.conf # Lookup definitions
│ ├── alert_actions.conf # Custom alert actions
│ ├── restmap.conf # REST endpoint configuration
│ └── data/ui/
│ ├── nav/ # Navigation definitions
│ └── views/ # Dashboard XML
├── bin/
│ ├── ta_wallix_bastion/
│ │ ├── modalert_kill_session_helper.py
│ │ ├── alert_actions_base.py
│ │ └── [libraries]/ # solnlib, requests, etc.
│ └── TA_WALLIX_Bastion_rh_settings.py
├── appserver/
│ ├── static/ # CSS, JavaScript, images
│ └── templates/ # HTML templates (Jinja2)
├── metadata/ # Permissions & navigation
└── static/ # App icons
Check:
- WALLIX syslog configuration: `grep syslog /var/log/wallix/*`
- Network connectivity: `telnet <splunk_ip> 514` (this exercises only the TCP input; for UDP, confirm arrival with a packet capture on the Splunk host)
- Splunk input status: `$SPLUNK_HOME/bin/splunk list inputstatus`
- Firewall rules on both sides
Verify:

```spl
index=_internal source=*splunkd.log* "listening on port 514"
```
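When the listener is up but nothing appears in `index=wallix_bastion`, a synthetic event isolates the Splunk side from the Bastion side. The script below is an added example, not part of the add-on: it builds an RFC 5424 line in the shape of a Bastion audit event and pushes it at the input over UDP or TCP, after which the session id string can be searched for in the index. The `WAB` app-name, the `local0` facility and the key="value" payload are constructed placeholders, not the Bastion's real output format.

```python
"""Added example, not part of the add-on: emit a test RFC 5424 event at the
Splunk syslog input. The WAB app-name, local0 facility and the key="value"
payload are constructed placeholders for illustration."""
import socket
import sys
from datetime import datetime, timezone

FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6
EXAMPLE_TIME = datetime(2024, 5, 1, 10, 0, 1, tzinfo=timezone.utc)  # fixed stamp for repeatable output


def rfc5424(msg, hostname="bastion01", appname="WAB", facility=FACILITY_LOCAL0,
            severity=SEVERITY_INFO, when=None, msgid="-"):
    """<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG.
    PRI is facility*8 + severity. The line carries its own timestamp, which is
    what no_appending_timestamp = true on the UDP input relies on."""
    pri = facility * 8 + severity
    when = when or datetime.now(timezone.utc)
    stamp = when.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"  # millisecond precision
    return f"<{pri}>1 {stamp} {hostname} {appname} - {msgid} - {msg}"


def parse_pri(line):
    """Inverse of the PRI encoding, useful when checking what Splunk ingested."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("no PRI field")
    pri = int(line[1:line.index(">")])
    return pri // 8, pri % 8


def send_syslog(host, port, line, proto="udp", timeout=5):
    """Deliver one line. UDP is fire-and-forget; TCP gets a newline terminator
    because Splunk's TCP input splits the stream on it. Returns bytes sent."""
    data = line.encode()
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            return sock.sendto(data, (host, port))
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(data + b"\n")
        return len(data) + 1


def test_event(session_id="sess_test0001"):
    """A constructed key="value" payload mirroring the fields the add-on extracts."""
    return rfc5424(f'type="session_established" user="probe@company.com" '
                   f'target="splunk-smoke-test" session="{session_id}" status="success"')


if __name__ == "__main__":
    # usage: python send_test_event.py <splunk_ip> [udp|tcp] [port]
    target = sys.argv[1]
    proto = sys.argv[2] if len(sys.argv) > 2 else "udp"
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 514
    print(send_syslog(target, port, test_event(), proto), "bytes sent via", proto)
```

After sending, search `index=wallix_bastion sess_test0001` over the last few minutes. A hit with the right `sourcetype` confirms the input, index and routing; if the event lands but with an ingest-time `_time` far from the embedded stamp, the timestamp format the Bastion emits is not being recognised and `props.conf` needs a `TIME_FORMAT`.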
Validate regex:

```bash
$SPLUNK_HOME/bin/splunk cmd btool props list --app=TA-WALLIX_Bastion --debug
```

Test extraction:

```spl
sourcetype="WB:syslog" | head 1 | extract reload=T
```
Debug logs:

```spl
index=_internal source="*modalert_kill_session*" ERROR
```
Common causes:
- Invalid API key (check encryption)
- Network timeout (increase timeout value)
- Insufficient API permissions
- Session already terminated
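The four causes above split into two classes: a rejected or under-privileged key and an already-terminated session will not get better on retry, whereas a timeout or a transient server error might. The following is an added example, not the add-on's `modalert_kill_session_helper.py`: it terminates a session over REST with bounded exponential backoff and classifies failures along that line, so a permanent failure is logged once instead of being retried three times. Everything about the endpoint is assumed: the path `/api/sessions/<id>/kill` and the JSON body are hypothetical placeholders, not the real Bastion API; only the `X-Auth-Key` header and the base URL come from this page. The transport is injected so the retry logic runs offline against scripted responses.

```python
"""Added example, not the TA's modalert_kill_session_helper.py: kill a Bastion
session over REST with bounded retries. The endpoint path and JSON body are
hypothetical; only X-Auth-Key and the base URL come from the README."""
import json
import ssl
import time
import urllib.error
import urllib.request


class KillSessionError(Exception):
    """Termination failed; .retryable says whether a later attempt could succeed."""

    def __init__(self, message, retryable):
        super().__init__(message)
        self.retryable = retryable


def http_send(url, api_key, body, timeout, verify_ssl=True):
    """Default transport: one HTTPS POST. Returns (status, response_text)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"X-Auth-Key": api_key, "Content-Type": "application/json"})
    ctx = ssl.create_default_context()
    if not verify_ssl:  # equivalent of verify_ssl = false; never do this in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a status code
        return err.code, err.read().decode()


def kill_session(base_url, api_key, session_id, reason, send=http_send,
                 timeout=30, retries=3, backoff=1.0, sleep=time.sleep):
    """Retry only transient failures (network errors, timeouts, 5xx). 401/403
    (bad key or missing permission) and 404 (session already gone) are
    permanent and raised immediately so they are logged exactly once."""
    url = f"{base_url.rstrip('/')}/api/sessions/{session_id}/kill"  # hypothetical path
    body = {"reason": reason}
    attempt = 0
    while True:
        attempt += 1
        try:
            status, text = send(url, api_key, body, timeout)
        except OSError as err:  # URLError, socket timeout, connection refused
            status, text = None, str(err)
        if status is not None and 200 <= status < 300:
            return {"session_id": session_id, "attempts": attempt, "status": status}
        if status in (401, 403):
            raise KillSessionError(f"API key rejected or lacks permission ({status})", retryable=False)
        if status == 404:
            raise KillSessionError("session not found, probably already terminated", retryable=False)
        if attempt > retries:
            raise KillSessionError(f"gave up after {attempt} attempts: {status} {text}", retryable=True)
        sleep(backoff * 2 ** (attempt - 1))  # exponential backoff: 1s, 2s, 4s


def scripted_sender(responses):
    """Constructed offline transport: replays (status, text) tuples or exceptions
    in order and records each URL hit, so the retry logic runs without a Bastion."""
    calls, queue = [], list(responses)

    def send(url, api_key, body, timeout):
        calls.append(url)
        item = queue.pop(0)
        if isinstance(item, Exception):
            raise item
        return item
    return send, calls


def demo():
    """Three scripted scenarios; returns their outcomes for inspection."""
    no_wait = lambda seconds: None  # skip the backoff sleeps in the demo
    key, sid = "YOUR_KEY", "sess_1a2b3c4d5e"
    outcomes = {}

    send, calls = scripted_sender([(503, "busy"), TimeoutError("timed out"), (200, "{}")])
    res = kill_session("https://bastion.company.com/", key, sid,
                       "Dangerous command detected: rm -rf /", send=send, sleep=no_wait)
    outcomes["recovered"] = (res["attempts"], calls[0])

    send, _ = scripted_sender([(403, "forbidden")])
    try:
        kill_session("https://bastion.company.com", key, sid, "test", send=send, sleep=no_wait)
    except KillSessionError as err:
        outcomes["forbidden"] = err.retryable

    send, calls = scripted_sender([(500, "err")] * 4)
    try:
        kill_session("https://bastion.company.com", key, sid, "test", send=send, sleep=no_wait)
    except KillSessionError as err:
        outcomes["exhausted"] = (err.retryable, len(calls))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Whatever the real helper does, the audit requirement in the feature list means every outcome, including the permanent failures, should be written to the alert action's log with the session id and reason; `retryable` is the field that tells an operator whether the session may still be live and needs a manual kill.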
API connectivity test:

```bash
curl -k -H "X-Auth-Key: YOUR_KEY" https://bastion.company.com/api/sessions
```

`-k` skips certificate verification and is only acceptable for a one-off reachability check. If the request succeeds only with `-k`, the add-on will still fail while `verify_ssl = true`; fix the trust chain (import the Bastion's issuing CA into the Splunk host's trust store) rather than turning verification off.

Edit `local/props.conf` in the app (changes made in `default/` are overwritten on upgrade):

```ini
[WB:syslog]
EXTRACT-custom_field = \scustom=\"(?P<WB_Custom_Field>[^\"]+)\"
```
- Create script in `bin/ta_wallix_bastion/modalert_custom_action_helper.py`
- Define action in `default/alert_actions.conf`
- Add UI template in `appserver/templates/custom_action.html`
```bash
# Validate configuration
$SPLUNK_HOME/bin/splunk btool check --app=TA-WALLIX_Bastion

# Test field extractions
$SPLUNK_HOME/bin/splunk search 'sourcetype="WB:syslog" | head 1'

# Inspect Python dependencies
$SPLUNK_HOME/bin/splunk cmd python -m pip list
```

- ✅ Full Python 3 compatibility
- ✅ Enhanced configuration UI with input validation
- ✅ Improved Kill Session action with retry logic
- ✅ Optimized field extraction performance
- ✅ Updated dependencies (solnlib, requests)
See CHANGELOG.md for complete history.
- Email: support@wallix.com
- GitHub Issues: Report a bug
- Enterprise Support: Contact your WALLIX account manager
This add-on is proprietary software developed by WALLIX. See LICENSE for terms and conditions.
We welcome feedback and contributions! Please review our Contributing Guidelines before submitting issues or pull requests.
Made with ❤️ by WALLIX
