SPP, Lösungen im Team   Page 1/24
How to Build a simple App for Splunk
Version: 1.2 Date: 25.03.2010
Project: How to Build a simple App for Splunk
Project Leader: Alexander Szönyi
Responsible: Alexander Szönyi
Created: 25.03.2010
Last Change:
Revision:
Reference:
Change log
No.  Date        Version  Author  Comment
1    25.03.2010  1.0      Szönyi  Create Document
Table of Contents
1 Create a new APP (Sample Snort App) ... 4
2 Create a Index for your App (Sample Snort App) ... 5
3 Install Snort on your System ... 7
4 Create a Data Input for your App (Sample Snort App) ... 7
5 Test your new APP with a search (Sample Snort App) ... 8
6 Create 3 new important Fields for your App (Sample Snort App) ... 9
7 Create 3 new searches for your new App ... 14
8 Generate a Dashboard for your new APP ... 20
  - Launch to your new App and press the button Actions and select Create new dashboard... ... 20
1 Create a new APP (Sample Snort App)
- Log in to Splunk
- Go to Manager -> Apps
- Click the Create app button
- Fill in the form (see picture)
- When you are finished, press the Save button
2 Create an Index for your App (Sample Snort App)
- Launch your new App
- Go from your App directly to Manager -> Indexes (this is important, so that your new index is associated with your App)
- Click the New button
- Fill in the form (see picture)
- When you are finished, press the Save button
- Restart Splunk (Manager -> Server controls -> Restart Splunk)
3 Install Snort on your System
- In my example: apt-get install snort (Ubuntu installation)
4 Create a Data Input for your App (Sample Snort App)
- Launch your new App
- Go from your App directly to Manager -> Data inputs (this is important, so that the new input belongs to your App)
- In my example, choose Files & Directories
- Click the New button
- Fill in the form (see picture) and then go to your new App
5 Test your new APP with a search (Sample Snort App)
- Type index=snort * into the search window, then press Enter
6 Create 3 new important Fields for your App (Sample Snort App)
- Go to your new App
- Type index=snort * into the search window, then press Enter
- Press the button to the right of your messages (see picture)
- Choose Extract Fields (a new window appears)
- Now you are in the Interactive Field Extractor window
- First we want to extract the following field (marked in yellow in the picture):
  [**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**] [Classification: Attempted Denial of Service] [Priority: 2] 03/25-10:11:13.949172 10.1.1.67:56206 -> 10.1.1.172:8000 TCP TTL:128 TOS:0x0 ID:4168 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x79E273B3 Ack: 0x29A5CE25 Win: 0x4029 TcpLen: 20
- First, copy and paste all messages (see the yellow marking) into the Example values box and click Generate (see picture)
- Now a regex has been generated for your field: (?im)^(?:[^ ]* ){2}(?P<snort_message>.*?)\s+\[ , but you can see in the picture that this regex also matches other text in your log.
- So the correct regex for your field is (?im)^[^ ]* \[\d+:\d+:\d+]\s+(?P<snort_message>.*?)\s+\[ ; you can now see in the picture that only your messages are marked.
- Save your new field: press the Save button and save the field as snort_message (see picture).
- Repeat these steps for the following new fields:
  o snort_classification
    [**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**] [Classification: Attempted Denial of Service] [Priority: 2] 03/25-10:11:13.949172 10.1.1.67:56206 -> 10.1.1.172:8000 TCP TTL:128 TOS:0x0 ID:4168 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x79E273B3 Ack: 0x29A5CE25 Win: 0x4029 TcpLen: 20
    Regex = (?i)\[Classification: (?P<snort_classification>[^\]]*)(?=\])
  o snort_priority
    [**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**] [Classification: Attempted Denial of Service] [Priority: 2] 03/25-10:11:13.949172 10.1.1.67:56206 -> 10.1.1.172:8000 TCP TTL:128 TOS:0x0 ID:4168 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x79E273B3 Ack: 0x29A5CE25 Win: 0x4029 TcpLen: 20
    Regex = (?i)\[Priority:\s+(?P<snort_priority>[^\]]*)(?=\])
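As an added example (not part of the tutorial or of Splunk itself), the three extraction regexes above applied with Python's re module to the sample alert, plus a check that mirrors the first saved search in section 7 (every field must be present). The named groups use the field names the tutorial saves the extractions under; the second event is constructed and deliberately has no Classification tag.

```python
import re

# The three extraction regexes from the tutorial; the group name of each
# is the field name it is saved under (snort_message, ...).
SNORT_FIELD_REGEXES = {
    "snort_message": r"(?im)^[^ ]* \[\d+:\d+:\d+]\s+(?P<snort_message>.*?)\s+\[",
    "snort_classification": r"(?i)\[Classification: (?P<snort_classification>[^\]]*)(?=\])",
    "snort_priority": r"(?i)\[Priority:\s+(?P<snort_priority>[^\]]*)(?=\])",
}
COMPILED = {name: re.compile(rx) for name, rx in SNORT_FIELD_REGEXES.items()}


def extract_snort_fields(event: str) -> dict:
    """Apply each regex to one Snort alert event; a field that does not match is None."""
    fields = {}
    for name, rx in COMPILED.items():
        match = rx.search(event)
        fields[name] = match.group(name) if match else None
    return fields


def matches_first_search(fields: dict) -> bool:
    """Mirror the tutorial's first search (snort_message="*" snort_classification="*"
    snort_priority="*"): the event only qualifies when all three fields were extracted."""
    return all(fields.get(name) for name in SNORT_FIELD_REGEXES)


# Constructed sample events. The first is the alert from the tutorial, split into
# the lines Snort writes; the second is made up and lacks a Classification tag.
SAMPLE_EVENT = (
    "[**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**] "
    "[Classification: Attempted Denial of Service] [Priority: 2]\n"
    "03/25-10:11:13.949172 10.1.1.67:56206 -> 10.1.1.172:8000\n"
    "TCP TTL:128 TOS:0x0 ID:4168 IpLen:20 DgmLen:40 DF\n"
    "***A**** Seq: 0x79E273B3 Ack: 0x29A5CE25 Win: 0x4029 TcpLen: 20"
)
NO_CLASS_EVENT = (
    "[**] [1:2:1] CONSTRUCTED test alert [**] [Priority: 3]\n"
    "03/25-10:12:00.000000 10.1.1.67:56207 -> 10.1.1.172:8000"
)

if __name__ == "__main__":
    for event in (SAMPLE_EVENT, NO_CLASS_EVENT):
        fields = extract_snort_fields(event)
        print(fields, "-> in first search:", matches_first_search(fields))
```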
7 Create 3 new searches for your new App
- The first search is index="snort" snort_message="*" snort_classification="*" snort_priority="*" src_ip="*" src_port="*" dest_ip="*" dest_port="*" (see picture)
- To save the search, go to the Actions button and press Save search... (see picture)
- A new window appears; name the search Snort Alerts Last 4 Hours (see picture) and save it.
- The second search is a report; the search is index="snort" snort_priority="*" snort_message="*" snort_classification="*". On the left side of the window, in the field list, press the button to the right of snort_message (see picture).
- Now choose Report on: top values overall, and set the Chart Title to Snort Top messages overall
- Press the Save button and choose Save Report...
- Name the saved report Snort Top messages overall and save it.
- The third search is also a report; the search is index="snort" snort_priority="*" snort_message="*" snort_classification="*". On the left side of the window, in the field list, press the button to the right of snort_priority, choose top values by time, and save your report as Snort Prioritys in the last 24 Hours (see the picture for how it looks).
8 Generate a Dashboard for your new APP
- Launch your new App, press the Actions button and select Create new dashboard...
- Name the dashboard SNORT (see picture) and press Create
- Now press Edit the dashboard
- Build your first panel, name it Snort Prioritys in the last 24 Hours (see picture) and press Add panel
- Add the next panel, Snort Top messages overall (see picture).
- Add the last panel, Snort Alerts Last 4 Hours (see picture), and close.
- Now you see your new dashboard (see picture)
LAST POINT: do not forget to give other people access to your new App and its index, searches, reports and dashboards.