
How to Build a simple App for Splunk

Version: 1.2
Date: 25.03.2010

SPP, Lösungen im Team

Page 1/24

Project: How to Build a simple App for Splunk
Project Leader: Alexander Sznyi
Responsible: Alexander Sznyi
Created: 25.03.2010
Last Change:
Revision:
Reference:

Change log
No. | Date | Version | Author | Comment
1 | 25.03.2010 | 1.0 | Sznyi | Create Document

Table of Contents
1 Create a new APP (Sample Snort App) ... 4
2 Create an Index for your App (Sample Snort App) ... 5
3 Install Snort on your System ... 7
4 Create a Data Input for your App (Sample Snort App) ... 7
5 Test your new APP with a search (Sample Snort App) ... 8
6 Create 3 new important Fields for your App (Sample Snort App) ... 9
7 Create 3 new searches for your new App ... 14
8 Generate a Dashboard for your new APP ... 20
   Launch your new App and press the button Actions and select Create new dashboard... ... 20


1 Create a new APP (Sample Snort App)

- Login to Splunk
- Go to Manager -> Apps
- Click the button Create app
- Fill in (see picture)
- When you are finished, press the Save button


2 Create an Index for your App (Sample Snort App)

- Launch your new APP
- Go from your App directly to Manager -> Indexes (this is important, so that your new index is associated with your App)
- Click the button New
- Fill in (see picture)
- When you are finished, press the Save button
- Restart Splunk (Manager -> Server controls -> Restart Splunk)


3 Install Snort on your System

- In my example: apt-get install snort (Ubuntu installation)

4 Create a Data Input for your App (Sample Snort App)

- Launch your new APP
- Go from your App directly to Manager -> Data inputs (this is important, so that your new index is associated with your App)
- In my example, choose Files & Directories
- Click the button New
- Fill in (see picture) and then go to your new APP


5 Test your new APP with a search (Sample Snort App)

- Type in the search window: index=snort * and then press Enter


6 Create 3 new important Fields for your App (Sample Snort App)

- Go to your new App
- Type in the search window: index=snort * and then press Enter
- Press the button to the right of your messages (see picture)
- Choose Extract Fields (a new window appears)


Now you are in the Interactive Field Extractor window.

First we want to extract the following field (marked in yellow):

[**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**]
[Classification: Attempted Denial of Service] [Priority: 2]
03/25-10:11:13.949172 10.1.1.67:56206 -> 10.1.1.172:8000
TCP TTL:128 TOS:0x0 ID:4168 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x79E273B3 Ack: 0x29A5CE25 Win: 0x4029 TcpLen: 20


First, copy and paste all messages (the yellow-marked text) into the Example values box and click Generate (see picture).

Now a regex has been generated for your field: (?im)^(?:[^ ]* ){2}(?P<FIELDNAME>.*?)\s+\[ , but you can see in the picture that this regex also matches other text in your log.


So the correct regex for your field is (?im)^[^ ]* \[\d+:\d+:\d+]\s+(?P<FIELDNAME>.*?)\s+\[ ; you can now see in the picture that only your messages are marked.


Save your new field: press the Save button and save the field as snort_message (see picture).

Repeat these steps for the following new fields:

- snort_classification
  [**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**]
  [Classification: Attempted Denial of Service] [Priority: 2]
  03/25-10:11:13.949172 10.1.1.67:56206 -> 10.1.1.172:8000
  TCP TTL:128 TOS:0x0 ID:4168 IpLen:20 DgmLen:40 DF
  ***A**** Seq: 0x79E273B3 Ack: 0x29A5CE25 Win: 0x4029 TcpLen: 20
  Regex = (?i)\[Classification: (?P<FIELDNAME>[^\]]*)(?=\])

- snort_priority
  [**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**]
  [Classification: Attempted Denial of Service] [Priority: 2]
  03/25-10:11:13.949172 10.1.1.67:56206 -> 10.1.1.172:8000
  TCP TTL:128 TOS:0x0 ID:4168 IpLen:20 DgmLen:40 DF
  ***A**** Seq: 0x79E273B3 Ack: 0x29A5CE25 Win: 0x4029 TcpLen: 20
  Regex = (?i)\[Priority:\s+(?P<FIELDNAME>[^\]]*)(?=\])


7 Create 3 new searches for your new App

- The first search is index="snort" snort_message="*" snort_classification="*" snort_priority="*" src_ip="*" src_port="*" dest_ip="*" dest_port="*" (see picture)


- Save the search: go to the Actions button and press Save search... (see picture)


- A new window appears; name the search Snort Alerts Last 4 Hours (see picture) and save it.


- The second search is a report; the search is index="snort" snort_priority="*" snort_message="*" snort_classification="*" . Go to the left side of the window and, in the field list, press the button to the right of snort_message (see picture).


- Now choose Report on: top values overall
- Give your chart the title: Snort Top messages overall
- Press the Save button and choose Save Report...
- Name the saved report Snort Top messages overall and save it.


- The third search is also a report; the search is index="snort" snort_priority="*" snort_message="*" snort_classification="*" . Go to the left side of the window and, in the field list, press the button to the right of snort_priority, choose top values by time, and save your report as Snort Prioritys in the last 24 Hours (see the picture for how it looks).
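As an added example that is not part of the original document, the following Python script applies the three field extractions from section 6 and then emulates the searches and reports from section 7 over a constructed Snort log. It reproduces the point of section 6 on the document's own alert: the regex that the Interactive Field Extractor generated captures a second, wrong value from the Classification line, while the corrected regex captures only the message. FIELDNAME is replaced by the name each field is saved under. The extraction for src_ip, src_port, dest_ip and dest_port is an assumption made here (the document's searches use these fields but give no regex for them), and the second and third alerts in the sample log are constructed so that the "top values" report has something to rank.

```python
import re
from collections import Counter

# Constructed sample log in Snort's full alert format: the alert quoted in the
# document (twice, as a flood repeats it) plus one alert invented here.
SAMPLE_LOG = """\
[**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**]
[Classification: Attempted Denial of Service] [Priority: 2]
03/25-10:11:13.949172 10.1.1.67:56206 -> 10.1.1.172:8000
TCP TTL:128 TOS:0x0 ID:4168 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x79E273B3 Ack: 0x29A5CE25 Win: 0x4029 TcpLen: 20

[**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**]
[Classification: Attempted Denial of Service] [Priority: 2]
03/25-10:11:14.102311 10.1.1.67:56207 -> 10.1.1.172:8000
TCP TTL:128 TOS:0x0 ID:4169 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x79E27400 Ack: 0x29A5CE25 Win: 0x4029 TcpLen: 20

[**] [1:999999:1] CONSTRUCTED test alert [**]
[Classification: Misc activity] [Priority: 3]
03/25-10:15:02.000000 10.1.1.80:44021 -> 10.1.1.172:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x1 Ack: 0x2 Win: 0x10 TcpLen: 20
"""

# The single alert shown in the document (first block of the sample log).
PAGE_ALERT = SAMPLE_LOG.split("\n\n")[0]

# Regex the Interactive Field Extractor generated from the example values. It only
# anchors on "two space-separated tokens", so it also fires on the Classification line.
GENERATED_MESSAGE_REGEX = r"(?im)^(?:[^ ]* ){2}(?P<snort_message>.*?)\s+\["

# The three corrected extractions from the document, FIELDNAME replaced by the
# Splunk field name, plus one assumed extraction for the endpoint fields.
FIELD_REGEXES = {
    "snort_message": r"(?im)^[^ ]* \[\d+:\d+:\d+]\s+(?P<snort_message>.*?)\s+\[",
    "snort_classification": r"(?i)\[Classification: (?P<snort_classification>[^\]]*)(?=\])",
    "snort_priority": r"(?i)\[Priority:\s+(?P<snort_priority>[^\]]*)(?=\])",
    # Assumed here, not from the document: parses the "src:port -> dst:port" line.
    "endpoints": (r"(?m)^\S+ (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+)"
                  r" -> (?P<dest_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dest_port>\d+)$"),
}


def message_candidates(pattern, alert):
    """Every value a snort_message regex would capture from one alert block."""
    return [m.group("snort_message") for m in re.finditer(pattern, alert)]


def split_alerts(log):
    """Full-format Snort alerts are blank-line separated blocks."""
    return [block for block in re.split(r"\n\s*\n", log.strip()) if block.strip()]


def extract_fields(alert):
    """Apply each extraction once per alert, as Splunk applies a saved extraction
    to one event; missing fields are simply absent from the result."""
    fields = {}
    for pattern in FIELD_REGEXES.values():
        match = re.search(pattern, alert)
        if match:
            fields.update(match.groupdict())
    return fields


def parse_log(log):
    return [extract_fields(alert) for alert in split_alerts(log)]


REQUIRED = ("snort_message", "snort_classification", "snort_priority",
            "src_ip", "src_port", "dest_ip", "dest_port")


def alerts_search(events, required=REQUIRED):
    """Equivalent of the first saved search: field="*" keeps only events where
    the field was extracted with a non-empty value."""
    return [e for e in events if all(e.get(name) for name in required)]


def top_values(events, field):
    """Equivalent of the 'Report on: top values overall' report for one field."""
    return Counter(e[field] for e in events if field in e).most_common()


if __name__ == "__main__":
    print("generated regex:", message_candidates(GENERATED_MESSAGE_REGEX, PAGE_ALERT))
    print("corrected regex:", message_candidates(FIELD_REGEXES["snort_message"], PAGE_ALERT))
    events = parse_log(SAMPLE_LOG)
    for event in alerts_search(events):
        print(event)
    print(top_values(events, "snort_message"))
    print(top_values(events, "snort_priority"))
```

Running the script prints the two captures of the generated regex (the message and the stray "Denial of Service]"), the single capture of the corrected one, then the parsed events and the two top-value reports. Extractions are applied per alert block with re.search rather than over the whole file, which is the same boundary Splunk gives an extraction when the input is line-broken into one event per alert.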


8 Generate a Dashboard for your new APP

- Launch your new App, press the Actions button and select Create new dashboard...
- Name the dashboard SNORT (see picture) and press Create


- Now press Edit the dashboard


- Build your first panel, name it Snort Prioritys in the last 24 Hours (see picture) and press Add panel
- Add the next panel, Snort Top messages overall (see picture).


- Add the last panel, Snort Alerts Last 4 Hours (see picture), and close.


- Now you see your new dashboard (see picture)

LAST POINT: do not forget to give other people access to your new App and its index, searches, reports and dashboards.
