SPP, Lösungen im Team, page 1/24

How to Build a simple App for Splunk

Version: 1.2 Date: 25.03.2010

Project: How to Build a simple App for Splunk
Project leader: Alexander Sznyi
Responsible: Alexander Sznyi
Created: 25.03.2010
Last change:
Revision:
Reference:

Change log

No.  Date        Version  Author  Comment
1    25.03.2010  1.0      Sznyi   Create document

Table of Contents

1 Create a new app (Sample Snort App), p. 4
2 Create an index for your app (Sample Snort App), p. 5
3 Install Snort on your system, p. 7
4 Create a data input for your app (Sample Snort App), p. 7
5 Test your new app with a search (Sample Snort App), p. 8
6 Create 3 new important fields for your app (Sample Snort App), p. 9
7 Create 3 new searches for your new app, p. 14
8 Generate a dashboard for your new app, p. 20

1 Create a new app (Sample Snort App)

- Log in to Splunk.
- Go to Manager -> Apps.
- Click the button Create app.
- Fill in the form (see picture).
- When you are finished, press the Save button.

2 Create an index for your app (Sample Snort App)

- Launch your new app.
- From inside the app, go directly to Manager -> Indexes. This is important: Splunk saves configuration in the context of the app you are currently in, so creating the index from inside your app puts the index stanza into your app (its local indexes.conf) and not into the Search app or another app.
- Click the button New.
- Fill in the form (see picture).
- When you are finished, press the Save button, then restart Splunk (Manager -> Server controls -> Restart Splunk) so that the new index takes effect.

3 Install Snort on your system

- In this example: apt-get install snort (Ubuntu installation).

4 Create a data input for your app (Sample Snort App)

- Launch your new app.
- From inside the app, go directly to Manager -> Data inputs. As with the index, this is important: the input is saved in the context of the app you came from, so it belongs to your app and not to the Search app.
- In this example choose Files & Directories.
- Click the button New.
- Fill in the form (see picture): point the input at the alert file Snort writes and set the destination index to the index created in section 2 (snort). Then go to your new app.

5 Test your new app with a search (Sample Snort App)

- Type index=snort * into the search bar and press Enter. Snort alerts should appear; if none do, either the index chosen for the data input does not match the index from section 2, or Snort has not written any alerts yet.

6 Create 3 new important fields for your app (Sample Snort App)

- Go to your new app.
- Type index=snort * into the search bar and press Enter.
- Press the button to the right of your messages (see picture).
- Choose Extract Fields (a new window appears).

- Now you are in the Interactive Field Extractor window.
- First we want to extract the following field, the alert message (marked in yellow in the picture). The example event, shown here in Snort's own full-alert line layout:

  [**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**]
  [Classification: Attempted Denial of Service] [Priority: 2]
  03/25-10:11:13.949172 10.1.1.67:56206 -> 10.1.1.172:8000
  TCP TTL:128 TOS:0x0 ID:4168 IpLen:20 DgmLen:40 DF
  ***A**** Seq: 0x79E273B3 Ack: 0x29A5CE25 Win: 0x4029 TcpLen: 20

  The value to extract is COMMUNITY SIP TCP/IP message flooding directed to SIP proxy.

- First copy and paste all messages (the yellow-marked parts) into the Example values box and click Generate (see picture).
- Now you have generated a regex for your field, (?im)^(?:[^ ]* ){2}(?P<snort_message>.*?)\s+\[ (the named group carries the field name), but you can see in the picture that this regex also matches other text in your log. The reason is the (?m) flag: ^ then matches at the start of every line of the event, and the second line, [Classification: Attempted Denial of Service] [Priority: 2], has the same shape (two space-separated tokens, some text, whitespace, an opening bracket), so the extractor also highlights Denial of Service] there.

- So the correct regex for your field is (?im)^[^ ]* \[\d+:\d+:\d+]\s+(?P<snort_message>.*?)\s+\[. It anchors on the [gid:sid:rev] token, for example [1:100000160:2], which only the first line of an alert carries, so you can now see in the picture that only your messages are marked.

- Save your new field: press the Save button and save the field as snort_message (see picture).
- Repeat these steps for the following new fields (the example event is the same as above):

  o snort_classification
    Value to extract from the example event: Attempted Denial of Service
    Regex = (?i)\[Classification: (?P<snort_classification>[^\]]*)(?=\])

  o snort_priority
    Value to extract from the example event: 2
    Regex = (?i)\[Priority:\s+(?P<snort_priority>[^\]]*)(?=\])

7 Create 3 new searches for your new app

- The first search is

  index="snort" snort_message="*" snort_classification="*" snort_priority="*" src_ip="*" src_port="*" dest_ip="*" dest_port="*"

  (see picture). Note that field="*" only matches events in which that field exists with a value, and src_ip, src_port, dest_ip and dest_port are not among the three fields extracted in section 6; unless they are extracted as well, this search returns no events.

- Save the search: go to the Actions button and press Save search... (see picture).
- A new window appears; name the search Snort Alerts Last 4 Hours (see picture) and save it. Set the time range to the last 4 hours before saving, so that the saved search matches its name.

- The second search is a report. The search is index="snort" snort_priority="*" snort_message="*" snort_classification="*". Go to the left side of the window and, in the field list, press the button to the right of snort_message (see picture).

- Now choose Report on: top values overall, and set the chart title to Snort Top messages overall.
- Press the Save button and choose Save report...
- Name the saved report Snort Top messages overall and save it.

- The third search is also a report. The search is index="snort" snort_priority="*" snort_message="*" snort_classification="*". Go to the left side of the window, press the button to the right of snort_priority in the field list, choose top values by time, and save the report as Snort Prioritys in the last 24 Hours (the picture shows how it looks).
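The field extractions of section 6 and the search semantics of section 7, as an added example that is not part of the original document and not Splunk's own code. It runs the document's three regexes (the named groups carry the field names the document assigns) against the document's SIP alert, re-broken into Snort's full-alert line layout, and against two further alerts constructed here. The generated regex, the corrected regex and the classification and priority regexes are the document's; the endpoint regex for src_ip, src_port, dest_ip and dest_port, the sample events other than the SIP alert, and all function names are my own assumptions. It shows why the generated message regex over-matches, that the corrected one matches once per alert, and how a field="*" filter in the section-7 search silently drops events in which a field was not extracted.

```python
"""Snort full-alert field extraction, mirroring the Splunk app's three fields.

Added example, not code from the document or from Splunk. The sample events
are constructed here (the first one is the document's own alert).
"""
import re
from collections import Counter

# Regex the Interactive Field Extractor generated first (document, section 6).
# With (?m) the ^ anchor matches at the start of every line of an event.
GENERATED_MESSAGE_RE = re.compile(r"(?im)^(?:[^ ]* ){2}(?P<snort_message>.*?)\s+\[")

# Corrected regex from the document: anchored on the [gid:sid:rev] token,
# which only the first line of an alert carries.
MESSAGE_RE = re.compile(r"(?im)^[^ ]* \[\d+:\d+:\d+]\s+(?P<snort_message>.*?)\s+\[")
CLASSIFICATION_RE = re.compile(r"(?i)\[Classification: (?P<snort_classification>[^\]]*)(?=\])")
PRIORITY_RE = re.compile(r"(?i)\[Priority:\s+(?P<snort_priority>[^\]]*)(?=\])")

# Assumption, not in the document: the section-7 search also filters on
# src_ip, src_port, dest_ip and dest_port, which the document never extracts.
# Ports are optional because ICMP alerts carry none.
ENDPOINT_RE = re.compile(
    r"(?m)^(?P<timestamp>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<src_port>\d+))?\s+->\s+"
    r"(?P<dest_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dest_port>\d+))?\s*$"
)
FIELD_PATTERNS = (MESSAGE_RE, CLASSIFICATION_RE, PRIORITY_RE, ENDPOINT_RE)

# Fields the first section-7 search requires with field="*".
SECTION7_FIELDS = ("snort_message", "snort_classification", "snort_priority",
                   "src_ip", "src_port", "dest_ip", "dest_port")

# Constructed sample: the document's SIP alert in Snort's full-alert line layout,
# plus two alerts of my own (an ICMP alert without ports and a local rule
# without a classtype) to exercise the edge cases.
SAMPLE_LOG = """\
[**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**]
[Classification: Attempted Denial of Service] [Priority: 2]
03/25-10:11:13.949172 10.1.1.67:56206 -> 10.1.1.172:8000
TCP TTL:128 TOS:0x0 ID:4168 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x79E273B3  Ack: 0x29A5CE25  Win: 0x4029  TcpLen: 20

[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
03/25-10:12:01.000113 10.1.1.67 -> 10.1.1.172
ICMP TTL:128 TOS:0x0 ID:4169 IpLen:20 DgmLen:60
Type:8  Code:0  ID:512   Seq:256  ECHO

[**] [1:1000001:1] LOCAL test rule without classtype [**]
[Priority: 0]
03/25-10:13:45.500000 10.1.1.200:4444 -> 10.1.1.172:22
TCP TTL:64 TOS:0x0 ID:7 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
"""


def split_events(text):
    """Split a full-alert file into events; Snort separates alerts with a blank line."""
    return [e.strip() for e in re.split(r"\n\s*\n", text.strip()) if e.strip()]


def message_matches(pattern, event):
    """Every value a message regex would extract from one event.

    Splunk keeps the first match as the field value, but the Interactive
    Field Extractor highlights all of them, which is how the document's
    over-matching shows up."""
    return [m.group("snort_message") for m in pattern.finditer(event)]


def extract_fields(event):
    """Extract the Splunk fields from one event; fields that do not match stay absent."""
    fields = {}
    for pattern in FIELD_PATTERNS:
        m = pattern.search(event)
        if m:
            fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields


def search(events, required_fields):
    """Model of the section-7 search: field="*" keeps only events in which the
    field exists with a non-empty value, so a missing extraction silently drops
    events instead of raising an error."""
    return [f for f in map(extract_fields, events)
            if all(f.get(name) for name in required_fields)]


def top_values(results, field):
    """The 'top values overall' report of section 7: (value, count) pairs."""
    return Counter(r[field] for r in results if field in r).most_common()


if __name__ == "__main__":
    events = split_events(SAMPLE_LOG)
    print("generated regex:", message_matches(GENERATED_MESSAGE_RE, events[0]))
    print("corrected regex:", message_matches(MESSAGE_RE, events[0]))
    print("section-7 search keeps", len(search(events, SECTION7_FIELDS)), "of", len(events))
    print("top messages:", top_values(search(events, ("snort_message",)), "snort_message"))
```

When a field is saved through the Interactive Field Extractor, Splunk stores the expression as an EXTRACT-<fieldname> entry in props.conf under the app's local directory, so the same expressions can be checked against a file of real alerts with this script before they go into the app.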

8 Generate a dashboard for your new app

- Launch your new app, press the Actions button and select Create new dashboard...
- Name the dashboard SNORT (see picture) and press Create.

- Now press Edit the dashboard.

- Build your first panel, name it Snort Prioritys in the last 24 Hours (see picture) and press Add panel.
- Add the next panel, Snort Top messages overall (see picture).

- Add the last panel, Snort Alerts Last 4 Hours (see picture), and close.

- Now you see your new dashboard (see picture).

LAST POINT: do not forget to give other people access to your new app and to its index, searches, reports and dashboards. Each of these objects has permissions in Manager; grant read access to the roles that need it rather than to everyone, and remember that a role must also be allowed to search the snort index before its users see any events.

