How to Build a Simple App for Splunk

SPP, Lsungen im Team Seite 1/24

How to Build a simple App for Splunk

Version: 1.2 Date: 25.03.2010


Project How to Build a simple App for Splunk

Project Leader Alexander Sznyi

Responsible Alexander Sznyi

Created 25.03.2010

Last Change

Revision

Reference

Change log

No. Date Version Author Comment

1 25.03.2010 1.0 Sznyi Create Document


Table of Contents 1 Create a new APP (Sample Snort App) ...................................................................................................................................... 4 2 Create a Index for your App (Sample Snort App) .................................................................................................................. 5 3 Install Snort on your System ......................................................................................................................................................... 7 4 Create a Data Input for your App (Sample Snort App) ........................................................................................................ 7 5 Test your new APP with a search (Sample Snort App) ........................................................................................................ 8 6 Create 3 new important Fields for your App (Sample Snort App) ................................................................................... 9 7 Create 3 new searches for your new App ............................................................................................................................. 14 8 Generate a Dashboard for your new APP ............................................................................................................................. 20

- Launch to your new App and press the button Actions and select Create new dashboard... ....... 20


1 Create a new APP (Sample Snort App)

- Login to Splunk

- Go to the Manager -> Apps

- Click the button Create app

- Fill in (see Picture)

- If you are finished press the Save Button


2 Create a Index for your App (Sample Snort App)

- Launch to your new APP -

- go from your App direct to the Manager-> Indexes (this is important!!! , that your new index will match with your App)


- Click the button New

- Fill in (see Picture)

- If you are finished press the Save Button - Reboot Splunk (Manager->Server controls>Restart Splunk)


3 Install Snort on your System - In my example apt-get install snort (Ubuntu installation)

4 Create a Data Input for your App (Sample Snort App) - Launch to your new APP - go from your App direct to the Manager-> Data inputs (this is important!!! , that your new index will

match with your App) - in my example choose Files & Directories - Click the button New

- Fill in (see Picture) and then go to your new APP


5 Test your new APP with a search (Sample Snort App) - Tip in in the search windows

index=snort * then press Enter


6 Create 3 new important Fields for your App (Sample Snort App) - Go to your new App - Tip in in the search windows- index=snort * then press Enter

- Press the Button right from your messages (see Picture)

- Chose Extract Fields (a new windows appears)


- Now you are in the Interactive Field Extractor Window

- First we want to extract following field (marked in yellow)

- [**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**] [Classification: Attempted Denial of Service] [Priority: 2] 03/25-10:11:13.949172 10.1.1.67:56206 -> 10.1.1.172:8000 TCP TTL:128 TOS:0x0 ID:4168 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x79E273B3 Ack: 0x29A5CE25 Win: 0x4029 TcpLen: 20


- First you copy and paste all messages (see yellow marked) into the Example values Box and click

Generate (see Picture)

- Know you have generate a regex for your Field (?im)^(?:[^ ]* ){2}(?P.*?)\s+\[ , but you can see in the picture that this regex also match to other text in your log.


- So the correct regex is for your Field is (?im)^[^ ]* \[\d+:\d+:\d+]\s+(?P.*?)\s+\[, you can know see in the picture that only your messages are marked.


- Save your new Field, press the Save Button and save the Filed as snort_message (see picture).

- Repeat this steps with the following new Fields,

o snort_classification

[**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**] [Classification: Attempted Denial of Service] [Priority: 2] 03/25-10:11:13.949172 10.1.1.67:56206 -> 10.1.1.172:8000 TCP TTL:128 TOS:0x0 ID:4168 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x79E273B3 Ack: 0x29A5CE25 Win: 0x4029 TcpLen: 20

Regex = (?i)\[Classification: (?P[^\]]*)(?=\])

o snort_priority

[**] [1:100000160:2] COMMUNITY SIP TCP/IP message flooding directed to SIP proxy [**] [Classification: Attempted Denial of Service] [Priority: 2] 03/25-10:11:13.949172 10.1.1.67:56206 -> 10.1.1.172:8000 TCP TTL:128 TOS:0x0 ID:4168 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x79E273B3 Ack: 0x29A5CE25 Win: 0x4029 TcpLen: 20

Regex = (?i)\[Priority:\s+(?P[^\]]*)(?=\])


7 Create 3 new searches for your new App - First search is index="snort" snort_message="*" snort_classification="*" snort_priority="*"

src_ip="*" src_port="*" dest_ip="*" dest_port="*" (see Picture)


- Save the search, go to the Actions button and press save search... (see Picture)


- A new windows appears, name the search Snort Alerts Last 4 Hours (see Picture) and Save it.


- Secound search is a report, the search is index="snort" snort_priority="*" snort_message="*" snort_classification="*" . Go to the left sight from the windows and press by the fields the right from snort_messages the button. (see picture)


- Know choose Report on : top values overall - Call your Chart Title: Snort Top messages overall

- Press the button Save and chose Save Report...

- Name the Save Report Snort Top messages overall and save it.


- Third search is also a report, the search is index="snort" snort_priority="*" snort_message="*" snort_classification="*" . Go to the left sight from the windows and press by the fields the right from snort_priority the button and chose top values by time save your report as Snort Prioritys in the last 24 Hours (see the picture how its looks like)


8 Generate a Dashboard for your new APP

- Launch to your new App and press the button Actions and select Create new dashboard...

- Name the dashboard SNORT (see picture) and press Create


- Know press Edit the dashboard


- Build your first panel and name it Snort Prioritys in the last 24 Hours (see Picture) and press Add panel

- Add the next panel Snort Top messages overall (see Picture).


- Add the next last panel Snort Alerts Last 4 Hours (see Picture) and close.


- Know you see your new dashboard (see picture)

LAST POINT, to not forget to give other people access to your new App and index, searches, reports and dashboards.

How to Build a Simple App for Splunk

Documents