juju4
commented
1 year ago -
terraform/network rules 172.16.22.130 to 172.16.22.10:9200 = just extend existing rule tcp/9200 to 9200-9210 (created 9201 just before KC to "load balance")
-
add cribl elastic source "in_elastic9210" on port 9210
-
add cribl route_passthru to router:MultiSIEMOutputs with pre-existing passthru pipeline
-
add splunk index (Settings: Indexes), splunk hec + token (Settings: Data inputs: HTTP Event Collector) (manually started splunk for some reason)
-
add cribl destination splunk hec with above token
-
velociraptor to cribl/elastic source to splunk
- Elastic.Flows.Upload to 172.16.22.10:9210 (cribl) - Done
- or Elastic.Events.Clients during artefact collection
- as backup/comparison also configured Server.Utils.BackupDirectory
sudo install -d -m 0755 /var/cache/velociraptor_forensics_backup
-
Test hunt to validate if traffic
References https://docs.velociraptor.app/artifact_references/pages/elastic.flows.upload/ https://docs.velociraptor.app/blog/2019/2019-12-08-velociraptor-to-elasticsearch-3a9fc02c6568/ https://docs.velociraptor.app/vql_reference/server/elastic_upload/ https://github.com/Velocidex/velociraptor/blob/master/vql/server/elastic.go
Note that there is a direct https://docs.velociraptor.app/artifact_references/pages/splunk.flows.upload/
Per May 11th meeting, get velociraptor output to splunk and other logging via cribl