clong / DetectionLab

Automate the creation of a lab environment complete with security tooling and logging best practices
MIT License

Logger Indexes problem with ThreatHunting App/Fix #223

Closed jsecurity101 closed 5 years ago

jsecurity101 commented 5 years ago

Issue: Olaf's Threat Hunting App doesn't collect any data upon initial build. Macros.conf & Indexes.conf are inconsistent with what https://github.com/clong/DetectionLab/tree/master/Vagrant/resources/splunk_server has on it. It is not pulling from this on the initial build.

Fix:

Data will flow after this. Again, thank you for all the help/work you constantly put in this. It is much appreciated!

clong commented 5 years ago

Hey @jsecurity101 - thanks for the report! Can you specify in a bit more detail which parts are inaccurate? I took a (albeit very quick) stab at updating the macros.conf when I first added the app, but I don't think I've looked at the indexes.conf.

The macros.conf gets copied over to Splunk here: https://github.com/clong/DetectionLab/blob/master/Vagrant/bootstrap.sh#L90

Are the values inside of the macros.conf inaccurate or maybe I'm putting it in the wrong spot?

jsecurity101 commented 5 years ago

Hey @clong, your macros.conf from your GitHub is correct. Although in the logger they weren't being pulled down locally. If you look in /opt/splunk/etc/apps/ThreatHunting/default, the macros.conf in there is different than on your GitHub, in the resources/splunk_server.

The indexes.conf might work, I just used Olaf's when fixing the app, but if you would like me to test with your indexes.conf I can do that for you not a problem!

clong commented 5 years ago

@jsecurity101 Ah, so in Splunk the /local directory overrides what's in default. You're actually not supposed to overwrite files in /default:

Important: Never change, copy, or move the configuration files that are in the default directory. Default files must remain intact and in their original location. To change settings for a particular configuration file, you must first create a new version of the file in a non-default directory and then add the settings that you want to change. When you first create this new version of the file, start with an empty file. Do not start from a copy of the file in the default directory. For information on the directories where you can manually change configuration files, see Configuration file directories.

https://docs.splunk.com/Documentation/Splunk/7.2.4/Admin/Aboutconfigurationfiles

As for the indexes.conf, let me take a closer look at that and see if it needs fixing (and it looks like it does).

jsecurity101 commented 5 years ago

@clong FYI this was what my Splunk TH App Dashboard was showing after a clean build: [image]

This MAY or MAY NOT be related to this error, that I was seeing when I was building the logger: [image]

However, after fixing the macros.conf / indexes.conf I am now getting data: [image]

I hope this helps, thank you so much.

clong commented 5 years ago

Got it! Did you make any changes to macros.conf or did you just put it in the default directory? If you made any changes to either file, would you mind sharing them here in a comment so I can test? I'm currently looking at this now

clong commented 5 years ago

Oh man, I see the problem. There is no "local" directory in the app (maybe it disappeared after the upgrade?) and the macros.conf is getting saved as a file named local. That's not gonna work! Testing a fix now.
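The failure mode described in the two comments above (copying macros.conf to `<app>/local` when no `local/` directory exists produces a regular file named `local`, which Splunk never reads, while a real `local/macros.conf` overrides `default/`) can be reproduced outside Splunk. The script below is an added illustration, not DetectionLab's bootstrap.sh or Olaf's app; every path is a constructed temporary directory, the macros.conf contents are constructed samples, and `effective_value` is a deliberately minimal model of Splunk's local-over-default layering for a single key, not Splunk's real merge logic.

```shell
#!/bin/sh
# Added example: contrasts the broken copy with the mkdir -p fix and shows
# why only the fixed layout actually overrides default/.

# Constructed stand-in for resources/splunk_server/macros.conf (assumption).
SRC_MACROS="$(mktemp)"
printf '[indextime]\ndefinition = index=sysmon\n' > "$SRC_MACROS"

# make_app <parent>: build a throwaway app dir with only default/macros.conf,
# mimicking a fresh ThreatHunting install. Prints the app path.
make_app() {
    app="$1/ThreatHunting"
    mkdir -p "$app/default"
    printf '[indextime]\ndefinition = index=main\n' > "$app/default/macros.conf"
    echo "$app"
}

# broken_copy <app>: what happens when local/ does not exist. cp happily
# creates a *file* called local, so Splunk never sees the new macro.
broken_copy() {
    cp "$SRC_MACROS" "$1/local"
    if [ -f "$1/local" ] && [ ! -d "$1/local" ]; then
        echo "file-named-local"
    fi
}

# fixed_copy <app>: create local/ first, then drop macros.conf inside it.
# default/ is left untouched, as the Splunk docs quoted above require.
fixed_copy() {
    mkdir -p "$1/local"
    cp "$SRC_MACROS" "$1/local/macros.conf"
    [ -f "$1/local/macros.conf" ] && echo "local/macros.conf"
}

# effective_value <app> <conf file> <key>: toy model of Splunk precedence,
# local/ is consulted before default/ and the first hit wins.
effective_value() {
    for layer in local default; do
        f="$1/$layer/$2"
        if [ -f "$f" ]; then
            v=$(sed -n "s/^$3 *= *//p" "$f" | head -n 1)
            if [ -n "$v" ]; then
                echo "$v"
                return 0
            fi
        fi
    done
    return 1
}

# Stand-alone demo on two temporary app directories.
A="$(make_app "$(mktemp -d)")"
B="$(make_app "$(mktemp -d)")"
echo "broken: $(broken_copy "$A") -> definition=$(effective_value "$A" macros.conf definition)"
echo "fixed:  $(fixed_copy "$B") -> definition=$(effective_value "$B" macros.conf definition)"
```

Running it prints `broken: file-named-local -> definition=index=main` followed by `fixed: local/macros.conf -> definition=index=sysmon`: the broken copy leaves the default macro in force, which matches an empty dashboard after a clean build, while the fixed copy is the only one whose override takes effect. Note that once a stray `local` file exists, `mkdir -p "$app/local"` fails, so a repair step has to remove that file before creating the directory.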

jsecurity101 commented 5 years ago
1. Inside of the default directory, I changed the macros.conf to match this: https://github.com/clong/DetectionLab/blob/master/Vagrant/resources/splunk_server/macros.conf

2. Also inside of the default directory I changed the indexes.conf to match this: https://github.com/olafhartong/ThreatHunting/blob/master/default/indexes.conf

So, your macros.conf on GitHub IS correct; the only problem is that when the logger is done being built, the macros.conf file on the logger does not match the macros.conf from the GitHub (again, which is the correct file).