pwnlandia / mhn-splunk

Modern Honey Network App for Splunk
GNU Lesser General Public License v2.1

Setup source localization #2

Open kuse69 opened 8 years ago

kuse69 commented 8 years ago

Hello masters, where should I set up my remote MHN IP and port to be read by this app? Or do I need to configure it in MHN's own directory, in /opt/hpfeeds-logger/splunk.json?

Thanks!

jatrost commented 8 years ago

Most MHN installs will install splunk on the same box as MHN unless they already have splunk deployed somewhere else. If you have splunk deployed somewhere else, then use the IP/port of that system. Otherwise use localhost and 9997.


Jason Trost | VP of Threat Research | www.anomali.com 2317 Broadway, 3rd Floor| Redwood City, CA 94063 Phone: 386.235.0078 | Twitter: @jason_trost

kuse69 commented 8 years ago

Thank you Mr Trost. I configured a new Splunk receiver for data over port 9997 and, on the remote MHN machine, I have modified the file /opt/hpfeeds-logger/splunk.json with the Splunk IP address and port 9997. Even so, the MHN app is still reading data from 127.0.0.1. Where should I make the changes?

jatrost commented 8 years ago

So you configured the splunk universal forwarder to forward to 127.0.0.1 9997? And splunk is listening for this? This is something you need to enable in Splunk.


kuse69 commented 8 years ago

Yes (at least I think so). In the attached image, on the right side is the Splunk server configuration and the opened port (9997); on the left side is my remote MHN server. Nevertheless, I am still not receiving any data.

[image: splunkconf] https://cloud.githubusercontent.com/assets/19527173/15566310/7124b1ec-2320-11e6-910e-f4fac14b9318.jpg

jatrost commented 8 years ago

splunk.json is used to configure a process that connects to your hpfeed broker and then logs to a file locally. The host and port in this file should likely be localhost 10000.

We use the splunk universal forwarder to consume the local file mhn-splunk.log and then send the data to splunk. Make sure this has been configured. Here are the commands that need to be run if you don't have this set up already. SPLUNK_PORT is 9997.

```sh
cd /opt/mhn/scripts/
sudo ./install_splunk_universalforwarder.sh
```

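The two-hop path described above (hpfeeds-logger writes a local file from the broker on localhost:10000; the universal forwarder tails that file and ships it to Splunk on 9997) is configured in different files, which is exactly what gets mixed up in this thread. The following checker is an added example, not code from mhn-splunk or its author: it reads the three configuration texts and reports where the chain is inconsistent. The `log_file` key in splunk.json and all sample values (192.0.2.10, the `[tcpout:default]` group) are assumptions.

```python
"""Added sanity check for the MHN -> Splunk path in this thread: hpfeeds-logger (splunk.json)
talks to the LOCAL hpfeeds broker and writes a log file; the Splunk Universal Forwarder
(inputs.conf / outputs.conf) tails that file and ships it to the Splunk indexer."""
import configparser
import json

EXPECTED_LOG = "/var/log/mhn/mhn-splunk.log"   # file hpfeeds-logger writes (from the thread)
BROKER_PORT = 10000                            # hpfeeds broker port (from the thread)
SPLUNK_PORT = 9997                             # Splunk receiving port (from the thread)
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def check_chain(splunk_json, outputs_conf, inputs_conf, splunk_is_remote=True):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    # Hop 1: splunk.json must point at the broker on the MHN box, not at Splunk itself.
    cfg = json.loads(splunk_json)
    host, port = str(cfg.get("host", "")), int(cfg.get("port", 0))
    if host not in LOCAL_HOSTS or port != BROKER_PORT:
        findings.append(f"splunk.json points at {host}:{port}; hpfeeds broker expected at localhost:{BROKER_PORT}")
    log_file = cfg.get("log_file", EXPECTED_LOG)  # key name is an assumption
    # Hop 2a: the forwarder must monitor the file hpfeeds-logger writes.
    inputs = configparser.ConfigParser(interpolation=None)
    inputs.read_string(inputs_conf)
    monitored = [s[len("monitor://"):] for s in inputs.sections() if s.startswith("monitor://")]
    if log_file not in monitored:
        findings.append(f"inputs.conf does not monitor {log_file}")
    # Hop 2b: the forwarder must send to the Splunk indexer on its receiving port.
    outputs = configparser.ConfigParser(interpolation=None)
    outputs.read_string(outputs_conf)
    servers = [outputs[s]["server"] for s in outputs.sections()
               if s.startswith("tcpout:") and "server" in outputs[s]]
    if not servers:
        findings.append("outputs.conf has no [tcpout:<group>] stanza with a server entry")
    for server in servers:
        shost, _, sport = server.rpartition(":")
        if sport != str(SPLUNK_PORT):
            findings.append(f"forwarder target {server} is not on port {SPLUNK_PORT}")
        if splunk_is_remote and shost in LOCAL_HOSTS:
            findings.append(f"forwarder target {server} is the MHN box itself, not the remote Splunk")
    return findings


# Constructed samples: first the mix-up from this thread, then the intended layout.
WRONG_JSON = '{"host": "192.0.2.10", "port": 9997, "log_file": "/var/log/mhn/mhn-splunk.log"}'
WRONG_OUTPUTS = "[tcpout:default]\nserver = 127.0.0.1:9997\n"
RIGHT_JSON = '{"host": "localhost", "port": 10000, "log_file": "/var/log/mhn/mhn-splunk.log"}'
RIGHT_OUTPUTS = "[tcpout:default]\nserver = 192.0.2.10:9997\n"
INPUTS = "[monitor:///var/log/mhn/mhn-splunk.log]\nsourcetype = mhn-splunk\n"
```

Running `check_chain(WRONG_JSON, WRONG_OUTPUTS, INPUTS)` reproduces the two findings from this thread (splunk.json aimed at Splunk instead of the broker, forwarder aimed at 127.0.0.1), while the RIGHT_* samples yield no findings.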

Zynthesist commented 7 years ago

I am having a similar issue. I have my MHN server set up on one machine and Splunk on another. I have added the IP of the machine which is running Splunk and the port 9997, which I enabled in Splunk as well, and I am not getting any data sent to Splunk.

```sh
cd /opt/mhn/scripts/
sudo ./install_splunk_universalforwarder.sh 1.2.3.4 9997
```

I do see that the MHN server has Splunk running; I think it is trying to use the Splunk within the MHN server, which I do not want. I want to use Splunk on another box and have MHN send data there.

Also checked /var/log/mhn/mhn-splunk.log and it is capturing the events from hpfeeds.

Any help you can provide is greatly appreciated.

Thanks for all your great work with this project!