rabbitstack / fibratus

Adversary tradecraft detection, protection, and hunting
https://www.fibratus.io

Splunk output #9

Open dpicollege opened 7 years ago

dpicollege commented 7 years ago

Description

This task should tackle the implementation of the Splunk output. Events should be shipped to the Splunk HEC (HTTP event collector). For borrowing ideas, see the reference link for the implementation of the Splunk sink in Vector.

Prior art

https://github.com/timberio/vector/blob/master/src/sinks/splunk_hec.rs

dpicollege commented 7 years ago

I am very interested in sending Fibratus output to Splunk. May I have it this week, or should I wait longer?

rabbitstack commented 7 years ago

My plate is pretty full this month and I have no experience with Splunk's API. Can you take a look at the documentation to help me figure out which endpoints should be used to send the data?

dpicollege commented 7 years ago

Yes, sure. But from my experience I suggest saving the data to disk, so that anyone can send the data to any SIEM: they can read the data and forward it to their environment. The file format can be txt or csv, and it's also better to have a structure, for example like this:

2016-12-12T 03:28:50.458945 registery="close.x", dest="**", transport="tcp", dest_port="", src="**", src_port="57410", file="open.x"

If it's hard, just make a module to send log data to a syslog server, like amqp and elasticsearch (both great).
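An added example in Go (the project's language) that is not Fibratus code and not the Vector sink linked in the issue. It covers both points raised in the thread: the HEC shipping the issue asks for, and the timestamp plus key="value" on-disk line suggested in the comment above. The `Event` type, the host name, the `fibratus` source label and the token are constructed assumptions; the `/services/collector/event` path, the newline-delimited JSON batch body and the `Authorization: Splunk <token>` header are the HTTP Event Collector conventions from Splunk's documentation.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"sort"
	"strings"
	"time"
)

// Event is a constructed stand-in for a Fibratus kernel event; the real
// project type is richer, this only carries what the two outputs need.
type Event struct {
	Timestamp time.Time
	Name      string
	Host      string
	Params    map[string]string
}

// hecEvent is the JSON envelope HEC accepts on /services/collector/event:
// metadata fields plus the event body itself.
type hecEvent struct {
	Time       float64                `json:"time"`
	Host       string                 `json:"host,omitempty"`
	Source     string                 `json:"source,omitempty"`
	Sourcetype string                 `json:"sourcetype,omitempty"`
	Event      map[string]interface{} `json:"event"`
}

// HECPayload encodes a batch as newline-delimited JSON objects so a whole
// batch goes to HEC in one POST instead of one request per event.
func HECPayload(events []Event) ([]byte, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf) // Encode appends the newline delimiter
	for _, e := range events {
		body := map[string]interface{}{"name": e.Name}
		for k, v := range e.Params {
			body[k] = v
		}
		he := hecEvent{
			Time:       float64(e.Timestamp.Unix()) + float64(e.Timestamp.Nanosecond())/1e9,
			Host:       e.Host,
			Source:     "fibratus", // assumed source label, not a project value
			Sourcetype: "_json",
			Event:      body,
		}
		if err := enc.Encode(he); err != nil {
			return nil, err
		}
	}
	return buf.Bytes(), nil
}

// ShipToHEC POSTs the batch with the "Splunk <token>" authorization scheme
// HEC uses and treats any non-2xx reply as a delivery failure.
func ShipToHEC(client *http.Client, url, token string, events []Event) error {
	payload, err := HECPayload(events)
	if err != nil {
		return err
	}
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(payload))
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Splunk "+token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		b, _ := io.ReadAll(resp.Body)
		return fmt.Errorf("HEC returned %d: %s", resp.StatusCode, strings.TrimSpace(string(b)))
	}
	return nil
}

// KVLine renders one event as an RFC 3339 timestamp plus key="value" pairs,
// the on-disk layout proposed in the thread. Keys are sorted so lines are
// stable, and %q escapes quotes and backslashes so a Windows path or an
// embedded quote still parses as a single field downstream.
func KVLine(e Event) string {
	keys := make([]string, 0, len(e.Params))
	for k := range e.Params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var sb strings.Builder
	sb.WriteString(e.Timestamp.UTC().Format(time.RFC3339Nano))
	fmt.Fprintf(&sb, " event=%q", e.Name)
	for _, k := range keys {
		fmt.Fprintf(&sb, " %s=%q", k, e.Params[k])
	}
	return sb.String()
}

func main() {
	ev := Event{ // constructed sample event
		Timestamp: time.Date(2016, 12, 12, 3, 28, 50, 458945000, time.UTC),
		Name:      "CreateFile",
		Host:      "ws01",
		Params:    map[string]string{"file": `C:\open.x`, "pid": "4"},
	}
	fmt.Println(KVLine(ev))
	payload, _ := HECPayload([]Event{ev})
	fmt.Print(string(payload))
}
```

In a real output module the token would come from configuration rather than a literal, the HTTP client would carry a timeout and TLS settings for the HEC endpoint, and a non-2xx reply would feed a bounded retry with backoff so that a collector outage does not drop events silently.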