Open V1D1AN opened 6 years ago
did you configure your props.conf to match exactly the sourcetypes where MISP must match?
The CSV are automatically imported over all sourcetypes, which is fine to check this is working, but I would avoid this in production environment.
Do you see fields created starting with misp_?
Thanks!
Thanks for your response, Splunk downloads nothing... I have:
[input_misp://misp]
interval = 60
misp_url = http://192.168.56.50 (private VirtualBox address)
automation_key = JNq.....................
If I do an "ngrep" on the interface of my MISP, I see all the IOCs but nothing in "/opt/splunk/etc/apps/TA-misp-master/lookups/".
Can you share with me the logs you see in the MISP App? There is a "Log" menu.
I have nothing in the application log (Audit/Search logs).
If I search in "/var/log/apache2/misp.local_access.log", I have logs when I restart Splunk:
192.168.56.101 - - [03/Jan/2018:20:31:22 +0100] "GET /servers/getPyMISPVersion.json HTTP/1.1" 200 296 "-" "PyMISP 2.4.80.1 - Python 2.7.13"
192.168.56.101 - - [03/Jan/2018:20:31:22 +0100] "GET /attributes/describeTypes.json HTTP/1.1" 200 17365 "-" "PyMISP 2.4.80.1 - Python 2.7.13"
192.168.56.101 - - [03/Jan/2018:20:31:22 +0100] "POST /events/restSearch/download HTTP/1.1" 200 60404551 "-" "PyMISP 2.4.80.1 - Python 2.7.13"
192.168.56.50 is MISP, 192.168.56.101 is Splunk.
I am talking about the logs you can search from splunk typing:
index=_internal misp log_level=INFO component=ExecProcessor "message from"
Excuse me...
01-04-2018 13:22:36.151 +0100 INFO ExecProcessor - message from "python /opt/splunk/etc/apps/TA-misp-master/bin/input_misp.py" MISP Events created, now creating lookups
01-04-2018 13:22:36.146 +0100 INFO ExecProcessor - message from "python /opt/splunk/etc/apps/TA-misp-master/bin/input_misp.py" MISP objects collected, creating events
01-04-2018 13:22:26.084 +0100 INFO ExecProcessor - message from "python /opt/splunk/etc/apps/TA-misp-master/bin/input_misp.py" Downloading MISP objects for the first time. It will take a while.
01-04-2018 13:22:24.461 +0100 INFO ExecProcessor - message from "python /opt/splunk/etc/apps/TA-misp-master/bin/input_misp.py" Events are streamed every 142 minutes
01-04-2018 13:22:24.461 +0100 INFO ExecProcessor - message from "python /opt/splunk/etc/apps/TA-misp-master/bin/input_misp.py" Streaming events for MISP modular input
01-03-2018 20:41:25.407 +0100 INFO ExecProcessor - message from "python /opt/splunk/etc/apps/TA-misp-master/bin/input_misp.py" MISP Events created, now creating lookups
01-03-2018 20:41:25.399 +0100 INFO ExecProcessor - message from "python /opt/splunk/etc/apps/TA-misp-master/bin/input_misp.py" MISP objects collected, creating events
01-03-2018 20:40:56.136 +0100 INFO ExecProcessor - message from "python /opt/splunk/etc/apps/TA-misp-master/bin/input_misp.py" Downloading MISP objects for the first time. It will take a while.
01-03-2018 20:40:55.635 +0100 INFO ExecProcessor - message from "python /opt/splunk/etc/apps/TA-misp-master/bin/input_misp.py" Events are streamed every 142 minutes
01-03-2018 20:40:55.635 +0100 INFO ExecProcessor - message from "python /opt/splunk/etc/apps/TA-misp-master/bin/input_misp.py" Streaming events for MISP modular input
But I have nothing...
OK, I will add much more logging info to understand the problem.
I await your update... Or we could communicate in French so that it goes faster ;)
Hi seb,
I have a problem when I look in the logs:
Info.csv being bloated by "lookup" log messages . Will not log additional errors. Refer search.log
The lookup table 'AS.csv' does not exist. It is referenced by configuration '(?i)source::....zip(.\d+)?'.
The lookup table 'AS.csv' does not exist. It is referenced by configuration 'ActiveDirectory'.
The lookup table 'domain.csv' does not exist. It is referenced by configuration '(?i)source::....zip(.\d+)?'.
....
Must I import all the CSVs into /opt/splunk/etc/apps/TA-misp-master/lookups/?
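As an added example (not code from TA-misp or this thread), a small Python check that cross-references the LOOKUP- entries in a props.conf with the filenames in transforms.conf and reports which CSVs are absent from the app's lookups/ directory, which is the condition behind the "lookup table ... does not exist" warnings quoted above. The embedded sample configs are constructed, and the stanza, lookup and field names in them are assumptions, not TA-misp's actual configuration.

```python
# Added example, not part of TA-misp: list lookup CSVs that props.conf/transforms.conf
# reference but that are absent from the app's lookups/ directory, the situation behind
# Splunk's "The lookup table 'X.csv' does not exist" warnings in search.log.
import configparser

# Constructed sample configs; stanza, lookup and field names are hypothetical.
TRANSFORMS_CONF = r"""
[misp_as_lookup]
filename = AS.csv
[misp_domain_lookup]
filename = domain.csv
"""
PROPS_CONF = r"""
[(?i)source::....zip(.\d+)?]
LOOKUP-misp_as = misp_as_lookup asn AS asn OUTPUT misp_event_id
LOOKUP-misp_domain = misp_domain_lookup domain AS query OUTPUT misp_event_id
[ActiveDirectory]
LOOKUP-misp_as = misp_as_lookup asn AS asn OUTPUT misp_event_id
"""


def parse_conf(text):
    """Parse Splunk .conf text; keys stay case-sensitive so the LOOKUP- prefix survives."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def missing_lookups(props_text, transforms_text, present_files):
    """Return (props stanza, lookup name, csv filename) for every LOOKUP- reference whose
    CSV is not in present_files; filename is None if transforms.conf lacks the stanza."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    missing = []
    for stanza in props.sections():
        for key, value in props.items(stanza):
            if not key.startswith("LOOKUP-"):
                continue
            lookup_name = value.split()[0]  # first token is the transforms.conf stanza
            filename = transforms.get(lookup_name, "filename", fallback=None)
            if filename is None or filename not in present_files:
                missing.append((stanza, lookup_name, filename))
    return missing


if __name__ == "__main__":
    # Simulate a lookups/ directory in which only domain.csv has been written so far;
    # on a real install pass set(os.listdir("/opt/splunk/etc/apps/TA-misp-master/lookups")).
    for stanza, name, csv in missing_lookups(PROPS_CONF, TRANSFORMS_CONF, {"domain.csv"}):
        print(f"The lookup table '{csv}' does not exist. It is referenced by configuration '{stanza}'.")
```

Running it against the real app directory tells you, before the modular input has ever completed a download, which CSVs every props.conf stanza expects to find and therefore which warnings will keep appearing until the input actually writes them.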