Hi, I'm back.
Today I will explain how to build an application for Splunk. As an example I will use ModSecurity 2 (because I could not find an existing app for it, so let's make one ourselves).
This is the result after I built my own app for ModSecurity 2.
First step. 1) We will create the app template provided by Splunk.
Log in to Splunk and go to
Manager → Apps → Create app
It looks like the image below:
Fill in the empty fields as in the image above, or enter whatever values you want (the folder name you choose here is the one used in the paths below).
2) After the template has been created, prepare the configuration files.
Go to /opt/splunk/etc/apps.
Here we create 5 configuration files; the explanation of each file can be found at
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Whatsinthismanual
by typing the file name into the "search" box :-)
indexes.conf
inputs.conf
props.conf
savedsearches.conf
transforms.conf
3) Modify the navigation menu
Modify this:
so that it becomes this:
4) Create /opt/splunk/etc/apps/mod_security2/local/viewstates.conf (touch it) if the file is not there yet,
and fill it with this:
5) Restart the Splunk service
6) Log in to Splunk again and try accessing your ModSecurity app.
Today I will explain how to build an application for Splunk. As an example I will use ModSecurity 2 (because I could not find an existing app for it, so let's make one ourselves).
This is the result after I built my own app for ModSecurity 2.
First step. 1) We will create the app template provided by Splunk.
Log in to Splunk and go to
Manager → Apps → Create app
It looks like the image below:
Fill in the empty fields as in the image above, or enter whatever values you want (the folder name you choose here is the one used in the paths below, mod_security2 in this example).
2) After the template has been created, prepare the configuration files.
Go to /opt/splunk/etc/apps. (The transcript below runs as root; if splunkd runs as a dedicated user, create the files as that user — or fix their ownership afterwards — so Splunk can actually read the app directory.)
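#!/usr/bin/env bash
# Create the (initially empty) configuration files for the mod_security2
# Splunk app, i.e. the equivalent of the original transcript:
#   cd /opt/splunk/etc/apps; cd mod_security2/default;
#   touch {indexes.conf,inputs.conf,props.conf,savedsearches.conf,transforms.conf}
#
# Defects fixed compared with the transcript:
#   - the commands were chained without any error checking, so if a `cd`
#     failed (app folder not created yet, typo in its name) the `touch`
#     would silently create the five files in whatever directory the shell
#     happened to be in;
#   - the install path was hard-coded; $SPLUNK_HOME is honoured when set.
#
# NOTE(review): the transcript ran as root. If splunkd runs as a dedicated
# user, run this as that user (or chown the files afterwards) so Splunk can
# read the app directory.
set -euo pipefail

splunk_home=${SPLUNK_HOME:-/opt/splunk}
app_default="$splunk_home/etc/apps/mod_security2/default"
readonly splunk_home app_default

# The app template created in step 1 must already exist; fail loudly otherwise
# instead of creating files in the wrong place.
cd -- "$app_default" || {
  printf 'error: app directory %s does not exist\n' "$app_default" >&2
  exit 1
}

# Same five files as the original brace expansion.
touch -- indexes.conf inputs.conf props.conf savedsearches.conf transforms.conf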
Here we create 5 configuration files; the explanation of each file can be found at
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Whatsinthismanual
by typing the file name into the "search" box :-)
indexes.conf
# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved. Version 4.2.4
# (Header inherited from the Splunk sample app this file was copied from.)
#
# indexes.conf for the mod_security2 app: defines the dedicated "modsec"
# index that inputs.conf writes to (index=modsec) and that every saved
# search in savedsearches.conf queries. Keeping the WAF audit data in its
# own index is what makes it possible to restrict, per role, who may
# search it.
#
# NOTE(review): no retention or size limits are set here, so the index
# inherits whatever the global defaults are. ModSecurity audit logs grow
# quickly and may contain request bodies; set frozenTimePeriodInSecs /
# maxTotalDataSizeMB deliberately and confirm that only the roles that need
# it can read the modsec index.

# Dedicated index for the ModSecurity audit log.
[modsec]
homePath = $SPLUNK_DB/modsec/db
coldPath = $SPLUNK_DB/modsec/colddb
thawedPath = $SPLUNK_DB/modsec/thaweddb
inputs.conf
# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved. Version 4.2.4
# (Header inherited from the Splunk sample app this file was copied from.)
#
# inputs.conf: tail the ModSecurity 2 audit log and send it to the modsec
# index (indexes.conf) with the sourcetype that props.conf/transforms.conf
# parse.
#
# NOTE(review): depending on SecAuditLogParts the audit log usually carries
# full request headers and bodies (cookies, Authorization headers, POST
# parameters) and possibly response bodies. Confirm what your ModSecurity
# configuration writes, and either trim the logged parts / sanitise
# sensitive arguments at the WAF or make sure the modsec index is
# access-controlled before enabling this input.
# NOTE(review): this monitors a single serial audit log file; if
# SecAuditLogType is Concurrent, entries go to per-transaction files under
# SecAuditLogStorageDir instead and this stanza will see nothing — verify.
# NOTE(review): the user splunkd runs as needs read permission on this
# file (it is normally written by the web server user); check permissions
# if no events show up.

# Monitor the ModSecurity audit log into the modsec index.
[monitor:///var/log/httpd/modsec_audit.log]
index=modsec
source=mod_security
sourcetype=modsec
props.conf
# props.conf: event breaking and search-time field extractions for
# sourcetype "modsec" (the sourcetype assigned in inputs.conf).
[modsec]
# 0 = never truncate an event. Audit records contain whole requests (and
# possibly response bodies), so a single event can become very large.
# NOTE(review): consider an explicit upper bound instead of "unlimited".
TRUNCATE = 0
# An audit record spans many lines; merge them into one event ...
SHOULD_LINEMERGE = true
# ... and start a new event only at the section-A header of a record,
# i.e. a line of the form "--<boundary>-A--".
# NOTE(review): the boundary character class is lower-case letters and
# digits only; confirm your log never emits an upper-case boundary id,
# otherwise that record is merged into the previous event.
BREAK_ONLY_BEFORE = (--[a-z0-9]+-A--)
# Search-time extractions: each value names a stanza in transforms.conf
# whose FORMAT produces the ms_* / *_stat fields that savedsearches.conf
# reports on.
REPORT-get = get
REPORT-post = post
REPORT-severity = severity
REPORT-msg = msg
REPORT-error = error
REPORT-ipsrc = ipsrc
REPORT-tagid = tagid
savedsearches.conf
# savedsearches.conf: the reports shown by the mod_security2 app. All of
# them search index=modsec / sourcetype="modsec" (see indexes.conf and
# inputs.conf) and use the fields extracted by transforms.conf. The vsid
# values point at chart settings in viewstates.conf (step 4), so that
# file must contain stanzas for *:guuvw49b and *:gv3j8amu.

# Applies to every stanza below: none of the searches is disabled.
[default]
disabled = 0

# Raw event list, limited to events where all four *_stat fields were
# extracted (field="*" requires the field to be present). Looks back 4
# days, unlike the 7-day window the other searches use.
[All Status]
enableSched = 0
search = index=modsec sourcetype="modsec" sev_stat="*" tagid_stat="*" ipsrc_stat="*" msg_stat="*"
dispatch.earliest_time = -4d
vsid = *:guuvw49b

# Most frequent rule severities (sev_stat from the [severity] transform).
[Severity Status]
enableSched = 0
search = index=modsec sourcetype="modsec" | top sev_stat limit=1000
dispatch.earliest_time = -7d@d
vsid = *:guuvw49b

# Most frequent GET request lines (ms_get from the [get] transform).
[HTTP/GET Status]
enableSched = 0
search = index=modsec sourcetype="modsec" | top ms_get limit=1000
dispatch.earliest_time = -7d@d
vsid = *:guuvw49b

# Most frequent POST request lines (ms_post from the [post] transform).
[HTTP/POST Status]
enableSched = 0
search = index=modsec sourcetype="modsec" | top ms_post limit=1000
dispatch.earliest_time = -7d@d
vsid = *:guuvw49b

# Most frequent 4xx/5xx status lines (error_stat from the [error] transform).
[HTTP Error Status]
enableSched = 0
search = index=modsec sourcetype="modsec" | top error_stat limit=1000
dispatch.earliest_time = -7d@d
vsid = *:guuvw49b

# Most frequent rule messages (msg_stat from the [msg] transform).
[Vulnerability Message]
enableSched = 0
search = index=modsec sourcetype="modsec" | top msg_stat limit=1000
dispatch.earliest_time = -7d@d
vsid = *:guuvw49b

# Most frequent client IPs (ipsrc_stat from the [ipsrc] transform).
[IP Source Status]
enableSched = 0
search = index=modsec sourcetype="modsec" | top ipsrc_stat limit=1000
dispatch.earliest_time = -7d@d
vsid = *:guuvw49b

# Most frequent rule tags (tagid_stat from the [tagid] transform).
[Vulnerability Status]
enableSched = 0
search = index=modsec sourcetype="modsec" | top tagid_stat limit=1000
dispatch.earliest_time = -7d@d
vsid = *:guuvw49b

# Report-builder variant of the error report (top 100, pie chart per the
# *:gv3j8amu viewstate). The alert/email keys are all switched off.
[HTTP Error Message]
action.email.reportServerEnabled = 0
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
displayview = report_builder_display
request.ui_dispatch_view = report_builder_display
search = index=modsec sourcetype="modsec" | top error_stat limit="100"
vsid = *:gv3j8amu
transforms.conf
# transforms.conf: search-time field extractions referenced from props.conf
# (REPORT-<name> = <stanza>). Each REGEX runs against the whole merged
# audit-log event and FORMAT names the field the capture group becomes;
# those names (ms_get, ms_post, sev_stat, msg_stat, error_stat, ipsrc_stat,
# tagid_stat) are what savedsearches.conf reports on.
#
# NOTE(review): every regex below is unanchored and written for one
# specific log layout; verify each one against a sample of your own audit
# log before trusting the reports.

# Request line of a GET request: "GET" through the end of that line.
[get]
REGEX = (GET.+?)$
FORMAT = ms_get::$1

# Request line of a POST request: "POST" through the end of that line.
[post]
REGEX = (POST.+?)$
FORMAT = ms_post::$1

# severity "<level>"] -> sev_stat=<level>; the "." after "severity" stands
# for the single separator character before the opening quote.
[severity]
REGEX = (severity)."(.+?)"\]
FORMAT = sev_stat::$2

# [msg "<rule message>"] -> msg_stat=<rule message>.
[msg]
REGEX = \[(msg)."(.+?)"\]
FORMAT = msg_stat::$2

# Status line of a 4xx/5xx response, e.g. "HTTP/1.1 403 Forbidden".
# NOTE(review): [45]0[0-5] only matches 400-405 and 500-505, so codes such
# as 413, 429 or 507 never become error_stat; [45]\d{2} would cover every
# 4xx/5xx status. "HTTP/...." also assumes a three-character version such
# as "1.1" followed by exactly one space.
[error]
REGEX = (HTTP/....[45]0[0-5]\s\w{1,}.*)
FORMAT = error_stat::$1

# Client IP from the section-A header, expected as
# "...0] <unique-id> <dotted-quad> ...".
# NOTE(review): "0\]" relies on the timezone offset ending in 0 (e.g.
# +0700), and the capture group is optional (trailing "?"), so the stanza
# can match with an empty $1; dropping the "?" extracts only real addresses.
[ipsrc]
REGEX = 0\]\s{1}\w{1,}\s{1}(\d+\.\d+\.\d+\.\d+)?
FORMAT = ipsrc_stat::$1

# tag "<tag>"] -> tagid_stat=<tag>.
[tagid]
REGEX = tag\s"(\w{1,}.+?)"\]
FORMAT = tagid_stat::$1
3) Modify the navigation menu
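# Edit the app's navigation menu (step 3).
#
# The transcript used a path relative to .../mod_security2/default (the
# directory the previous step left the shell in); an absolute path built
# from $SPLUNK_HOME does not depend on the current directory, and the
# editor is taken from $EDITOR when set (vim otherwise, as before).
#
# NOTE(review): Splunk's create-app template places the nav file under
# default/data/ui/nav/ and a copy under local/ overrides it — confirm
# which copy your install actually has so the edit is not silently shadowed.
splunk_home=${SPLUNK_HOME:-/opt/splunk}
"${EDITOR:-vim}" "$splunk_home/etc/apps/mod_security2/local/data/ui/nav/default.xml"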
Modify this:
so that it becomes this:
4) Create /opt/splunk/etc/apps/mod_security2/local/viewstates.conf (touch it) if the file is not there yet,
and fill it with this:
# viewstates.conf: chart settings referenced by the vsid keys in
# savedsearches.conf. The stanza name is the viewstate id; "*:" means it is
# not tied to a single view. These keys are written by the Splunk 4.x UI
# (Flash charts) and are best generated through the UI rather than by hand.

# Bar chart of tagid_stat vs frequency (vsid of most saved searches).
[*:guuvw49b]
AxisScaleFormatter_0_9_0.default = ""
ChartTypeFormatter_0_4_0.default = bar
Count_0_3_0.default = 10
DataOverlay_0_5_0.dataOverlayMode = none
DataOverlay_0_5_0.default = none
FlashChart_0_4_1.height = 300px
LegendFormatter_0_10_0.default = top
LineMarkerFormatter_0_7_0.default = false
NullValueFormatter_0_9_0.default = gaps
SplitModeFormatter_0_8_0.default = false
StackModeFormatter_0_7_0.default = default
XAxisTitleFormatter_0_6_1.default = tagid_stat
YAxisRangeMaximumFormatter_0_8_0.default = ""
YAxisRangeMinimumFormatter_0_7_0.default = ""
YAxisTitleFormatter_0_6_2.default = Frequency

# Area chart of event count over time (not referenced by any saved search
# in this app's savedsearches.conf; kept as-is).
[*:gv3fqc6l]
AxisScaleFormatter_0_9_0.default = ""
ChartTypeFormatter_0_4_0.default = area
Count_0_3_0.default = 10
DataOverlay_0_5_0.dataOverlayMode = none
DataOverlay_0_5_0.default = none
FlashChart_0_4_1.height = 300px
LegendFormatter_0_10_0.default = top
LineMarkerFormatter_0_7_0.default = false
NullValueFormatter_0_9_0.default = gaps
SplitModeFormatter_0_8_0.default = false
StackModeFormatter_0_7_0.default = default
XAxisTitleFormatter_0_6_1.default = time
YAxisRangeMaximumFormatter_0_8_0.default = ""
YAxisRangeMinimumFormatter_0_7_0.default = ""
YAxisTitleFormatter_0_6_2.default = count of events

# Pie chart titled "HTTP Error Message" over error_stat (vsid of the
# [HTTP Error Message] saved search).
[*:gv3j8amu]
AxisScaleFormatter_0_9_0.default = ""
ChartTitleFormatter_0_6_0.default = HTTP Error Message
ChartTypeFormatter_0_4_0.default = pie
Count_0_3_0.default = 10
DataOverlay_0_5_0.dataOverlayMode = none
DataOverlay_0_5_0.default = none
FlashChart_0_4_1.height = 300px
LegendFormatter_0_10_0.default = right
LineMarkerFormatter_0_7_0.default = false
NullValueFormatter_0_9_0.default = gaps
SplitModeFormatter_0_8_0.default = false
StackModeFormatter_0_7_0.default = default
XAxisTitleFormatter_0_6_1.default = error_stat
YAxisRangeMaximumFormatter_0_8_0.default = ""
YAxisRangeMinimumFormatter_0_7_0.default = ""
YAxisTitleFormatter_0_6_2.default = Frequency
5) Restart the Splunk service
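# Restart Splunk so the new app and its .conf files are loaded (step 5).
# The install path is taken from $SPLUNK_HOME when set (default /opt/splunk,
# as in the transcript).
#
# NOTE(review): the transcript ran this as root. Run it as the user splunkd
# normally runs as; restarting as root can leave files under $SPLUNK_HOME
# root-owned and unreadable by the service account afterwards.
splunk_home=${SPLUNK_HOME:-/opt/splunk}
"$splunk_home/bin/splunk" restart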
6) Log in to Splunk again and try accessing your ModSecurity app.