IP Reputation - default inputs.conf

Motivator

I'm rather confused by the default inputs.conf entry:

[monitor://$SPLUNK_HOME/etc/apps/honeypot_scoring/bin/score_lookup_log.txt]
disabled = false
followTail = 0
host = score_lookup_file
sourcetype = Honey_Pot_Scorelookup_Log

Is it meant to be referencing a different app? I didn't see anything in Splunkbase that would supply it.

0 Karma

Communicator

Hi Mike,

If you review the Python lookup script, you can see that there is some code commented out. If you remove the #, the lookup script will create this file and log what it receives from your Splunk search and what values are given back.

This is how I track during development how the script is working, how many lookups are performed, etc.

As it can produce a lot of data depending on how many real-time lookups of IPs you are doing, I did not enable it by default to avoid eating up any Splunk license.

I probably should have removed the input before doing the release.

Thanks for the hint. I'll consider this for a next update.

Also make sure you add IP Reputation as a tag to your answer. This is how your question gets noticed by me immediately.

Happy splunking,

Matthias

0 Karma