Hi,
I need to make events I am receiving from a Modsecurity available and formatted for Splunk Enterprise Security. I have a distributed environment.
I know that I have to turn them into CIM, add tags, eventtype, extract fields, and create aliases.
Thank you very much.
Regards.
If you follow the naming convention TA-foo, ES will automatically load your TA.
Differently named TAs can be imported too, but there really is no need to deviate from the convention. http://docs.splunk.com/Documentation/ES/4.1.0/Install/InstallTechnologyAdd-ons#The_Update_ES_modular...
Thanks Martin,
I've created a new directory in $SPLUNK_HOME/etc/apps/TA-ltmodsec
I've created a directory $SPLUNK_HOME/etc/apps/TA-ltmodsec/default
and I created a transforms.conf and a props.conf inside the default folder.
props.conf
[source::udp:10514]
TRANSFORMS-001_rewrite_modsecurity_sourcetype = set_sourcetype_modsecurity
[modsecurity]
# The capture-group names below were stripped from the post (the <name> part of (?P<name>...) is missing); the names used here are assumed.
EXTRACT-modsec-client = \[client\s(?P<client>[^\]]+)\]
EXTRACT-accion = ^(?:[^\.\n]*\.){6}\d+\] ModSecurity:\s+(?P<accion>[^\[]+)\s+\[
EXTRACT-modsec_id = \[id \"(?P<rule_id>[^\"]+)"\]
transforms.conf
[set_sourcetype_modsecurity]
SOURCE_KEY = MetaData:Host
REGEX = (52\.86\.132\.70)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::modsecurity
That didn't work.
When I move those files to $SPLUNK_HOME/etc/apps/search/local/ it works correctly.
Am I missing something in the add-on I've created?
Thank you very much.
Regards.
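A dry run of the props.conf and transforms.conf posted above, added here as an example (it is not code from the thread): the three EXTRACT regexes and the host-match REGEX are applied in Python to a constructed ModSecurity alert as it would arrive on udp:10514 behind a syslog header. The capture-group names client, accion and rule_id are assumptions, since the post lost them; Splunk compiles these patterns as PCRE and Python's re reads this subset identically, so a regex that fails here will also fail in Splunk.

```python
import re

# Constructed sample (not a real event): a ModSecurity 2.x alert as Apache
# writes it to its error log, wrapped in the syslog header it carries when
# it reaches the udp:10514 input.
SAMPLE_EVENT = (
    "Mar 15 10:22:01 web1.example.com apache2: "
    "[Tue Mar 15 10:22:01.123456 2016] [:error] [pid 1234] "
    "[client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). "
    'Pattern match "union select" at ARGS:q. '
    '[file "/etc/modsecurity/rules.conf"] [line "42"] [id "981243"] '
    '[msg "SQL Injection Attack"] [severity "CRITICAL"] '
    '[hostname "www.example.com"] [uri "/search"] [unique_id "VuhsYn8AAQEAAAjPJ9MAAAAA"]'
)

# The EXTRACT-* regexes from the [modsecurity] stanza above, keyed by their
# class name. The group names (client, accion, rule_id) are assumed here
# because the post lost them.
EXTRACTS = {
    "modsec-client": r"\[client\s(?P<client>[^\]]+)\]",
    "accion": r"^(?:[^\.\n]*\.){6}\d+\] ModSecurity:\s+(?P<accion>[^\[]+)\s+\[",
    "modsec_id": r"\[id \"(?P<rule_id>[^\"]+)\"\]",
}

# REGEX from the [set_sourcetype_modsecurity] transform. Splunk runs it
# against MetaData:Host (the sending host) at index time.
HOST_REGEX = r"(52\.86\.132\.70)"


def extract_fields(event: str) -> dict:
    """Search-time behaviour of EXTRACT-*: each regex is tried once against
    the raw event and every named group that matched becomes a field."""
    fields = {}
    for pattern in EXTRACTS.values():
        match = re.search(pattern, event)
        if match:
            fields.update({k: v for k, v in match.groupdict().items() if v is not None})
    return fields


def rewrite_sourcetype(host: str, current: str = "syslog") -> str:
    """Index-time behaviour of the TRANSFORMS stanza: an event whose host
    matches gets sourcetype::modsecurity, any other keeps its sourcetype."""
    return "modsecurity" if re.search(HOST_REGEX, host) else current


if __name__ == "__main__":
    print(rewrite_sourcetype("52.86.132.70"))  # modsecurity
    for name, value in extract_fields(SAMPLE_EVENT).items():
        print(f"{name} = {value}")
```

Three things the dry run makes visible. The TRANSFORMS stanza is index-time configuration: it only takes effect where the events are parsed (the indexer or a heavy forwarder) and needs a restart there, while the EXTRACT stanzas are search-time and are read on the search head, so in a distributed environment the two files do not necessarily belong on the same box. The host REGEX is unanchored, so a host such as 152.86.132.70 is rewritten too; `^52\.86\.132\.70$` closes that. And Apache 2.4 writes the client bracket with a port (`[client 203.0.113.5:54321]`), which the client regex would keep in the field.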
There isn't much to miss. Create directory, create .conf file, restart Splunk, done.
Hi, Thanks for your reply.
So, after creating a custom TA, does Enterprise Security load it automatically, or should I do something for ES to load the TA?
Are there specifications when creating the TA, such as the TA's name and configuration?
Thanks again.
Hi noybin - this might help:
http://docs.splunk.com/Documentation/ES/3.3.3/CreateTA/GenericExample
You don't need to create a TA specifically, you can modify the local props & transforms if you want. And you only need to make changes on the search head.
I usually just put any modifications into the local search app or local ES app. The full path would be something like:
/opt/splunk/etc/apps/search/local
props.conf, tags.conf, transforms.conf, etc.
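The CIM side of the original question (eventtype, tags, aliases), added here as an example and not code from the thread or from Splunk: the three search-time .conf stanzas a TA for ModSecurity would carry, plus a small Python interpreter for them so the mapping can be checked on a sample event before restarting Splunk. The field names follow the CIM Intrusion Detection data model (src, dest, signature, signature_id, ids_type, with the tags ids and attack). The stanza names and the SAMPLE_FIELDS dictionary are constructed for this example; it assumes the extractions earlier in the thread produce client and rule_id and adds hostname, msg and severity, which the thread does not extract.

```python
import configparser
import re

# Search-time configuration this example proposes for the TA (not from the
# thread). Splunk reads these from default/ or local/ of the app on the
# search head.
TA_CONF = {
    "props.conf": """
[modsecurity]
# FIELDALIAS keeps the extracted field and adds the CIM name beside it.
FIELDALIAS-modsec_src = client AS src
FIELDALIAS-modsec_dest = hostname AS dest
FIELDALIAS-modsec_signature = msg AS signature rule_id AS signature_id
# Constant the Intrusion Detection data model expects.
EVAL-ids_type = "application"
""",
    "eventtypes.conf": """
[modsecurity_alert]
search = sourcetype=modsecurity
""",
    "tags.conf": """
[eventtype=modsecurity_alert]
ids = enabled
attack = enabled
""",
}

# Constructed input: the fields one event carries after extraction. client
# and rule_id come from the regexes in the thread; hostname, msg and
# severity are assumed additional extractions.
SAMPLE_FIELDS = {
    "sourcetype": "modsecurity",
    "client": "203.0.113.5",
    "hostname": "www.example.com",
    "msg": "SQL Injection Attack",
    "rule_id": "981243",
    "severity": "CRITICAL",
}


def load_conf(text: str) -> dict:
    """Parse Splunk .conf text into {stanza: {key: value}}; key case is kept."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def apply_props(fields: dict, stanza: dict) -> dict:
    """Interpret FIELDALIAS-* (orig AS new, repeatable) and constant-valued EVAL-*."""
    out = dict(fields)
    for key, value in stanza.items():
        if key.startswith("FIELDALIAS-"):
            for orig, new in re.findall(r"(\S+)\s+AS\s+(\S+)", value):
                if orig in fields:
                    out[new] = fields[orig]
        elif key.startswith("EVAL-"):
            const = re.fullmatch(r'"(.*)"', value.strip())
            if const:
                out[key[len("EVAL-"):]] = const.group(1)
    return out


def match_eventtypes(event: dict, eventtypes: dict) -> list:
    """An eventtype applies when every key=value term of its search holds."""
    matched = []
    for name, stanza in eventtypes.items():
        terms = [t.split("=", 1) for t in stanza["search"].split() if "=" in t]
        if all(event.get(k) == v for k, v in terms):
            matched.append(name)
    return matched


def tags_for(eventtypes: list, tags: dict) -> list:
    """Collect the tags enabled on [eventtype=<name>] stanzas."""
    found = set()
    for name in eventtypes:
        stanza = tags.get(f"eventtype={name}", {})
        found.update(t for t, state in stanza.items() if state == "enabled")
    return sorted(found)


def to_cim(fields: dict) -> dict:
    """Run one event through props, eventtypes and tags, the order ES applies them."""
    conf = {name: load_conf(text) for name, text in TA_CONF.items()}
    event = apply_props(fields, conf["props.conf"].get(fields["sourcetype"], {}))
    event["eventtype"] = match_eventtypes(event, conf["eventtypes.conf"])
    event["tag"] = tags_for(event["eventtype"], conf["tags.conf"])
    return event


if __name__ == "__main__":
    for name, value in to_cim(SAMPLE_FIELDS).items():
        print(f"{name} = {value}")
```

The interpreter only covers what the three stanzas use (space-separated `orig AS new` pairs, a quoted constant in EVAL, and an all-terms-must-match eventtype search); it is a pre-flight check, not a replacement for verifying in Splunk with `| datamodel Intrusion_Detection IDS_Attacks search`. The eventtype is keyed on the sourcetype on purpose: ES's data models select events by tag, so the tags.conf stanza is what makes the ModSecurity events show up in Enterprise Security.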