Splunk Enterprise

How do I access CLI via AMI/PCAP Upload?

RedMelon
New Member

Hi all,

I require access to the CLI and am using splunk Enterprise AMI, any help would be apperacited. 

Alternatively if anyone has any ideas on how I can do the following It would be greatly greatly appreactited.

I have a large amount of PCAP files for ingestion by splunk, there seems to be a file size limit when uploading my merged PCAPS so i am left with the problem of trying to upload 1000+ PCAPS which would be a painstaking long process done manually, a workaround is through the CLI however I can not access it.

This is for a university project and any help would be appreciated, thanks for reading!

Tags (5)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Please be a bit more precise. You need a CLI access to what? If I remember correctly, access to your VMs should be managed by the AWS mechanisms (haven't worked with that a while but I think it's your or your infrastructure team's responsibility to make sure you have access to remote shell.

About uploading PCAP-s - what would you want to do with PCAP files on Splunk? Splunk is not a network traffic analyzing software? You could upload pcaps if you had Splunk Stream installed but that's another story - do you have Stream installed?

0 Karma

RedMelon
New Member

Hi there, 

I need CLI to make the ingesting of the PCAPS plausible. I have to manually upload them one at a time however using the CLI I can ingest them in mass.

I'm following this documentation

stream is installed and I can and have uploaded individual PCAPS but the sheer amount I need to upload makes that method not plausible. I plan to use splunk to detect malicious beaconing traffic inside these PCAPS, via some rules I'll make.

But with the AMI I'm struggling to access the CLI.

 

If anyone has a answer for either:

how do I access the CLI on the AMI version of Splunk Enterprise?

Uploading large file sized PCAPS, alternative ways to upload this traffic?

 

Any help would be greatly appreciated. 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

It's more an AWS issue than Splunk problem as such.

Check out the docs at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connection-prereqs.html

The Splunk AMI is based on Amazon-Linux so most probably you're gonna be connecting to ec2-user

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...