Splunk App for Vulture

The goal of this application is to provide a Splunk sourcetype for the logs of the Vulture WAF, taken from the MongoDB repository of the appliance. The application gives you the same dashboard you can find directly on the appliance.

Vulture project : https://www.vultureproject.org/

Splunk - Installation

Connect to your Splunk installation

Create an index called "vulture"

cd $HOME_SPLUNK/etc/apps

wget https://github.com/b4b857f6ee/Vulture/archive/master.zip

unzip master.zip

mv Vulture-master/vulture ./

mv vulture Vulture

rm -rf Vulture-master/

chown splunk:splunk -R Vulture (only if you are running Splunk as the splunk user and not as root)

Restart Splunk

Create a new input (in my case port 9601 and the UDP protocol; you can change them)

Go to Settings -> Data inputs -> UDP -> Add New. Select your port "9601", the Source Type "vulture" and the index "vulture".

That's it for the Splunk configuration
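The same Splunk input and index can be declared in configuration files instead of the web UI. This is an added example, not a file shipped with the app; it assumes the port 9601, sourcetype and index names used above, and the placeholder network `192.0.2.0/24` (the Vulture appliance's address) is a value you must replace. Because plain UDP syslog is unauthenticated, `acceptFrom` restricts which sources may feed the index.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Added example: UDP syslog listener matching the GUI steps above.
[udp://9601]
sourcetype = vulture
index = vulture
# Record the sender's IP as the host field (Vulture sets its own hostname in the syslog header otherwise).
connection_host = ip
# Only accept datagrams from the Vulture appliance's network (placeholder value, replace it).
acceptFrom = 192.0.2.0/24

# $SPLUNK_HOME/etc/system/local/indexes.conf
# Added example: the "vulture" index the app expects.
[vulture]
homePath   = $SPLUNK_DB/vulture/db
coldPath   = $SPLUNK_DB/vulture/colddb
thawedPath = $SPLUNK_DB/vulture/thaweddb
```

After restarting Splunk, `splunk btool inputs list udp://9601` shows the effective stanza so you can confirm the input was picked up.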

Vulture Configuration

Log configuration

Connect to your Vulture GUI and go to Repository -> Syslog -> Create new SyslogRepository with:

Repository name: "Splunk"
Syslog server IP address: "Your Splunk IP"
Syslog server port number: "9601" by default
Syslog protocol: "UDP"
Syslog facility: "local7"
Syslog security level: "info"

Go to -> Configuration Profiles -> Logs -> "Default Log Profile (Repo) Vulture Internal Database (MongoDBRepository)"

In "Optional syslog repository", select your SyslogRepository name

Go to Applications -> Applications -> click on your app to edit it -> Logs

Log Profile: select the MongoDB repository. Log Level: "Error"

Restart your application and access your website; you should receive the logs when you access the website.

Check the Splunk index to be sure:

index=vulture

Release Notes

Version 1.2

Corrects the wrong upload of version 1.1

Version 1.1

March 21, 2018

Splunk App for Vulture WAF
Version : 1.1

Installation & support : https://github.com/b4b857f6ee/Vulture

About the Vulture project : https://www.vultureproject.org/

Release notes 1.1

  • Adds the Search menu to the app.
  • Begins splitting the sourcetype into vulture:log for web logs and vulture:filterlog for the PacketFilter log (pflog) from FreeBSD.
  • Modifies the fields by adding aliases for CIM Web compliance.