-
Notifications
You must be signed in to change notification settings - Fork 363
Output to Splunk Stream (DSP)
The attack_range can be configured in order to forward any events indexed by the Splunk search head to a Splunk DSP set's of nodes.
- a DSP cluster with nodes listening on port 9997 which the attack_range network can reach
- a forwarder client key pair needs to be generated (example:
my_forwarder-keys.pem
). Find more information on how to generate a forwarder client cert here: https://docs.splunk.com/Documentation/DSP/1.1.0/Data/Forwarder#Generate_a_client_certificate_for_the_DSP_Forwarders_service
To configure DSP in the attack range follow these steps:
- edit attack_range.conf
dsp_install
parameters, toinstall_dsp = 1
to enable DSP - edit attack_range.conf
dsp_node
parameters, todsp_node = <ip_of_node1>,<ip_of_node2>,<ip_of_nodex>
add nodes to forward data to. - edit attack_range.conf
dsp_client_cert_path
parameters, and include the path and file name relative to the attac_range folder of the certificate generated from these instructions. For exampledsp_client_cert_path = dsp-client-cert.pem
when the file is underattack_range/dsp-client-cert.pem
example configuration section:
[dsp]
install_dsp = 1
# specify whether enable DSP output in Splunk or not
dsp_client_cert_path = attack_range-keys.pem
# specify the certificate path for the DSP client. A certificate must be generated using the following instructions:
# https://docs.splunk.com/Documentation/DSP/1.1.0/Data/Forwarder#Configure_your_forwarder_to_use_the_client_certificate
# specifically the path to the generated my_forwarder-keys.pem
dsp_node = 54.202.x.x,54.186.x.x
# specify a comma delimited list of DSP nodes to forward data to.
# Please verify that your attack_range network can connect to port 30001
Then just build an attack_range.
To get data to DSP, we simply place an outputs.conf
file on the Splunk server configured to send data to the DSP nodes. Here is an example once deployed:
/opt/splunk/etc/apps/dsp_outputs_app$ cat local/outputs.conf
[tcpout]
defaultGroup=dsp
[tcpout:dsp]
server=54.201.x.x:9997,54.202.x.x:9997,
clientCert=/opt/splunk/etc/apps/dsp_outputs_app/client.pem
sslVerifyServerCert=false
useACK=true
indexAndForward = true
This application is needed to configure BA/DSP settings and to forward the generated certificate later.
scloud
released can be downloaded here: https://github.com/splunk/splunk-cloud-sdk-go
As mentioned in requirements
you need to generate forwarder client key pair certificate (example: my_forwarder-keys.pem
) that will be forwarded in DSP and will be part of attack_range.conf
.
Find more information on how to generate a forwarder client cert and forward it in DSP here: https://docs.splunk.com/Documentation/DSP/1.1.0/Data/Forwarder#Generate_a_client_certificate_for_the_DSP_Forwarders_service
In your splunk BA account, you need to follow the series of scloud
commands to configure your BA with your token.
Below is the scloud configuration commands:
scloud config reset
scloud config set --key host-url --value https://research.api.staging.scs.splunk.com
scloud config set --key tenant --value research
scloud config set --key username --value splunk-email@splunk.com
scloud context set --tenant research --key access_token --value {Access Token}
scloud identity validate-token --tenant {tenant name}
notes:
-
splunk-email@splunk.com
is your BA email user account -
{Access Token}
is your access token that can also be seen insettings
menu of the BA console. -
{tenant name}
is the tenant where your account is registered.
4 Follow Attack Range Configuration mentioned earlier. attack_range.conf configuration
- The simple way to check this is by looking for the host name of the machine in your attack range that should be connected in BA example “win-dc-970”.
- Create or clone a pipeline for your testing. If you decided to create a pipeline choose “Data Stream Firehose”
- Then start to preview the created pipeline. If you saw the host machine name of your attack range, it means your attack range is successfully connected or sending a telemetry event to BA now.