Skip to content

Output to Splunk Stream (DSP)

tccontre edited this page Nov 23, 2021 · 28 revisions

The attack_range can be configured in order to forward any events indexed by the Splunk search head to a Splunk DSP set's of nodes.

Requirements

Configure

To configure DSP in the attack range follow these steps:

  1. edit attack_range.conf dsp_install parameters, to install_dsp = 1 to enable DSP
  2. edit attack_range.conf dsp_node parameters, to dsp_node = <ip_of_node1>,<ip_of_node2>,<ip_of_nodex> add nodes to forward data to.
  3. edit attack_range.conf dsp_client_cert_path parameters, and include the path and file name relative to the attac_range folder of the certificate generated from these instructions. For example dsp_client_cert_path = dsp-client-cert.pem when the file is under attack_range/dsp-client-cert.pem

example configuration section:

[dsp]
install_dsp = 1
# specify whether enable DSP output in Splunk or not

dsp_client_cert_path = attack_range-keys.pem
# specify the certificate path for the DSP client. A certificate must be generated using the following instructions:
# https://docs.splunk.com/Documentation/DSP/1.1.0/Data/Forwarder#Configure_your_forwarder_to_use_the_client_certificate
# specifically the path to the generated my_forwarder-keys.pem

dsp_node = 54.202.x.x,54.186.x.x
# specify a comma delimited list of DSP nodes to forward data to.
# Please verify that your attack_range network can connect to port 30001

Then just build an attack_range.

How does it work

To get data to DSP, we simply place an outputs.conf file on the Splunk server configured to send data to the DSP nodes. Here is an example once deployed:

/opt/splunk/etc/apps/dsp_outputs_app$ cat local/outputs.conf
[tcpout]
defaultGroup=dsp


[tcpout:dsp]
server=54.201.x.x:9997,54.202.x.x:9997,
clientCert=/opt/splunk/etc/apps/dsp_outputs_app/client.pem
sslVerifyServerCert=false
useACK=true
indexAndForward = true