-
Notifications
You must be signed in to change notification settings - Fork 334
Output to Splunk Stream (DSP)
The attack_range can be configured in order to forward any events indexed by the Splunk search head to a Splunk DSP set's of nodes.
- a DSP cluster with nodes listening on port 9997 which the attack_range network can reach
- a forwarder client key pair needs to be generated (example:
my_forwarder-keys.pem). Find more information on how to generate a forwarder client cert here: https://docs.splunk.com/Documentation/DSP/1.1.0/Data/Forwarder#Generate_a_client_certificate_for_the_DSP_Forwarders_service
To configure DSP in the attack range follow these steps:
- edit attack_range.conf
dsp_installparameters, toinstall_dsp = 1to enable DSP - edit attack_range.conf
dsp_nodeparameters, todsp_node = <ip_of_node1>,<ip_of_node2>,<ip_of_nodex>add nodes to forward data to. - edit attack_range.conf
dsp_client_cert_pathparameters, and include the path and file name relative to the attac_range folder of the certificate generated from these instructions. For exampledsp_client_cert_path = dsp-client-cert.pemwhen the file is underattack_range/dsp-client-cert.pem
example configuration section:
[dsp]
install_dsp = 1
# specify whether enable DSP output in Splunk or not
dsp_client_cert_path = attack_range-keys.pem
# specify the certificate path for the DSP client. A certificate must be generated using the following instructions:
# https://docs.splunk.com/Documentation/DSP/1.1.0/Data/Forwarder#Configure_your_forwarder_to_use_the_client_certificate
# specifically the path to the generated my_forwarder-keys.pem
dsp_node = 54.202.x.x,54.186.x.x
# specify a comma delimited list of DSP nodes to forward data to.
# Please verify that your attack_range network can connect to port 30001
Then just build an attack_range.
To get data to DSP, we simply place an outputs.conf file on the Splunk server configured to send data to the DSP nodes. Here is an example once deployed:
/opt/splunk/etc/apps/dsp_outputs_app$ cat local/outputs.conf
[tcpout]
defaultGroup=dsp
[tcpout:dsp]
server=54.201.x.x:9997,54.202.x.x:9997,
clientCert=/opt/splunk/etc/apps/dsp_outputs_app/client.pem
sslVerifyServerCert=false
useACK=true
indexAndForward = true
This application is needed to configure BA/DSP settings and to forward the generated certificate later.
scloudreleased can be downloaded here: https://github.com/splunk/splunk-cloud-sdk-go
As mentioned in requirements you need to generate forwarder client key pair certificate (example: my_forwarder-keys.pem) that will be forwarded in DSP and will be part of attack_range.conf.
Find more information on how to generate a forwarder client cert and forward it in DSP here: https://docs.splunk.com/Documentation/DSP/1.1.0/Data/Forwarder#Generate_a_client_certificate_for_the_DSP_Forwarders_service
In your splunk BA account, you need to follow the series of scloud commands to configure your BA with your token.
Below is the scloud configuration commands:
scloud config reset
scloud config set --key host-url --value https://research.api.staging.scs.splunk.com
scloud config set --key tenant --value research
scloud config set --key username --value splunk-email@splunk.com
scloud context set --tenant research --key access_token --value {Access Token}
scloud identity validate-token --tenant {tenant name}
notes:
-
splunk-email@splunk.comis your BA email user account -
{Access Token}is your access token that can also be seen insettingsmenu of the BA console. -
{tenant name}is the tenant where your account is registered.
4 Follow Attack Range Configuration mentioned earlier. attack_range.conf configuration
- The simple way to check this is by looking for the host name of the machine in your attack range that should be connected in BA example “win-dc-970”.
- Create or clone a pipeline for your testing. If you decided to create a pipeline choose “Data Stream Firehose”
- Then start to preview the created pipeline. If you saw the host machine name of your attack range, it means your attack range is successfully connected or sending a telemetry event to BA now.