-
Notifications
You must be signed in to change notification settings - Fork 38
Splunk Configuration
Splunk's default configuration can cause data loss or indexing issues when using saf convert hdf2splunk
.
In order to use hdf2splunk
, you have to update your Splunk service in a few places.
- Update your Spunk Server to support the larger data requirements of HDF files
- Setup SSL so
hdf2splunk
can securely transmit your data
NOTE To run Splunk from a docker container references Splunk in Docker
limits.conf docs
[kv]
limit = 10000000
maxchars = 1000000
props.conf docs
[HDF2Splunk]
SHOULD_LINEMERGE = false
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\n]+)
TRUNCATE = 0
If you have loaded HDF into Splunk without configuring EVENT_BREAKER, it will be unreadable from Heimdall.
To remove it, execute the query index="<YOUR INDEX> meta.subtype="header" | delete
. Note that this is a destructive action, and will remove anything that is returned by this query.
These setup instructions have been tested on AWS AMI provided by Splunk running Amazon Linux 2.
Note: changes to web.conf
are optional and are not required for hdf2splunk
to be able to transmit data securely. The purpose of the modifications to the web.conf
is to enable viewing of the Splunk GUI securely on the default port 8000
. Configuration update to the server.conf
serves the certificate on the Management Port 8089
and required for hdf2splunk
to transmit your data securely.
Replace $YOUR_FQDN_HERE with FQDN for the Splunk Host
sudo yum update ca-certificates -y
sudo yum install https://cdn.amazonlinux.com/patch/ca-certificates-update-2021-09-30/ca-certificates-2021.2.50-72.amzn2.0.1.noarch.rpm -y
sudo wget -r --no-parent -A 'epel-release-*.rpm' https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
sudo yum-config-manager --enable epel*
sudo amazon-linux-extras install epel -y
sudo yum install -y certbot
sudo yum update -y
sudo cd /etc/pki/tls/certs
sudo ./make-dummy-cert localhost.crt
sudo certbot -d $YOUR_FQDN_HERE --standalone certonly
sudo mkdir /opt/splunk/etc/auth/$YOUR_FQDN_HERE
sudo cd /etc/letsencrypt/live/$YOUR_FQDN_HERE/
sudo cp fullchain.pem privkey.pem /opt/splunk/etc/auth/$YOUR_FQDN_HERE/
sudo cat /etc/letsencrypt/live/$YOUR_FQDN_HERE/cert.pem /etc/letsencrypt/live/$YOUR_FQDN_HERE/privkey.pem /etc/letsencrypt/live/$YOUR_FQDN_HERE/fullchain.pem > /opt/splunk/etc/auth/$YOUR_FQDN_HERE/myCombinedServerCertificate.pem
sudo chown -R splunk:splunk /opt/splunk/etc/auth/$YOUR_FQDN_HERE
web.conf docs
[settings]
enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/$YOUR_FQDN_HERE/privkey.pem
caCertPath = /opt/splunk/etc/auth/$YOUR_FQDN_HERE/fullchain.pem
server.conf docs
[general]
serverName = $YOUR_FQDN_HERE
[httpServer]
crossOriginSharingPolicy = *
crossOriginSharingHeaders = *
disabled = 0
[sslConfig]
sslVersions = tls1.2
sslVersionsForClient = tls1.2
cipherSuite = HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128
useClientSSLCompression = false
allowSslCompression = false
serverCert = /opt/splunk/etc/auth/$YOUR_FQDN_HERE/myCombinedServerCertificate.pem
sslRootCAPath = /opt/splunk/etc/auth/$YOUR_FQDN_HERE/fullchain.pem
sendStrictTransportSecurityHeader = true
Restart Splunk
Streamline security automation for systems and DevOps pipelines with the SAF CLI
- Home
- How to create a release
- Splunk Configuration
- Supplement HDF Configuration
- Validation with Thresholds
- SAF CLI Delta Process
- Mapper Creation Guide for HDF Converters
- How to create a SAF CLI
- How to recommend development of a mapper
- Use unreleased version of a package from the Heimdall monorepo in the SAF CLI
- Troubleshooting