
Splunk output

Open dpicollege opened this issue 9 years ago • 3 comments

Description

This task should tackle the implementation of the Splunk output. Events should be shipped to the Splunk HEC (HTTP event collector). For borrowing ideas, see the reference link for the implementation of the Splunk sink in Vector.

Prior art

https://github.com/timberio/vector/blob/master/src/sinks/splunk_hec.rs

dpicollege avatar Nov 30 '16 08:11 dpicollege

I am very interested in sending fibratus output to Splunk. May I have it this week, or should I wait longer?

dpicollege avatar Dec 11 '16 19:12 dpicollege

My plate is pretty full this month and I have no experience with Splunk's API. Can you take a look at the documentation to help me figure out which endpoints should be used to send the data?

rabbitstack avatar Dec 11 '16 20:12 rabbitstack

Yes, sure. But from my experience, I suggest saving the data to disk, so that anyone can send the data to any SIEM: they can read the data and forward it to their environment. The file format can be txt or csv, and it's also better to have a structure, for example like this:

2016-12-12T 03:28:50.458945 registery="close.x", dest="", transport="tcp", dest_port="", src="****", src_port="57410", file="open.x"

If it's hard, just make modules to send log data to a syslog server, like amqp and elasticsearch (both great).

dpicollege avatar Dec 12 '16 08:12 dpicollege
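The thread asks for two things: shipping events to the Splunk HEC endpoint (the issue description) and, as a fallback, writing a flat key="value" line per event to disk so any forwarder can pick it up (the last comment). The Go program below is an added example illustrating both and is not code from the fibratus project or from anyone in this thread. It assumes a constructed `Event` type standing in for a kernel event; the `/services/collector/event` path, the `Authorization: Splunk <token>` header and the `{"time","host","sourcetype","event"}` envelope are the public HEC protocol, while the host name, token, sourcetype and sample field values are placeholders.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"sort"
	"strings"
	"time"
)

// Event is a constructed stand-in for a kernel event record (hypothetical;
// fibratus' own event type is not used here).
type Event struct {
	Time   time.Time
	Name   string            // event name, e.g. "CreateFile"
	Params map[string]string // event parameters, e.g. file, src_port
}

// hecEnvelope is the JSON shape accepted by the HEC /services/collector/event
// endpoint: the event payload plus optional metadata fields.
type hecEnvelope struct {
	Time       float64                `json:"time"`
	Host       string                 `json:"host,omitempty"`
	SourceType string                 `json:"sourcetype,omitempty"`
	Event      map[string]interface{} `json:"event"`
}

// EncodeHEC renders a batch of events as newline-delimited HEC envelopes,
// which HEC accepts in a single POST (one JSON object per line).
func EncodeHEC(host, sourceType string, events []Event) ([]byte, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	for _, e := range events {
		ev := map[string]interface{}{"name": e.Name}
		for k, v := range e.Params {
			ev[k] = v
		}
		env := hecEnvelope{
			// epoch seconds with a fractional part; split to keep nanosecond precision
			Time:       float64(e.Time.Unix()) + float64(e.Time.Nanosecond())/1e9,
			Host:       host,
			SourceType: sourceType,
			Event:      ev,
		}
		if err := enc.Encode(&env); err != nil {
			return nil, err
		}
	}
	return buf.Bytes(), nil
}

// EncodeLine renders one event in the flat key="value" line format proposed
// in the thread, suitable for appending to a text file. Keys are sorted for
// stable output and values are quoted/escaped so embedded quotes cannot break
// the line structure.
func EncodeLine(e Event) string {
	keys := make([]string, 0, len(e.Params))
	for k := range e.Params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var sb strings.Builder
	sb.WriteString(e.Time.UTC().Format("2006-01-02T15:04:05.000000"))
	sb.WriteString(fmt.Sprintf(" event=%q", e.Name))
	for _, k := range keys {
		sb.WriteString(fmt.Sprintf(", %s=%q", k, e.Params[k]))
	}
	return sb.String()
}

// ShipToHEC POSTs an encoded batch to a HEC endpoint. The token is sent as
// "Authorization: Splunk <token>"; HEC replies 200 on success and a non-200
// status (for example 403 on a bad token) otherwise.
func ShipToHEC(client *http.Client, hecURL, token string, payload []byte) (int, error) {
	req, err := http.NewRequest(http.MethodPost, hecURL, bytes.NewReader(payload))
	if err != nil {
		return 0, err
	}
	req.Header.Set("Authorization", "Splunk "+token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body) // drain so the connection can be reused
	if resp.StatusCode != http.StatusOK {
		return resp.StatusCode, fmt.Errorf("hec returned status %d", resp.StatusCode)
	}
	return resp.StatusCode, nil
}

func main() {
	// constructed sample event
	ev := Event{
		Time:   time.Date(2016, 12, 12, 3, 28, 50, 458945000, time.UTC),
		Name:   "CreateFile",
		Params: map[string]string{"file": "open.x", "src_port": "57410"},
	}
	fmt.Println(EncodeLine(ev))
	payload, _ := EncodeHEC("ws01", "fibratus:kevent", []Event{ev})
	fmt.Print(string(payload))
	// ShipToHEC(http.DefaultClient, "https://splunk.example:8088/services/collector/event", "<HEC-TOKEN>", payload)
}
```

Keep the HEC token out of the source and configuration files checked into version control, and send to the HEC listener over TLS (port 8088 by default), since the token alone authorises writes to the index.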