Output to Splunk Stream (DSP)
tccontre edited this page Nov 23, 2021 · 28 revisions
The attack_range can be configured to forward every event indexed by the Splunk search head to a set of Splunk DSP nodes. You will need:
- a DSP cluster with nodes listening on port 9997 that the attack_range network can reach (the port must be the one your DSP Forwarders service actually listens on, so verify it before building)
- a forwarder client key pair (example: `my_forwarder-keys.pem`). Find more information on how to generate a forwarder client certificate here: https://docs.splunk.com/Documentation/DSP/1.1.0/Data/Forwarder#Generate_a_client_certificate_for_the_DSP_Forwarders_service
#### 1. Generate your Certificate
The first step is to generate a forwarder client key pair certificate (example: `my_forwarder-keys.pem`). Find more information on how to generate a forwarder client certificate here: https://docs.splunk.com/Documentation/DSP/1.1.0/Data/Forwarder#Generate_a_client_certificate_for_the_DSP_Forwarders_service
#### 2. Configure DSP in attack_range.conf
To configure DSP in the attack_range, edit the following parameters in attack_range.conf:
- set `install_dsp = 1` to enable DSP output
- set `dsp_node = <ip_of_node1>,<ip_of_node2>,<ip_of_nodex>` to list the DSP nodes to forward data to
- set `dsp_client_cert_path` to the path and file name, relative to the attack_range folder, of the certificate generated in step 1. For example `dsp_client_cert_path = dsp-client-cert.pem` when the file is at attack_range/dsp-client-cert.pem
Example configuration section:
```ini
[dsp]
install_dsp = 1
# specify whether to enable DSP output in Splunk or not
dsp_client_cert_path = attack_range-keys.pem
# specify the certificate path for the DSP client. A certificate must be generated using the following instructions:
# https://docs.splunk.com/Documentation/DSP/1.1.0/Data/Forwarder#Configure_your_forwarder_to_use_the_client_certificate
# specifically the path to the generated my_forwarder-keys.pem
dsp_node = 54.202.x.x,54.186.x.x
# specify a comma delimited list of DSP nodes to forward data to.
# Please verify that your attack_range network can connect to port 30001
```
Note that `dsp_node` takes bare IP addresses, and the `x.x` values above are placeholders to be replaced with real addresses. The comment mentions port 30001 while the outputs.conf that the build writes targets port 9997; whichever port your DSP Forwarders service listens on is the one the attack_range network must be able to reach, so check both before building.
#### 3. Build the attack_range
Then build the attack_range as usual. To get data to DSP, the build simply places an outputs.conf file on the Splunk server, inside an app named dsp_outputs_app, configured to send data to the DSP nodes over TLS using the client certificate from step 1. Here is an example once deployed:
```ini
/opt/splunk/etc/apps/dsp_outputs_app$ cat local/outputs.conf
[tcpout]
defaultGroup=dsp

[tcpout:dsp]
server=54.201.x.x:9997,54.202.x.x:9997
clientCert=/opt/splunk/etc/apps/dsp_outputs_app/client.pem
sslVerifyServerCert=false
useACK=true
indexAndForward = true
```
A few points worth checking on the deployed file:
- `server=` is a comma-separated list of `node:port` pairs with no trailing comma; each entry must match a node from `dsp_node` and the port the DSP Forwarders service listens on.
- `clientCert` is the key pair from step 1, copied into the app as client.pem. This is how DSP authenticates the forwarder, so keep the file readable only by the splunk user.
- `sslVerifyServerCert=false` means the forwarder does not verify the DSP nodes' certificate: the connection authenticates the client but not the server, so an attacker on the path between the attack_range and DSP could impersonate a node. On any network you do not fully control, set it to `true` and point `sslRootCAPath` at the CA that issued the DSP nodes' certificates.
- `useACK=true` makes the forwarder wait for acknowledgement before discarding data, and `indexAndForward = true` keeps a local copy on the attack_range search head in addition to forwarding.
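The mapping between the `[dsp]` section of attack_range.conf and the deployed outputs.conf is straightforward but easy to get wrong (placeholder IPs left in, a trailing comma in `server=`, or `sslVerifyServerCert` flipped to true without a CA to verify against). The script below is an added example, not part of attack_range or Splunk; it parses a constructed `[dsp]` section with made-up node IPs, rejects placeholders, and renders the same stanzas the build writes. The `DSP_PORT`, `APP_CERT_PATH` and `sslRootCAPath` handling for the hardened variant are assumptions for illustration.

```python
"""Render the outputs.conf that ties attack_range.conf's [dsp] section to the DSP nodes."""
import configparser
import ipaddress
from typing import Dict, List

# Constructed sample [dsp] section (not the project's attack_range.conf); node IPs are made up.
SAMPLE_ATTACK_RANGE_CONF = """
[dsp]
install_dsp = 1
# specify whether to enable DSP output in Splunk or not
dsp_client_cert_path = attack_range-keys.pem
dsp_node = 54.202.10.11, 54.186.20.22
"""

# Assumed: the port used by the deployed outputs.conf above; verify it against your DSP Forwarders service.
DSP_PORT = 9997
# Assumed: where the build drops the client certificate inside the Splunk app.
APP_CERT_PATH = "/opt/splunk/etc/apps/dsp_outputs_app/client.pem"


def parse_dsp_section(text: str) -> Dict[str, object]:
    """Read install_dsp, dsp_client_cert_path and dsp_node from an attack_range.conf body."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if not cp.has_section("dsp"):
        raise ValueError("attack_range.conf has no [dsp] section")
    dsp = cp["dsp"]
    nodes = [n.strip() for n in dsp.get("dsp_node", "").split(",") if n.strip()]
    return {
        "install_dsp": dsp.getint("install_dsp", fallback=0) == 1,
        "cert_path": dsp.get("dsp_client_cert_path", "").strip(),
        "nodes": nodes,
    }


def validate_nodes(nodes: List[str]) -> List[str]:
    """Reject placeholders such as 54.202.x.x before they reach outputs.conf."""
    if not nodes:
        raise ValueError("dsp_node is empty")
    for n in nodes:
        ipaddress.ip_address(n)  # raises ValueError on anything that is not a literal IP
    return nodes


def render_outputs_conf(nodes: List[str], client_cert: str = APP_CERT_PATH,
                        port: int = DSP_PORT, verify_server: bool = False,
                        root_ca_path: str = "") -> str:
    """Build the [tcpout] stanzas in the same shape as the deployed file.

    verify_server=False reproduces the page's sslVerifyServerCert=false; with
    verify_server=True the CA that issued the DSP nodes' certificate must be
    supplied through root_ca_path so the forwarder can actually verify them.
    """
    if verify_server and not root_ca_path:
        raise ValueError("sslVerifyServerCert=true needs sslRootCAPath")
    server = ",".join(f"{n}:{port}" for n in validate_nodes(nodes))  # no trailing comma
    lines = [
        "[tcpout]",
        "defaultGroup=dsp",
        "",
        "[tcpout:dsp]",
        f"server={server}",
        f"clientCert={client_cert}",
        f"sslVerifyServerCert={'true' if verify_server else 'false'}",
    ]
    if verify_server:
        lines.append(f"sslRootCAPath={root_ca_path}")
    lines += ["useACK=true", "indexAndForward = true"]
    return "\n".join(lines) + "\n"


def outputs_conf_from_attack_range(text: str, **kwargs) -> str:
    """End to end: parse the [dsp] section and render outputs.conf, or '' when DSP is disabled."""
    cfg = parse_dsp_section(text)
    if not cfg["install_dsp"]:
        return ""
    return render_outputs_conf(cfg["nodes"], **kwargs)


if __name__ == "__main__":
    print(outputs_conf_from_attack_range(SAMPLE_ATTACK_RANGE_CONF), end="")
```

Running it prints the same stanzas as the deployed file with the sample IPs filled in; pass `verify_server=True` together with `root_ca_path` to emit the hardened variant that verifies the DSP nodes' certificate.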