Splunk

OpenBSD does not provide many good options for shipping logs to a remote destination. Well known solutions like Fluentd, fluent-bit, Cribl, etc are just not (yet) available :( In this blog post I describe how I’m shipping Zeeks logs from my firewall using Rsyslog into my logging infrastructure which currently consists of Cribl and Splunk running on Linux VM’s. Enable JSON logging in Zeek The default TSV logging format of Zeek is fine when working with the logs locally with tools like cat, grep and zeek-cut. But when forwarding logs to a SIEM I prefer to use the JSON format. To make Zeek create logs in JSON you have to load the json-logs module in the site local configuration. ...

Sometimes you just need a quick solution for having a custom form in a Splunk dashboard. So this short blogpost will showcase how to create the HTML form and custom submit button using Javascript. ...

Sometimes you need to have multiple time widgets in a single Splunk dashboard, the scenario I encountered was for a global SOC operation. The solution provided here handles displaying local time using just a timezone parameter. As a bonus; it automatically handles daylight time savings too :-) ...

I needed to on-board the Linux system logs of all my homelab systems into Splunk. Apparantly I haven’t been paying attention… but only now I noticed that in EL8 (CentOS in my case) rsyslog is not even installed by default. So that prompted me to finally take a closer look into journald, this resulted in a very simple Splunk TA that can be deployed to any Splunk instance to ingest the journald logs. ...