Splunk Integration

Splunk Interface Guide

Heimdall© can sync with Splunk indices as data sources.

Login via Heimdall©

Accessing a Splunk instance from Heimdall© requires the input of the following information:

  • username: A qualified username recognized by the referenced Splunk instance.
  • password: A qualified password recognized by the referenced Splunk instance.
  • hostname: The address of the Splunk instance's management (REST) interface, including the scheme and port where applicable. The default management port is 8089, so for the container set up later on this page the value is https://localhost:8089.
  • index: A valid index name within the referenced Splunk instance. See section 'Splunk Indexes' for more details

An example of a valid login request in Heimdall© is shown in the original page as a screenshot of the login form (image not reproduced here).

Splunk Set Up

The default configuration of a Splunk instance truncates large events, limits the number of extracted fields and does not allow cross-origin requests from the browser, which can result in data loss or interfacing errors when communicating with Heimdall©. It is highly recommended to change these defaults as specified in the default.yml of the Splunk Docker Image section below.

To use a Splunk Docker Image for the purpose of testing the interface, reference the instructions provided in the Splunk Docker Image section.

Splunk Data

The Splunk platform accepts any type of data. In particular, it works with all IT streaming and historical data. The source of the data can be event logs, web logs, live application logs, network feeds, system metrics, change monitoring, message queues, archive files, and so on.

Splunk Indexes

An index in Splunk serves as a repository for data. When raw data is added to Splunk, it indexes the data (i.e., uses the data to update its indexes) and creates events for later reference.

For uploading or downloading data, Heimdall© can only interface with Splunk by interacting with valid user-specified indexes. It is recommended to use a dedicated index (e.g., hdf) specifically for HDF files for easier data management.

To create an index using the Splunk GUI:

  1. Go to Settings
  2. Go to Indexes
  3. Press the New Index button
  4. Fill out the fields for your new index
  5. Press the Save button
  6. Your new index should now appear in the index list
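The same dedicated index can be created without the GUI through Splunk's REST API. The script below is an added example and is not code from the Heimdall2 project. It assumes SPLUNK_HOST (for example https://localhost:8089), SPLUNK_USER and SPLUNK_PASSWORD environment variables (names chosen here, not from the page), uses the /services/data/indexes endpoint, and validates the name against Splunk's index-naming rules first so that a bad name fails locally instead of with an opaque HTTP error.

```shell
#!/usr/bin/env bash
# Added example (not part of the Heimdall2 project): create a dedicated HDF
# index through the Splunk REST API instead of the Settings > Indexes GUI.
# Assumed environment (not from the page): SPLUNK_HOST, SPLUNK_USER and
# SPLUNK_PASSWORD. curl -k is used because the management port ships with a
# self-signed certificate by default.
set -eu
export LC_ALL=C   # ASCII-only matching for the character class below

# Splunk index-name rules: only digits, lowercase letters, underscores and
# hyphens; must not begin with an underscore or hyphen; must not contain "kvstore".
valid_index_name() {
  case "$1" in
    '')            return 1 ;;   # empty
    _*|-*)         return 1 ;;   # bad leading character
    *kvstore*)     return 1 ;;   # reserved word
    *[!a-z0-9_-]*) return 1 ;;   # illegal character (uppercase, dot, space, ...)
  esac
  return 0
}

# Prints the HTTP status of GET /services/data/indexes/<name>:
# 200 if the index exists, 404 if it does not.
index_status() {
  curl -sS -k -o /dev/null -w '%{http_code}' \
    -u "${SPLUNK_USER}:${SPLUNK_PASSWORD}" \
    "${SPLUNK_HOST}/services/data/indexes/$1"
}

# Creates the index unless it already exists; prints the JSON entry on success.
create_index() {
  local name="$1"
  if ! valid_index_name "$name"; then
    echo "invalid index name: '$name'" >&2
    return 1
  fi
  if [ "$(index_status "$name")" = "200" ]; then
    echo "index '$name' already exists" >&2
    return 0
  fi
  curl -sS -k -f -u "${SPLUNK_USER}:${SPLUNK_PASSWORD}" \
    "${SPLUNK_HOST}/services/data/indexes" \
    -d "name=${name}" -d 'output_mode=json'
}

# Only talk to Splunk when a host has actually been configured;
# the index name defaults to "hdf" as recommended above.
if [ -n "${SPLUNK_HOST:-}" ]; then
  create_index "${1:-hdf}"
fi
```

Run it as `SPLUNK_HOST=https://localhost:8089 SPLUNK_USER=admin SPLUNK_PASSWORD='...' ./create-index.sh hdf`; the existence check makes it safe to re-run.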

Splunk Docker Image

These instructions are for creating a Splunk Docker Container and connecting to Heimdall Lite© for interface testing.

Set Up Heimdall Lite© and the Splunk Enterprise Container

To install and run Heimdall Lite© in Development Mode, follow these steps:

  • Step 1. Retrieve the repository from GitHub using the following command:
git clone https://github.com/mitre/heimdall2
  • Step 2. Navigate to the Heimdall2 repository directory and run the following command to install the necessary packages:
yarn install
  • Step 3. Use the following command in the Heimdall2 directory to start up Development Mode:
yarn start:dev

Install Docker.

To set up and run a Splunk Enterprise container follow these steps:

Step 1. Pull the latest official Splunk Enterprise image using the following command:

docker pull splunk/splunk:latest

Step 2. Create a default.yml file with the following content. These settings raise Splunk's field-extraction and event-size limits so that large HDF JSON events are neither truncated nor split, and enable CORS on the management port so that Heimdall Lite©, running in the browser, is allowed to call the REST API of the generated Splunk Enterprise container.

splunk:
  conf:
    - key: limits
      value:
        directory: /opt/splunk/etc/system/default
        content:
          kv:
            limit: 10000000
            maxchars: 1000000
    - key: props
      value:
        directory: /opt/splunk/etc/system/default
        content:
          HDF2Splunk:
            SHOULD_LINEMERGE: false
            EVENT_BREAKER_ENABLE: true
            EVENT_BREAKER: ([\n]+)
            TRUNCATE: 0
    - key: server
      value:
        directory: /opt/splunk/etc/system/default
        content:
          httpServer:
            crossOriginSharingPolicy: "*"
            crossOriginSharingHeaders: "*"
            disabled: 0

NOTE: The default.yml content is applied to the Splunk configuration files when the container starts. Each key: entry names the configuration file to modify (limits for limits.conf, props for props.conf, server for server.conf), directory: gives the directory that file lives in, and content: holds the stanzas and settings to write. Be aware that crossOriginSharingPolicy: "*" lets any web origin call the management port; that is acceptable for a throwaway local test container, but on any instance reachable beyond your own machine replace "*" with the origin Heimdall is actually served from (for example http://localhost:8080 for the development server used later on this page).

Step 3. Create a Splunk Enterprise container using the following command, replace <PASSWORD> with a Splunk Enterprise compliant password and specify the path to the default.yml file.

  • OSX/Linux:
sudo docker run -d -p 8000:8000 -p 8089:8089 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<PASSWORD>' -v '/ENTER/PATH/TO/default.yml:/tmp/defaults/default.yml' splunk/splunk:latest
  • Windows:
docker run -d -p 8000:8000 -p 8089:8089 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=<PASSWORD>" -v "ENTER\PATH\TO\default.yml:/tmp/defaults/default.yml" splunk/splunk:latest

-d runs the container detached, i.e. in the background, and returns the shell prompt immediately (it does not start the Docker daemon; that must already be running).

-p 8000:8000 -p 8089:8089 publishes the host's 8000 and 8089 ports to the container's 8000 (web interface) and 8089 (management/REST API) ports respectively. Note that this binds both ports on all host interfaces; to keep the test instance off the network, bind them to loopback instead (for example -p 127.0.0.1:8089:8089).

-e 'SPLUNK_START_ARGS=--accept-license' accepts the license agreement. This must be accepted to start up the container.

-e 'SPLUNK_PASSWORD=<PASSWORD>' sets the password for the admin user.

-v mounts a host file or directory into the container (absolute paths are required). %cd% (Windows) or $PWD (OSX/Linux) can be used to refer to the current directory. In the given example '/ENTER/PATH/TO/default.yml:/tmp/defaults/default.yml' mounts the default.yml file into the container, which then adjusts its configuration files according to the settings in default.yml.

Step 4. Docker should now be starting up the container. Use the command docker ps to check the status of the container. When the container's status is healthy, it is ready to use.

Step 5. Access http://localhost:8000 and https://localhost:8089 to ensure that the Splunk Enterprise container is accessible from your host ports. The management port uses a self-signed certificate by default, so expect a certificate warning in the browser (and use curl -k from the shell). Log in on http://localhost:8000 to access the Splunk Enterprise web interface.
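Steps 2 to 5 can be scripted for OSX/Linux. The script below is an added example, not code from the Heimdall2 project. It writes the same default.yml as above with one hardening change, the CORS origin list is limited to the Heimdall Lite© development origin http://localhost:8080 (used later on this page) instead of "*", then runs the container from Step 3, waits for Docker's health check from Step 4 and probes the two host ports from Step 5. The container name splunk-hdf and the HEIMDALL_ORIGIN, CONTAINER and SPLUNK_PASSWORD variables are assumptions made here, not part of the page.

```shell
#!/usr/bin/env bash
# Added example (not part of the Heimdall2 project): scripted Steps 2-5 for
# OSX/Linux, with CORS on the management port restricted to the Heimdall Lite
# dev origin instead of "*". Assumptions not on the page: the container name
# "splunk-hdf" and the HEIMDALL_ORIGIN / CONTAINER / SPLUNK_PASSWORD variables.
set -eu

HEIMDALL_ORIGIN="${HEIMDALL_ORIGIN:-http://localhost:8080}"
CONTAINER="${CONTAINER:-splunk-hdf}"

# Writes the page's default.yml to $1, with crossOriginSharingPolicy set to $2.
# Everything else (limits, props for the HDF2Splunk sourcetype) is unchanged.
write_default_yml() {
  local path="$1" origin="$2"
  cat > "$path" <<EOF
splunk:
  conf:
    - key: limits
      value:
        directory: /opt/splunk/etc/system/default
        content:
          kv:
            limit: 10000000
            maxchars: 1000000
    - key: props
      value:
        directory: /opt/splunk/etc/system/default
        content:
          HDF2Splunk:
            SHOULD_LINEMERGE: false
            EVENT_BREAKER_ENABLE: true
            EVENT_BREAKER: ([\n]+)
            TRUNCATE: 0
    - key: server
      value:
        directory: /opt/splunk/etc/system/default
        content:
          httpServer:
            crossOriginSharingPolicy: "${origin}"
            crossOriginSharingHeaders: "*"
            disabled: 0
EOF
}

# Step 3: run the container, publishing the web (8000) and management (8089)
# ports. The bind mount needs an absolute path, so resolve it portably.
start_splunk() {
  local yml="$1" abs
  abs="$(cd "$(dirname "$yml")" && pwd)/$(basename "$yml")"
  docker run -d --name "$CONTAINER" -p 8000:8000 -p 8089:8089 \
    -e 'SPLUNK_START_ARGS=--accept-license' \
    -e "SPLUNK_PASSWORD=${SPLUNK_PASSWORD}" \
    -v "${abs}:/tmp/defaults/default.yml" \
    splunk/splunk:latest
}

# Step 4: return 0 once Docker's health check reports "healthy", 1 on timeout.
wait_healthy() {
  local name="$1" timeout="${2:-300}" status
  while [ "$timeout" -gt 0 ]; do
    status="$(docker inspect --format '{{.State.Health.Status}}' "$name" 2>/dev/null || echo starting)"
    [ "$status" = "healthy" ] && return 0
    sleep 5
    timeout=$((timeout - 5))
  done
  return 1
}

# Step 5 from the shell: web UI and REST API must answer on the host ports
# (-k because the management port uses a self-signed certificate).
check_ports() {
  curl -sS -o /dev/null -w 'web  http://localhost:8000  -> HTTP %{http_code}\n' http://localhost:8000/
  curl -sS -k -o /dev/null -w 'rest https://localhost:8089 -> HTTP %{http_code}\n' https://localhost:8089/services/server/info
}

# Only act when a password has been supplied, so sourcing the file is harmless.
if [ -n "${SPLUNK_PASSWORD:-}" ]; then
  write_default_yml ./default.yml "$HEIMDALL_ORIGIN"
  start_splunk ./default.yml
  wait_healthy "$CONTAINER" 300
  check_ports
fi
```

Run it with `SPLUNK_PASSWORD='<PASSWORD>' ./splunk-up.sh`; the Windows variant of the docker run command from Step 3 is unchanged apart from the path syntax. Keeping the origin in a variable is what makes the CORS setting reviewable: if Heimdall is later served from another host, that host is the only value that needs to change.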


Connecting Heimdall Lite© to the Splunk Enterprise Container

Disable the browser's CORS enforcement for this test only. With Google Chrome this is done by opening a separate, throwaway profile with web security disabled using one of the following commands. Current Chrome builds ignore --disable-web-security unless a non-default --user-data-dir is also given, so always pass both, and do not use that profile for ordinary browsing:

  • Windows:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-gpu --user-data-dir=%LOCALAPPDATA%\Google\chromeTemp
  • OSX:
open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_test" --disable-web-security
  • Linux:
google-chrome --disable-web-security --user-data-dir=/tmp/chrome_dev_test

Access Heimdall Lite© by going to localhost:8080. Click on the Splunk tab on the left of the interface.

Enter your credentials for the Splunk Enterprise container. Unless you are specifically targeting a certain user, use: username admin, password set in the previous section, and hostname https://localhost:8089.

Heimdall Lite© should now connect and display the contents of the Splunk container.

NOTE: If you receive the error "Login timed out. Please check your CORS configuration or validate you have inputted the correct domain", you most likely have a CORS problem. Ensure that CORS enforcement is disabled in your browser, that the hostname points at the management port (https://localhost:8089, not the web port 8000), or recreate your Splunk container using the provided default.yml.
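Whether the container will actually serve the Heimdall Lite© origin can be checked from the shell before involving the browser, which separates a Splunk-side CORS misconfiguration from a browser-side one. The script below is an added example, not code from the Heimdall2 project. It sends the REST API an authenticated request carrying the same Origin header the browser would send and inspects the Access-Control-Allow-Origin header of the reply; the parsing is kept in a pure function that is exercised here on constructed header blocks. SPLUNK_HOST, SPLUNK_USER and SPLUNK_PASSWORD are assumed variable names, and http://localhost:8080 is the development origin used above.

```shell
#!/usr/bin/env bash
# Added example (not part of the Heimdall2 project): diagnose the
# "Login timed out" error by asking the Splunk management port whether it
# will serve the Heimdall Lite origin. Assumptions not on the page:
# SPLUNK_HOST / SPLUNK_USER / SPLUNK_PASSWORD variables.
set -eu

# Pure check on a block of HTTP response headers ($1): does the last
# Access-Control-Allow-Origin header allow origin $2? An exact match or the
# wildcard "*" (what the page's default.yml produces) both count as allowed.
cors_allows_origin() {
  local headers="$1" origin="$2" value
  value="$(printf '%s\n' "$headers" | tr -d '\r' \
           | awk 'tolower($1) == "access-control-allow-origin:" { print $2 }' \
           | tail -n 1)"
  [ "$value" = "*" ] || [ "$value" = "$origin" ]
}

# Fetches only the response headers (-D -) of an authenticated GET that carries
# an Origin header, i.e. the request Heimdall Lite makes from the browser.
fetch_cors_headers() {
  curl -sS -k -D - -o /dev/null \
    -u "${SPLUNK_USER}:${SPLUNK_PASSWORD}" \
    -H "Origin: $1" \
    "${SPLUNK_HOST}/services/server/info"
}

# Only contact Splunk when a host has been configured.
if [ -n "${SPLUNK_HOST:-}" ]; then
  origin="${1:-http://localhost:8080}"
  if cors_allows_origin "$(fetch_cors_headers "$origin")" "$origin"; then
    echo "CORS ok: ${SPLUNK_HOST} allows ${origin}"
  else
    echo "CORS missing for ${origin}: recreate the container with the crossOriginSharingPolicy setting from default.yml" >&2
    exit 1
  fi
fi
```

If this reports the origin as allowed but Heimdall Lite© still times out, the problem is on the browser side (the CORS-disabled profile was not used) or in the hostname entered; if it reports the origin as missing, no browser setting will help and the container must be recreated with the default.yml settings.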


Copyright © 1997-2026, The MITRE Corporation. All rights reserved.

MITRE is a registered trademark of The MITRE Corporation. Material on this site may be copied and distributed with permission only.