Best way to collect logs from the hub?

It brings me great pleasure to announce that I have used Brian Keifer’s code and successfully created a Splunk event logger.

What is needed in order for this to work?

You will need to enable the HTTP Event Collector in Splunk. How do you do this?
Go here for direction

If for some reason you don’t see it in your inputs section, you’ll need to disable the dbx app.

To do this, SSH into your Splunk server (assuming it’s on Linux; Windows should be the same process), go to ${splunk_home}/etc/apps, move the dbx app somewhere else, then restart your Splunk server.

Once you are done with that, install the app and publish it.

Fill out the variables with your Splunk URL, port and token. Keep in mind that this traffic is going to be coming from the ST servers directly, so you will need to open up a port on your firewall to accept the traffic in from ST.

BTW, does anyone know what the ST subnet(s) are? I’d like to restrict my firewall to their source only. Looking in my logs at where the traffic is coming from, it seems to be coming from several different IPs; some start with 54 while others start with 24.

Anyway, we finally have a Splunk logger for all of us.

What needs to be completed? The last value in the JSON should be the time, and Splunk wants the time to be in epoch format. With ST I can use the now() function for the time, but then I get some Java errors in the logs and everything just breaks, so for now I have left it off and Splunk seems to be happy with it. Most importantly, enjoy!

Brian, if you want me to write up my own app completely and not piggyback off of yours, please let me know. Thanks.

Edit: In case you missed the link to the code up above, it’s right here.

Edit 2: It now has the ability to send your logs directly to your Splunk server on the LAN, or if you’re using Splunk Cloud you can still send them remotely too.
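As an added illustration of the two points above (the HTTP Event Collector token and the epoch-format time field), here is a small Python helper that builds and validates a HEC event payload. This is example code written for this post, not Brian Keifer’s app or the SmartThings code; the device event and timestamps are constructed sample values, and the `/services/collector/event` path, the `Authorization: Splunk <token>` header and the top-level `time` field in epoch seconds are the standard HEC conventions.

```python
"""Build and validate a Splunk HTTP Event Collector (HEC) payload.

Added example (not from the original post). Assumes a hypothetical
SmartThings-style device event dict; all sample values are constructed.
"""
import json
import time
import urllib.request
from datetime import datetime, timezone

HEC_PATH = "/services/collector/event"  # standard HEC JSON endpoint


def to_epoch(value):
    """Normalise a timestamp into epoch seconds as a float, which HEC expects.

    Accepts a number (already epoch), an ISO-8601 string, or None (meaning now).
    """
    if value is None:
        return time.time()
    if isinstance(value, (int, float)):
        return float(value)
    # ISO-8601 such as "2021-03-04T12:34:56Z"; a trailing Z means UTC
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()


def build_hec_event(device_event, host="smartthings", source="smartthings",
                    sourcetype="_json", when=None):
    """Wrap a device event in the HEC envelope with an epoch 'time' field."""
    return {
        "time": round(to_epoch(when), 3),  # epoch seconds, millisecond precision
        "host": host,
        "source": source,
        "sourcetype": sourcetype,
        "event": device_event,
    }


def validate_hec_event(payload):
    """Return a list of problems with the payload; an empty list means OK.

    The common mistake is sending 'time' as a formatted string rather than
    epoch seconds; HEC will reject or mis-stamp such events.
    """
    problems = []
    if "event" not in payload:
        problems.append("missing 'event' field")
    t = payload.get("time")
    if t is not None and not isinstance(t, (int, float)):
        problems.append("'time' must be epoch seconds, got %s" % type(t).__name__)
    return problems


def hec_request(base_url, token, payload):
    """Build (but do not send) the POST request for the collector endpoint."""
    data = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + HEC_PATH,
        data=data,
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
        method="POST",
    )


if __name__ == "__main__":
    # Constructed sample event; the URL and token are placeholders.
    sample = {"deviceName": "Front Door", "name": "contact", "value": "open"}
    payload = build_hec_event(sample, when="2021-03-04T12:34:56Z")
    print(json.dumps(payload, indent=2))
    print("problems:", validate_hec_event(payload))
    req = hec_request("https://splunk.example:8088", "PLACEHOLDER-HEC-TOKEN", payload)
    print(req.get_method(), req.full_url)
    # To actually send: urllib.request.urlopen(req, timeout=10)
```

The validator is there to catch the exact failure described in the post: a `time` value that is a string (for example an ISO date) instead of epoch seconds. Keep the HEC token out of source control and restrict the listening port on the firewall to the expected source addresses.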
