Added splunk installation guide

This commit is contained in:
Matthäus Wander
2021-06-06 16:35:07 +02:00
committed by Matthäus Wander
parent 0d680edd31
commit 837ba7ef4d


@@ -1,9 +1,53 @@
=================
Splunk dashboards
=================
===================
Splunk Installation
===================
Setup guide
-----------
Install Splunk for use with Docker
----------------------------------
Download latest Splunk image::
docker pull splunk/splunk:latest
Run Splunk with Docker
----------------------
Listen on all network interfaces::
docker run -d -p 8000:8000 -p 8088:8088 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=password1234" -e "SPLUNK_HEC_TOKEN=hec-token-1234" --name splunk splunk/splunk:latest
Listen on localhost for use with reverse proxy with base URL `/splunk`::
docker run -d -p 127.0.0.1:8000:8000 -p 127.0.0.1:8088:8088 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=password1234" -e "SPLUNK_HEC_TOKEN=hec-token-1234" -e "SPLUNK_ROOT_ENDPOINT=/splunk" --name splunk splunk/splunk:latest
Set up reverse proxy, e.g. Apache2::
ProxyPass /splunk http://127.0.0.1:8000/splunk
ProxyPassReverse /splunk http://127.0.0.1:8000/splunk
Splunk Configuration
--------------------
Access web UI at http://127.0.0.1:8000 and log in with `admin:password1234`.
Create App and Index
~~~~~~~~~~~~~~~~~~~~
- Settings > Data > Indexes: New Index
- Index name: "email"
- HEC token `hec-token-1234` should be already set up.
- Check under Settings > Data > Data inputs: HTTP Event Collector
- Apps > Manage Apps: Create app
- Name: "parsedmarc"
- Folder name: "parsedmarc"
Create Dashboards
~~~~~~~~~~~~~~~~~
1. Navigate to the app you want to add the dashboards to, or create a new app called DMARC
2. Click Dashboards
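Review bot: the two `docker run` lines bake the example credentials `SPLUNK_PASSWORD=password1234` and `SPLUNK_HEC_TOKEN=hec-token-1234` into copy-paste commands, and the first variant publishes both 8000 and 8088 on all interfaces, so a reader following the guide literally ends up with a network-reachable Splunk admin login and HEC endpoint protected by secrets printed in the documentation. Suggest saying explicitly that both values are placeholders to be replaced with generated random strings before running (for example `openssl rand -hex 16`), and pointing readers who only need the reverse-proxy setup at the 127.0.0.1-bound variant so nothing is exposed beyond the proxy. Minor RST point: single-backtick spans such as `admin:password1234`, `hec-token-1234` and `/splunk` are interpreted text, not literals; use double backticks for them.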
@@ -22,3 +66,22 @@ Setup guide
15. Paste the content of ''dmarc_forensic_dashboard.xml`` into the source editor
16. If the index storing the DMARC data is not named email, replace index="email" accordingly
17. Click Save
==============
Example Config
==============
parsedmarc.ini::
[splunk_hec]
url = https://127.0.0.1:8088/
token = hec-token-1234
index = email
skip_certificate_verification = True
Note that `skip_certificate_verification = True` disables security checks.
Run parsedmarc::
python3 -m parsedmarc.cli -c parsedmarc.ini
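Review bot: the inline literal on the first line of this hunk is malformed, `''dmarc_forensic_dashboard.xml``` opens with two apostrophes and closes with two backticks, so it will not render as a literal; it should be ``dmarc_forensic_dashboard.xml``. In the example config, `skip_certificate_verification = True` is presented as the default with only a one-line caveat; since the guide runs HEC over HTTPS on the Splunk container's self-signed certificate, it would be better to show the setting commented out or set to False, describe the alternative (install a certificate parsedmarc trusts, or trust the Splunk CA on the parsedmarc host), and reserve the insecure flag for a local test setup. Also worth a sentence: parsedmarc.ini now holds the HEC token and should be given restrictive file permissions.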