amorfo77/parsedmarc
1
0
Fork 0
mirror of https://github.com/domainaware/parsedmarc.git synced 2026-03-22 06:22:46 +00:00
Code Issues Projects Releases Wiki Activity
Files
eedc4f5916bea4e176745cf60879ec09d508d8ca
parsedmarc/splunk/README.rst
copilot-swe-agent[bot] a625115cbf Rename "forensic" to "failure" in docs and dashboard configs 
Update documentation files (output.md, usage.md, kibana.md, splunk.md,
elasticsearch.md, index.md, example.ini) and dashboard configurations
(Grafana JSON, Kibana ndjson, Splunk XML) to use "failure" terminology
instead of "forensic", consistent with the codebase rename.

- CLI args: --forensic-* → --failure-*
- Config keys: save_forensic → save_failure, forensic_topic → failure_topic, etc.
- Index names: dmarc_forensic → dmarc_failure
- Splunk dashboard: renamed file from dmarc_forensic_dashboard.xml to dmarc_failure_dashboard.xml
- Backward-compat note preserved: "formerly known as forensic reports"

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-21 17:05:31 -04:00

88 lines
2.5 KiB
ReStructuredText
Raw Blame History

===================
Splunk Installation
===================
Install Splunk for use with Docker
----------------------------------
Download latest Splunk image::
docker pull splunk/splunk:latest
Run Splunk with Docker
----------------------
Listen on all network interfaces::
docker run -d -p 8000:8000 -p 8088:8088 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=password1234" -e "SPLUNK_HEC_TOKEN=hec-token-1234" --name splunk splunk/splunk:latest
Listen on localhost for use with reverse proxy with base URL ``/splunk``::
docker run -d -p 127.0.0.1:8000:8000 -p 127.0.0.1:8088:8088 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=password1234" -e "SPLUNK_HEC_TOKEN=hec-token-1234" -e "SPLUNK_ROOT_ENDPOINT=/splunk" --name splunk splunk/splunk:latest
Set up reverse proxy, e.g. Apache2::
ProxyPass /splunk http://127.0.0.1:8000/splunk
ProxyPassReverse /splunk http://127.0.0.1:8000/splunk
Splunk Configuration
--------------------
Access web UI at http://127.0.0.1:8000 and log in with ``admin:password1234``.
Create App and Index
~~~~~~~~~~~~~~~~~~~~
- Settings > Data > Indexes: New Index
- Index name: "email"
- HEC token ``hec-token-1234`` should be already set up.
- Check under Settings > Data > Data inputs: HTTP Event Collector
- Apps > Manage Apps: Create app
- Name: "parsedmarc"
- Folder name: "parsedmarc"
Create Dashboards
~~~~~~~~~~~~~~~~~
1. Navigate to the app you want to add the dashboards to, or create a new app called DMARC
2. Click Dashboards
3. Click Create New Dashboard
4. Use a descriptive title, such as "Aggregate DMARC Data"
5. Click Create Dashboard
6. Click on the Source button
7. Paste the content of ''dmarc_aggregate_dashboard.xml`` into the source editor
8. If the index storing the DMARC data is not named email, replace index="email" accordingly
9. Click Save
10. Click Dashboards
11. Click Create New Dashboard
12. Use a descriptive title, such as "Failure DMARC Data"
13. Click Create Dashboard
14. Click on the Source button
15. Paste the content of ''dmarc_failure_dashboard.xml`` into the source editor
16. If the index storing the DMARC data is not named email, replace index="email" accordingly
17. Click Save
==============
Example Config
==============
parsedmarc.ini::
[splunk_hec]
url = https://127.0.0.1:8088/
token = hec-token-1234
index = email
skip_certificate_verification = True
Note that ``skip_certificate_verification = True`` disables security checks.
Run parsedmarc::
python3 -m parsedmarc.cli -c parsedmarc.ini
Reference in New Issue View Git Blame Copy Permalink