
Heimdall Interface Connections

George M. Dias edited this page May 31, 2023 · 24 revisions

Splunk

Instruction

These instructions describe how to create a Splunk Enterprise Docker container and connect a Heimdall Lite instance to it for testing the interface.

Set Up Heimdall Lite

  1. To install and run Heimdall Lite in Development Mode, follow these steps:

    • Step 1. Retrieve the repository from GitHub using the following command:
      git clone https://github.com/mitre/heimdall2
      
    • Step 2. Navigate to the Heimdall2 repository directory and run the following command to install the necessary packages:
      yarn install
      
    • Step 3. Use the following command in the Heimdall2 directory to start up 'Development Mode':
      yarn start:dev
      

    NOTE: refer here for more detailed instructions.

  2. Install Docker.

  3. To set up and run a Splunk Enterprise container follow these steps:

    • Step 1. Pull the latest official Splunk Enterprise image using the following command:

      docker pull splunk/splunk:latest
      
    • Step 2. Create a default.yml file with the following content. These custom settings allow the generated Splunk Enterprise container to accept connections from the Heimdall instances.

      splunk:
        conf:
          # limits.conf [kv] stanza: raise the field-extraction limits so large HDF events are not cut off
          - key: limits
            value:
              directory: /opt/splunk/etc/system/default
              content:
                kv:
                  limit: 10000000
                  maxchars: 1000000
          # props.conf [HDF2Splunk] sourcetype stanza: break events on newlines only and never truncate them
          - key: props
            value:
              directory: /opt/splunk/etc/system/default
              content:
                HDF2Splunk:
                  SHOULD_LINEMERGE: false
                  EVENT_BREAKER_ENABLE: true
                  EVENT_BREAKER: ([\n]+)
                  TRUNCATE: 0
          # server.conf [httpServer] stanza: let splunkd answer cross-origin requests from the browser-based Heimdall Lite
          - key: server
            value:
              directory: /opt/splunk/etc/system/default
              content:
                httpServer:
                  crossOriginSharingPolicy: "*"
                  crossOriginSharingHeaders: "*"
                  disabled: 0
      
    • Step 3. Create a Splunk Enterprise container using the following command. Replace <PASSWORD> with a password that meets the Splunk Enterprise password requirements, and specify the absolute path to the default.yml file.

      • OSX/Linux:
        sudo docker run -d -p 8000:8000 -p 8089:8089 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<PASSWORD>' -v '/ABSOLUTE/PATH/TO/default.yml:/tmp/defaults/default.yml' splunk/splunk:latest
        
      • Windows:
        docker run -d -p 8000:8000 -p 8089:8089 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<PASSWORD>' -v '\ABSOLUTE\PATH\TO\default.yml:/tmp/defaults/default.yml' splunk/splunk:latest
        

      Command breakdown:

      • -p 8000:8000 -p 8089:8089 maps the host's ports 8000 and 8089 to the container's port 8000 (web frontend) and port 8089 (REST API), respectively.

      • -e 'SPLUNK_START_ARGS=--accept-license' accepts the license agreement. This must be accepted to start up the container.

      • -e 'SPLUNK_PASSWORD=<PASSWORD>' sets the password for the admin user.

      • -v '/ABSOLUTE/PATH/TO/default.yml:/tmp/defaults/default.yml' mounts the default.yml file into the container; on startup the container adjusts its default configuration files according to the settings in default.yml.

    • Step 4. Docker should now be starting the container. Use the command docker ps to check its status. When the container's status is healthy, it is ready to use.

    NOTE: For additional instructions reference the official documentation.

Connecting Heimdall Lite to a Splunk Enterprise Container

  1. Disable CORS enforcement in your browser. With Google Chrome this can be done by opening a tab with web security disabled, using the following command:

    • Windows:
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-gpu --user-data-dir=%LOCALAPPDATA%\Google\chromeTemp
      
    • OSX:
      open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_test" --disable-web-security
      
    • Linux:
      google-chrome --disable-web-security
      
  2. Access Heimdall Lite by going to localhost:8080. Click on the Splunk tab on the left of the interface.

  3. Enter your credentials for the Splunk Enterprise container. Unless you are specifically targeting a certain user, use the username admin, the password set in the previous section, and the hostname https://localhost:8089.

  4. Heimdall Lite should now connect and display the contents of the Splunk container.

NOTE: If you receive the error "Login timed out. Please check your CORS configuration or validate you have inputted the correct domain", you most likely have a CORS issue. Ensure that CORS enforcement is disabled in your browser, or recreate your Splunk container using the provided default.yml.
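A check script for Step 4 of the container setup and for the CORS note above, added here as an example (it is not part of the Heimdall2 wiki or project): it confirms that the container reports healthy and that splunkd actually returns an Access-Control-Allow-Origin header for the Heimdall Lite origin, which is the header the browser needs before the login can succeed. It assumes curl and docker on the host, the port mappings from Step 3, SPLUNK_PASSWORD exported with the admin password, and that the script is saved as check_splunk_cors.sh (the file name is an assumption).

```shell
#!/bin/sh
# Added example, not part of the Heimdall2 wiki: checks the Splunk container
# from Steps 3/4 and the httpServer CORS setting from default.yml. Assumes curl
# and docker on the host, the Step 3 port mappings, and SPLUNK_PASSWORD set to
# the admin password. Saved as check_splunk_cors.sh (name is an assumption).

SPLUNK_URL="${SPLUNK_URL:-https://localhost:8089}"   # REST API port from Step 3
ORIGIN="${ORIGIN:-http://localhost:8080}"            # Heimdall Lite dev server

# Reads raw HTTP response headers on stdin; succeeds only when an
# Access-Control-Allow-Origin header permits the origin given as $1.
cors_allows_origin() {
  acao=$(tr -d '\r' | grep -i '^access-control-allow-origin:' | head -n 1 \
         | sed 's/^[^:]*:[[:space:]]*//')
  [ -n "$acao" ] || return 1
  [ "$acao" = "*" ] || [ "$acao" = "$1" ]
}

# Counts splunk/splunk containers whose STATUS column says "(healthy)",
# reading `docker ps` output on stdin.
healthy_count() {
  grep 'splunk/splunk' | grep -c '(healthy)'
}

main() {
  if [ "$(docker ps | healthy_count)" -eq 0 ]; then
    echo "no healthy splunk/splunk container yet; check 'docker ps' again later" >&2
    return 2
  fi
  # -k: the container uses a self-signed certificate; -D - dumps the response
  # headers and -o /dev/null drops the body. Origin is what the browser sends.
  if curl -sk -D - -o /dev/null -u "admin:${SPLUNK_PASSWORD:?set SPLUNK_PASSWORD}" \
       -H "Origin: $ORIGIN" "$SPLUNK_URL/services/server/info" \
     | cors_allows_origin "$ORIGIN"; then
    echo "CORS OK: $SPLUNK_URL allows origin $ORIGIN"
  else
    echo "no usable Access-Control-Allow-Origin header; recreate the container with the provided default.yml" >&2
    return 1
  fi
}

# Run the live check only when executed directly, not when sourced.
if [ "${0##*/}" = "check_splunk_cors.sh" ]; then main; fi
```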

Tenable.SC

Instruction