Skip to content

Heimdall Interface Connections

Jump to bottom
George M. Dias edited this page Jul 12, 2023 · 24 revisions

Splunk

Instruction

Splunk Interfacing Guide

Table of Contents

Login via Heimdall

Accessing a Splunk instance from Heimdall requires the input of the following information:

  • username: A qualified username recognized by the referenced Splunk instance.
  • password: A qualified password recognized by the referenced Splunk instance.
  • hostname: The domain name for the desired Splunk instance. Include port number if available.
  • index: A valid index name within the referenced Splunk instance. See section 'Splunk Indexes' for more details

An example of a valid login request in Heimdall:

login

Splunk Set Up

The default configuration for a Splunk instance can result in data loss or interfacing errors when communicating with Heimdall. It is highly recommended to change these default configurations as specified here.

To use a Splunk Docker Image for the purpose of testing the interface, references the instruction provide in the Splunk Docker Image section in this document.

Splunk Data

The Splunk platform accepts any type of data. In particular, it works with all IT streaming and historical data. The source of the data can be event logs, web logs, live application logs, network feeds, system metrics, change monitoring, message queues, archive files, and so on.

Splunk Indexes

An index in Splunk serves as a repository for data. When raw data is added to Splunk, it indexes the data (i.e., uses the data to update its indexes) and creates events for later reference.

For uploading or downloading data, Heimdall can only interface with Splunk by interacting with valid user-specified indexes. It is recommended to use a dedicated index (e.g., hdf) specifically for HDF files for easier data management.

To create an index using the Splunk GUI:

  1. Go to Settings
index1
  1. Go to Indexes
index2
  1. Press the New Index button
index3
  1. Fill out the fields for your new index
index4
  1. Press the Save button
index5
  1. Your new index should now appear in the index list
index6

Splunk Docker Image

These instructions are for creating a Splunk Docker Container and connecting to Heimdall Lite for interface testing.

Set Up Heimdall Lite and the Splunk Enterprise Container

  1. To install and run Heimdall Lite in Development Mode following these steps:

    • Step 1. Retrieve the repository from GitHub using the following command: 
      git clone https://github.com/mitre/heimdall2
    • Step 2. Navigate to the Heimdall2 repository directory and run the following command to install the necessary packages: 
      yarn install
    • Step 3. Use the following command in the Heimdall2 directory to start up Development Mode: 
      yarn start:dev

    NOTE: For additional instructions reference the official documentation for Heimdall2.

  2. Install Docker.

  3. To set up and run a Splunk Enterprise container follow these steps:

    • Step 1. Pull the latest official Splunk Enterprise image using the following command:

      docker pull splunk/splunk:latest

    • Step 2. Create a default.yml file with the following content. These custom configurations are used to allow the generated Splunk Enterprise container to connect to the Heimdall Lite instance.

      splunk:
  conf:
    - key: limits
      value:
        directory: /opt/splunk/etc/system/default
        content:
          kv:
            limit: 10000000
            maxchars: 1000000
    - key: props
      value:
        directory: /opt/splunk/etc/system/default
        content:
          HDF2Splunk:
            SHOULD_LINEMERGE: false
            EVENT_BREAKER_ENABLE: true
            EVENT_BREAKER: ([\n]+)
            TRUNCATE: 0
    - key: server
      value:
        directory: /opt/splunk/etc/system/default
        content:
          httpServer:
            crossOriginSharingPolicy: "*"
            crossOriginSharingHeaders: "*"
            disabled: 0

      NOTE: The default.yml content is used to modify the appropriate splunk configuration. The key: tags specify the file to modify and the directory: tag specifies the file location.

    • Step 3. Create a Splunk Enterprise container using the following command, replace <PASSWORD> with a Splunk Enterprise compliant password and specify the path to the default.yml file.

      • OSX/Linux: 
        sudo docker run -d -p 8000:8000 -p 8089:8089 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<PASSWORD>' -v '/ENTER/PATH/TO/default.yml:/tmp/defaults/default.yml' splunk/splunk:latest
      • Windows: 
        docker run -d -p 8000:8000 -p 8089:8089 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=<PASSWORD>" -v "ENTER\PATH\TO\default.yml:/tmp/defaults/default.yml" splunk/splunk:latest

      Command breakdown:

      • -d start the docker deamon. When combined with docker run -d [other options] <image_name> it runs the container in the background

      • -p 8000:8000 -p 8089:8089 exposes a port mapping from the host's 8000 and 8089 ports to the container's 8000 (user friendly frontend) and 8089 (REST API access) ports respectively.

      • -e 'SPLUNK_START_ARGS=--accept-license' accepts the license agreement. This must be accepted to start up the container.

      • -e 'SPLUNK_PASSWORD=<PASSWORD>' sets the password for the admin user.

      • -v mount a volume (absolute paths needed). We can use %cd% (windows) or $PWD (OSX/Linux) to specify the current directory. In the given example '/ENTER/PATH/TO/default.yml:/tmp/defaults/default.yml' mounts the default.yml file onto the container which then adjusts the default configuration files according to the specified settings in default.yml.

    • Step 4. Docker should now be starting up the container. Use the command docker ps to check the status of the container. When the container's status is healthy, it is ready to use.

    • Step 5. Access http://localhost:8000 and https://localhost:8089 to ensure that the Splunk Enterprise container is accessible from your host ports. Log in on http://localhost:8000 to access the Splunk Enterprise web interface.

    NOTE: For additional instructions reference the official documentation for Splunk in Docker.

Connecting Heimdall Lite to the Splunk Enterprise Container

  1. Disable CORS on your browser. This can be achieved with Google Chrome using the following command to open a CORS-disabled tab:

    • Windows: 
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-gpu --user-data-dir=%LOCALAPPDATA%\Google\chromeTemp
    • OSX: 
      open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_test" --disable-web-security
    • Linux: 
      google-chrome --disable-web-security

  2. Access Heimdall Lite by going to localhost:8080. Click on the Splunk tab on the left of the interface.

  3. Enter your credentials for the Splunk Enterprise container. Unless you are specifically targeting a certain user, use: username admin, password set in the previous section, and hostname https://localhost:8089.

  4. Heimdall Lite should now connect and display the contents of the Splunk container.

NOTE: If you receive an Error: Login timed out. Please check your CORS configuration or validate you have inputted the correct domain, you most likely have an issue related to CORS. Ensure that CORS is disabled on your browser or recreate your Splunk container using the provided default.yml.

Tenable.SC

Instruction

AWS S3

Instruction

Helping the overall cybersecurity strength of organizations.

image

Heimdall©

Security Data Visualization App

Table of Contents

Common Instructions

Developers Corner

HDF / Converts / Attestation

Other Documentation

Clone this wiki locally