Skip to content

Heimdall Interface Connections

Charles Hu edited this page May 31, 2023 · 24 revisions

Splunk

Instruction

These instructions are for creating a Splunk Docker Container and connecting to Heimdall Lite for interface testing.

Set Up Heimdall Lite and the Splunk Enterprise Container

  1. To install and run Heimdall Lite in Development Mode following these steps:

    • Step 1. Retrieve the repository from GitHub using the following command:
      git clone https://github.com/mitre/heimdall2
      
    • Step 2. Navigate to the Heimdall2 repository directory and run the following command to install the necessary packages:
      yarn install
      
    • Step 3. Use the following command in the Heimdall2 directory to start up Development Mode:
      yarn start:dev
      

    NOTE: For additional instructions reference the official documentation for Heimdall2.

  2. Install Docker.

  3. To set up and run a Splunk Enterprise container follow these steps:

    • Step 1. Pull the latest official Splunk Enterprise image using the following command:

      docker pull splunk/splunk:latest
      
    • Step 2. Create a default.yml file with the following content. These custom configurations are used to allow the generated Splunk Enterprise container to connect to the Heimdall Lite instance.

      splunk:
        conf:
          - key: limits
            value:
              directory: /opt/splunk/etc/system/default
              content:
                kv:
                  limit: 10000000
                  maxchars: 1000000
          - key: props
            value:
              directory: /opt/splunk/etc/system/default
              content:
                HDF2Splunk:
                  SHOULD_LINEMERGE: false
                  EVENT_BREAKER_ENABLE: true
                  EVENT_BREAKER: ([\n]+)
                  TRUNCATE: 0
          - key: server
            value:
              directory: /opt/splunk/etc/system/default
              content:
                httpServer:
                  crossOriginSharingPolicy: "*"
                  crossOriginSharingHeaders: "*"
                  disabled: 0
      
    • Step 3. Create a Splunk Enterprise container using the following command, replace <PASSWORD> with a Splunk Enterprise compliant password and specify the path to the default.yml file.

      • OSX/Linux:
        sudo docker run -d -p 8000:8000 -p 8089:8089 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<PASSWORD>' -v '/ENTER/PATH/TO/default.yml:/tmp/defaults/default.yml' splunk/splunk:latest
        
      • Windows:
        docker run -d -p 8000:8000 -p 8089:8089 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=<PASSWORD>" -v "\ENTER\PATH\TO\default.yml:/tmp/defaults/default.yml" splunk/splunk:latest
        

      Command breakdown:

      • -p 8000:8000 -p 8089:8089 exposes a port mapping from the host's 8000 and 8089 ports to the container's 8000 (user friendly frontend) and 8089 (REST API access) ports respectively.

      • -e 'SPLUNK_START_ARGS=--accept-license' accepts the license agreement. This must be accepted to start up the container.

      • -e 'SPLUNK_PASSWORD=<PASSWORD>' sets the password for the admin user.

      • -v '/ENTER/PATH/TO/default.yml:/tmp/defaults/default.yml' mounts the default.yml file onto the container which then adjusts the default configuration files according to the specified settings in default.yml.

    • Step 4. Docker should now be starting up the container. Use the command docker ps to check the status of the container. When the container's status is healthy, it is ready to use.

    • Step 5. Access http://localhost:8000 and https://localhost:8089 to ensure that the Splunk Enterprise container is accessible from your host ports. Log in on http://localhost:8000 to access the Splunk Enterprise web interface.

    NOTE: For additional instructions reference the official documentation for Splunk in Docker.

Connecting Heimdall Lite to the Splunk Enterprise Container

  1. Disable CORS on your browser. This can be achieved with Google Chrome using the following command to open a CORS-disabled tab:

    • Windows:
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-gpu --user-data-dir=%LOCALAPPDATA%\Google\chromeTemp
      
    • OSX:
      open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_test" --disable-web-security
      
    • Linux:
      google-chrome --disable-web-security
      
  2. Access Heimdall Lite by going to localhost:8080. Click on the Splunk tab on the left of the interface.

  3. Enter your credentials for the Splunk Enterprise container. Unless you are specifically targeting a certain user, use: username admin, password set in the previous section, and hostname https://localhost:8089.

  4. Heimdall Lite should now connect and display the contents of the Splunk container.

NOTE: If you receive an Error: Login timed out. Please check your CORS configuration or validate you have inputted the correct domain, you most likely have an issue related to CORS. Ensure that CORS is disabled on your browser or recreate your Splunk container using the provided default.yml.

Tenable.SC

Instruction
Clone this wiki locally