-
Notifications
You must be signed in to change notification settings - Fork 59
Heimdall Interface Connections
Instruction
These instructions are for creating a Splunk Docker Container
and connecting to Heimdall Lite for interface testing.
-
To install and run Heimdall Lite in
Development Mode
following these steps:-
Step 1. Retrieve the repository from GitHub using the following command:
git clone https://github.com/mitre/heimdall2
-
Step 2. Navigate to the Heimdall2 repository directory and run the following command to install the necessary packages:
yarn install
-
Step 3. Use the following command in the Heimdall2 directory to start up
Development Mode
:yarn start:dev
NOTE: For additional instructions reference the official documentation for Heimdall2.
-
Step 1. Retrieve the repository from GitHub using the following command:
-
To set up and run a Splunk Enterprise container follow these steps:
-
Step 1. Pull the latest official Splunk Enterprise image using the following command:
docker pull splunk/splunk:latest
-
Step 2. Create a
default.yml
file with the following content. These custom configurations are used to allow the generated Splunk Enterprise container to connect to the Heimdall Lite instance.splunk: conf: - key: limits value: directory: /opt/splunk/etc/system/default content: kv: limit: 10000000 maxchars: 1000000 - key: props value: directory: /opt/splunk/etc/system/default content: HDF2Splunk: SHOULD_LINEMERGE: false EVENT_BREAKER_ENABLE: true EVENT_BREAKER: ([\n]+) TRUNCATE: 0 - key: server value: directory: /opt/splunk/etc/system/default content: httpServer: crossOriginSharingPolicy: "*" crossOriginSharingHeaders: "*" disabled: 0
-
Step 3. Create a Splunk Enterprise container using the following command, replace
<PASSWORD>
with a Splunk Enterprise compliant password and specify the absolute path to thedefault.yml
file.- OSX/Linux:
sudo docker run -d -p 8000:8000 -p 8089:8089 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<PASSWORD>' -v '/ABSOLUTE/PATH/TO/default.yml:/tmp/defaults/default.yml' splunk/splunk:latest
- Windows:
docker run -d -p 8000:8000 -p 8089:8089 -e 'SPLUNK_START_ARGS=--accept-license' -e 'SPLUNK_PASSWORD=<PASSWORD>' -v '\ABSOLUTE\PATH\TO\default.yml:/tmp/defaults/default.yml' splunk/splunk:latest
Command breakdown:
-
-p 8000:8000 -p 8089:8089
exposes a port mapping from the host's 8000 and 8089 ports to the container's 8000 (user friendly frontend) and 8089 (REST API access) ports respectively. -
-e 'SPLUNK_START_ARGS=--accept-license'
accepts the license agreement. This must be accepted to start up the container. -
-e 'SPLUNK_PASSWORD=<PASSWORD>'
sets the password for theadmin
user. -
-v '/ABSOLUTE/PATH/TO/default.yml:/tmp/defaults/default.yml'
mounts thedefault.yml
file onto the container which then adjusts the default configuration files according to the specified settings indefault.yml
.
- OSX/Linux:
-
Steps 4. Docker should now be starting up the container. Use the command
docker ps
to check the status of the container. When the container's status ishealthy
, it is ready to use.
NOTE: For additional instructions reference the official documentation for Splunk in Docker.
-
-
Disable CORS on your browser. This can be achieved with Google Chrome using the following command to open a CORS-disabled tab:
- Windows:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --disable-gpu --user-data-dir=%LOCALAPPDATA%\Google\chromeTemp
- OSX:
open -n -a /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --args --user-data-dir="/tmp/chrome_dev_test" --disable-web-security
- Linux:
google-chrome --disable-web-security
- Windows:
-
Access Heimdall Lite by going to
localhost:8080
. Click on theSplunk
tab on the left of the interface. -
Enter your credentials for the Splunk Enterprise container. Unless you are specifically targeting a certain user, use: username
admin
, password set in the previous section, and hostnamehttps://localhost:8089
. -
Heimdall Lite should now connect and display the contents of the Splunk container.
NOTE: If you receive an Error: Login timed out. Please check your CORS configuration or validate you have inputted the correct domain
, you most likely have an issue related to CORS. Ensure that CORS is disabled on your browser or recreate your Splunk container using the provided default.yml.
Instruction
Helping the overall cybersecurity strength of organizations.
- Home
- How to create a release
- Environment Variables Configuration
- Heimdall Authentication Methods
- Heimdall API Documentation
- Group and User Management
- Heimdall Interface Connections
- Heimdall Architecture Information
- Heimdall Class Diagrams
- Heimdall Development Tips & Tricks
- Heimdall Frontend Components
- Heimdall Processes Documentation
- Heimdall Heroku Documentation
- Developers Code Style
- Troubleshooting
- HDF Converter Mappings
- HDF Converters How Tos
- Manual Attestations
- Control Correlation Identifier (CCI) Converter