
Splunk output #9

Open
dpicollege opened this issue Nov 30, 2016 · 3 comments
Labels
needs: config (indicates the issue requires changes in the config file/flags)
needs: docs (indicates that the issue needs documentation updates)
output: splunk (anything related to Splunk output)
scope: outputs (anything related to output sinks)

Comments

@dpicollege

dpicollege commented Nov 30, 2016

Description

This task should tackle the implementation of the Splunk output. Events should be shipped to the Splunk HEC (HTTP Event Collector). For ideas to borrow, see the reference link to the implementation of the Splunk sink in Vector.

Prior art

https://github.com/timberio/vector/blob/master/src/sinks/splunk_hec.rs
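As an added illustration of the HEC shipping the issue asks for (example code written for this page, not the Fibratus implementation and not Vector's sink), the Go program below wraps records in the HEC JSON envelope, concatenates them into one batch, posts the batch with the Splunk token in the Authorization header, and checks the reply against a constructed stand-in for the collector so it runs offline. The event field names, host name and tokens are assumptions made for the example; the envelope keys, the /services/collector/event path, the `Splunk <token>` authorization scheme and the 403/400/200 reply codes are HEC's documented behaviour.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// hecEvent is the JSON envelope HEC accepts on /services/collector/event:
// the metadata keys are fixed by HEC, "event" carries the record itself.
type hecEvent struct {
	Time       float64     `json:"time"`
	Host       string      `json:"host,omitempty"`
	Sourcetype string      `json:"sourcetype,omitempty"`
	Event      interface{} `json:"event"`
}

// newEnvelope wraps one record; HEC wants epoch seconds (fraction allowed).
func newEnvelope(ts time.Time, host string, fields map[string]interface{}) hecEvent {
	return hecEvent{Time: float64(ts.UnixNano()) / 1e9, Host: host, Sourcetype: "_json", Event: fields}
}

// encodeBatch concatenates envelopes so one POST carries the batch (HEC accepts several JSON objects per request).
func encodeBatch(evts []hecEvent) ([]byte, error) {
	var buf bytes.Buffer
	for _, e := range evts {
		if err := json.NewEncoder(&buf).Encode(e); err != nil {
			return nil, err
		}
	}
	return buf.Bytes(), nil
}

// sendToHEC posts a batch with the HEC token in the Authorization header ("Splunk <token>");
// a non-200 reply is returned as an error so the caller can retry or spool the batch.
func sendToHEC(client *http.Client, baseURL, token string, body []byte) error {
	req, err := http.NewRequest(http.MethodPost, baseURL+"/services/collector/event", bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Splunk "+token)
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("hec: unexpected status %d", resp.StatusCode)
	}
	return nil
}

// newFakeHEC is a constructed stand-in for the collector so the example runs offline; it
// mirrors HEC's replies (403/code 4 bad token, 400/code 6 bad body, 200/code 0 success).
func newFakeHEC(token string, accepted *int32) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Splunk "+token {
			http.Error(w, `{"text":"Invalid token","code":4}`, http.StatusForbidden)
			return
		}
		dec := json.NewDecoder(r.Body)
		for dec.More() {
			var env hecEvent
			if dec.Decode(&env) != nil || env.Event == nil {
				http.Error(w, `{"text":"Invalid data format","code":6}`, http.StatusBadRequest)
				return
			}
			atomic.AddInt32(accepted, 1)
		}
		fmt.Fprint(w, `{"text":"Success","code":0}`)
	}))
}

// ship posts two constructed events (field names are assumptions, not Fibratus' own) to a
// fake collector expecting serverToken, authenticating with clientToken; returns the accepted count.
func ship(serverToken, clientToken string) (int32, error) {
	var accepted int32
	srv := newFakeHEC(serverToken, &accepted)
	defer srv.Close()
	ts := time.Date(2016, 12, 12, 3, 28, 50, 458945000, time.UTC)
	body, err := encodeBatch([]hecEvent{
		newEnvelope(ts, "workstation-01", map[string]interface{}{"pid": 4012, "name": "CreateFile", "file_name": `C:\Windows\System32\open.x`}),
		newEnvelope(ts.Add(time.Millisecond), "workstation-01", map[string]interface{}{"pid": 4012, "name": "Connect", "dport": 443, "sport": 57410}),
	})
	if err == nil {
		err = sendToHEC(srv.Client(), srv.URL, clientToken, body)
	}
	return atomic.LoadInt32(&accepted), err
}

func main() {
	fmt.Println(ship("secret-token", "secret-token"))
	fmt.Println(ship("secret-token", "wrong-token"))
}
```

Against a real deployment, `baseURL` would be the collector's HTTPS endpoint (HEC listens on port 8088 by default) behind an `http.Client` that verifies the server certificate; a 4xx reply is a configuration problem (token, index, payload shape) and should stop the pipeline rather than be retried, while timeouts and 5xx replies are the cases worth retrying or spooling to disk.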

@rabbitstack changed the title from "request" to "Output adapter for Splunk" on Dec 1, 2016
@dpicollege
Author

I am very interested in sending Fibratus output to Splunk. May I have it this week, or should I wait longer?

@rabbitstack
Owner

My plate is pretty full this month and I have no experience with Splunk's API. Can you take a look at the documentation to help me figure out which endpoints should be used to send the data?

@dpicollege
Author

Yes, sure. But from my experience I suggest saving the data to disk, and then anyone can send the data to any SIEM: they can read the data and forward it to their environment. The file format can be txt or csv, and it's also better to have a structure, for example like this:

2016-12-12T03:28:50.458945 registry="close.x", dest="", transport="tcp", dest_port="", src="****", src_port="57410", file="open.x"

If it's hard, just make modules to send log data to a syslog server, like amqp and elasticsearch (both great).
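To make the disk-spool suggestion above concrete, here is an added example (written for this page, not code from Fibratus or from the commenter) that renders events in the proposed key="value" layout and parses them back the way a forwarder would. The field names and sample values are constructed. The security point it carries: any value copied from the event, such as a file name or registry path, has to be escaped, otherwise a crafted `"` inside it terminates the value early and injects forged fields that a downstream SIEM would index at face value.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// kvField is one key="value" pair; a slice keeps the column order stable so a
// forwarder (or a human with grep) sees the same layout on every line.
type kvField struct{ Key, Value string }

const tsLayout = "2006-01-02T15:04:05.000000"

// quoteValue escapes backslashes and double quotes so a value taken from the
// event (a file name, a registry path) cannot close its own quotes and inject
// a forged field such as src="trusted-host" into the record.
func quoteValue(v string) string {
	v = strings.ReplaceAll(v, `\`, `\\`)
	return `"` + strings.ReplaceAll(v, `"`, `\"`) + `"`
}

// formatLine renders an event in the layout suggested in the comment above:
// a microsecond timestamp followed by comma-separated key="value" pairs.
func formatLine(ts time.Time, fields []kvField) string {
	parts := make([]string, 0, len(fields))
	for _, f := range fields {
		parts = append(parts, f.Key+"="+quoteValue(f.Value))
	}
	return ts.UTC().Format(tsLayout) + " " + strings.Join(parts, ", ")
}

// parseLine is the inverse a forwarder needs when reading the file back; it
// walks the bytes so commas and escaped quotes inside a value survive.
func parseLine(line string) (time.Time, []kvField, error) {
	sp := strings.IndexByte(line, ' ')
	if sp < 0 {
		return time.Time{}, nil, fmt.Errorf("missing timestamp: %q", line)
	}
	ts, err := time.Parse(tsLayout, line[:sp])
	if err != nil {
		return time.Time{}, nil, err
	}
	var fields []kvField
	for rest := line[sp+1:]; rest != ""; {
		eq := strings.IndexByte(rest, '=')
		if eq < 0 || eq+1 >= len(rest) || rest[eq+1] != '"' {
			return ts, nil, fmt.Errorf("malformed field at %q", rest)
		}
		var val strings.Builder
		i, closed := eq+2, false
		for i < len(rest) && !closed {
			switch c := rest[i]; {
			case c == '\\' && i+1 < len(rest):
				val.WriteByte(rest[i+1])
				i += 2
			case c == '"':
				closed, i = true, i+1
			default:
				val.WriteByte(c)
				i++
			}
		}
		if !closed {
			return ts, nil, fmt.Errorf("unterminated value for %s", rest[:eq])
		}
		fields = append(fields, kvField{rest[:eq], val.String()})
		if rest = rest[i:]; rest != "" && !strings.HasPrefix(rest, ", ") {
			return ts, nil, fmt.Errorf("expected separator at %q", rest)
		}
		rest = strings.TrimPrefix(rest, ", ")
	}
	return ts, fields, nil
}

// roundTrip formats two constructed events and parses them back; the second
// carries a quote and a backslash in its file name to exercise the escaping.
func roundTrip() ([][]kvField, error) {
	ts := time.Date(2016, 12, 12, 3, 28, 50, 458945000, time.UTC)
	sample := [][]kvField{
		{{"registry", "close.x"}, {"transport", "tcp"}, {"src_port", "57410"}, {"file", "open.x"}},
		{{"file", `C:\Temp\evil", src="trusted-host`}, {"src", "10.0.0.5"}},
	}
	var out [][]kvField
	for i, ev := range sample {
		_, fields, err := parseLine(formatLine(ts.Add(time.Duration(i)*time.Second), ev))
		if err != nil {
			return nil, err
		}
		out = append(out, fields)
	}
	return out, nil
}

func main() {
	recs, err := roundTrip()
	fmt.Println(len(recs), err)
}
```

When the lines go to a spool file, create it with permissions limited to the collector and forwarder accounts (0600, or an equivalent ACL on Windows), since it records host activity; and a forwarder that cannot parse a line should quarantine it rather than skip it silently, because a parse failure is either corruption or an injection attempt, and both are worth seeing.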

@rabbitstack added the label "output: splunk" on Apr 21, 2020
@rabbitstack added the label "scope: outputs" on Nov 13, 2020
@rabbitstack changed the title from "Output adapter for Splunk" to "Splunk output" on Nov 13, 2020
@rabbitstack added the label "needs: docs" on Nov 23, 2020
@rabbitstack added the label "needs: config" on Dec 2, 2020
Development

No branches or pull requests

2 participants