Tutorial: Importing Tranalyzer Flows in Splunk
- tranalyzer2-0.8.4 is installed with standard/default plugins,
- Splunk 6.5.x is installed, Splunk account exists,
- At least one network interface (Ethernet or WLAN) has network traffic.
Select Network Interface
Determine the network interface name by entering the following command at the terminal command line:
In the output, look for the interface that has the IP address from which the network traffic should be collected, for example:
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 10.20.6.79 netmask 0xfffffc00 broadcast 10.20.7.255
Configure Tranalyzer jsonSink Plugin
Open tranalyzer2-0.8.4/plugins/jsonSink/src/jsonSink.h and set the configuration parameters as needed:
#define SOCKET_ON   1            // Whether to output to a socket (1) or file (0)
#define SOCKET_ADDR "127.0.0.1"  // address of the socket
#define SOCKET_PORT 5000         // port of the socket
Set SOCKET_ON to 1 to send the output to a socket instead of a file. Set SOCKET_ADDR to the IP address of the destination server that should receive the data stream; if localhost is the destination, leave the default "127.0.0.1". Set SOCKET_PORT to the port on which the destination server listens.
Recompile the jsonSink Plugin
Enter the following command:
$ t2build jsonSink
Make sure that the plugin compiles successfully. If it does, the following message is shown at the command line:
Plugin jsonSink copied into /home/user/.tranalyzer/plugins
Start generating flow records by launching Tranalyzer2 with the interface name determined in the previous step and an output file name as command line arguments:
$ t2 -i en0 -w test1 &
Root rights might be required to sniff traffic from an interface. If you receive an error message warning you about that, run the following command instead (it runs Tranalyzer with sudo and will likely ask for your password):
$ st2 -i en0 -w test1 &
Note that the file name is optional for the JSON stream import: if no file name is given, the records are written to standard output (in addition to being streamed over the configured TCP socket).
Check File Output
Check that the flow records are written to the file by entering the command:
$ tail -f test1_flows.txt
Flow records should be shown in the terminal.
Let Tranalyzer2 run and collect network traffic.
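The file check above covers the file output only. As an added check that is not part of this tutorial or of the Tranalyzer or Splunk projects, the following Python listener stands in for the Splunk TCP input on SOCKET_ADDR:SOCKET_PORT, reassembles the newline-delimited JSON records that jsonSink streams (including a record split across two TCP segments) and counts flows per destination. It assumes one JSON object per line; the sample records and their field names (srcIP, dstIP, dstPort, l4Proto) are constructed for this example.

```python
import json
import socket

SOCKET_ADDR = "127.0.0.1"  # must match SOCKET_ADDR in jsonSink.h
SOCKET_PORT = 5000         # must match SOCKET_PORT in jsonSink.h

# Constructed sample stream (field names assumed); the second record is cut across two chunks.
SAMPLE_CHUNKS = [
    b'{"flowInd":1,"srcIP":"10.20.6.79","dstIP":"10.20.6.1","dstPort":53,"l4Proto":17}\n'
    b'{"flowInd":2,"srcIP":"10.20.6.79","dst',
    b'IP":"93.184.216.34","dstPort":443,"l4Proto":6}\n',
]

def parse_record(line):
    # One flow record per line; anything that is not a JSON object is rejected.
    rec = json.loads(line.decode("utf-8"))
    if not isinstance(rec, dict):
        raise ValueError("flow record is not a JSON object")
    return rec

def decode_stream(chunks):
    # Reassemble received chunks into records. A record cut by a segment
    # boundary waits in buf until its terminating newline arrives.
    records, buf = [], b""
    for chunk in chunks:
        *lines, buf = (buf + chunk).split(b"\n")
        records.extend(parse_record(ln) for ln in lines if ln.strip())
    if buf.strip():  # stream closed without a trailing newline
        records.append(parse_record(buf))
    return records

def flows_per_destination(records):
    # Count flows per (dstIP, dstPort) as a quick sanity check of the feed.
    counts = {}
    for rec in records:
        key = (rec.get("dstIP"), rec.get("dstPort"))
        counts[key] = counts.get(key, 0) + 1
    return counts

def receive_flows(host=SOCKET_ADDR, port=SOCKET_PORT, max_bytes=1 << 16):
    # Accept one connection from t2 and return what it sent. Start this
    # listener before t2, so that jsonSink finds an open socket.
    chunks, total = [], 0
    with socket.create_server((host, port)) as srv:
        conn, _ = srv.accept()
        with conn:
            while total < max_bytes:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
                total += len(chunk)
    return decode_stream(chunks)

if __name__ == "__main__":
    print(flows_per_destination(receive_flows()))
```

Run it before launching t2 and while nothing else (such as Splunk) is bound to the port; stop it before pointing jsonSink at Splunk.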
Start Splunk by entering the following command in the directory where Splunk is installed:
Wait for the confirmation message that Splunk is up and running:
The Splunk web interface is at http://splunk_hostname:8000