Tutorial: Importing Tranalyzer Flows in Splunk
- tranalyzer2-0.8.6 is installed with the standard/default plugins,
- Splunk 6.5.x is installed and a Splunk account exists,
- At least one network interface (Ethernet or WLAN) carries network traffic.
Select Network Interface
Determine the network interface name by entering ifconfig at the terminal command line:
$ ifconfig
In the output, look for the interface that has the IP address from which the network traffic should be collected (the two relevant lines of the output are shown):
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 10.20.6.79 netmask 0xfffffc00 broadcast 10.20.7.255
Configure the jsonSink Plugin
Open tranalyzer2-0.8.6/plugins/jsonSink/src/jsonSink.h and set the configuration parameters as needed:
...
// user defines
#define SOCKET_ON 0                 // Whether to output to a socket (1) or file (0)
#define GZ_COMPRESS 0               // Whether or not to compress the output (gzip)
#define JSON_SPLIT 1                // Whether or not to split output file (-W option)
#define JSON_ROOT_NODE 0            // Whether or not to surround the output with a root node (array)
#define SUPPRESS_EMPTY_ARRAY 1      // Whether or not to output empty fields
#define JSON_NO_SPACES 1            // Suppress unnecessary spaces (1)
#define JS_BUFFER_SIZE (1 << 20)    // size of outputbuffer

#if SOCKET_ON == 1
#define SOCKET_ADDR "127.0.0.1"     // address of the socket
#define SOCKET_PORT 5000            // port of the socket
#else // SOCKET_ON == 0
#define JSON_SUFFIX "_flows.json"   // suffix for output file
#endif // SOCKET_ON == 0
...
Set SOCKET_ON to 1 to send the output to a socket instead of a file. Set SOCKET_ADDR to the IP address of the destination server that should receive the data stream; if localhost will be the destination, leave the default "127.0.0.1". Set SOCKET_PORT to the port the destination listens on, then recompile jsonSink. Note that the stream is plain TCP with no encryption or authentication, so keep the receiver on localhost or on a trusted management network.
$ t2conf jsonSink -D SOCKET_ON=1
$ t2build jsonSink
...
$
Start generating flow records by launching T2 with the interface name determined in the previous step (-i) and an output file name prefix (-w) as command line arguments:
$ t2 -i en0 -w test1 &
$
Root rights might be required to sniff traffic from an interface. If you receive an error message warning you about that, run the following command instead (it runs Tranalyzer with sudo and will likely ask for your password):
$ st2 -i en0 -w test1 &
$
Note that the file name is optional for the JSON stream import: if no file name is given, the records are printed to standard output (in addition to being streamed over the configured TCP socket).
Check File Output
Check that flow records are being written to the file by entering the command (the .txt file is produced by the default txtSink plugin; with SOCKET_ON=1 the JSON records go to the socket rather than to a test1_flows.json file):
$ tail -f test1_flows.txt
Flow records should appear in the terminal. Collect traffic for some time.
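The receiving side of the socket stream is not shown on this page. The following Python script is an added example, not part of the tutorial or of Tranalyzer; it is a minimal stand-in for the TCP input that Splunk will later provide, useful for confirming that jsonSink actually delivers records before Splunk is involved. It listens on 127.0.0.1 (port 0, i.e. any free port, by default; pass 5000 to match SOCKET_PORT above), reads the newline-delimited JSON objects that jsonSink emits with JSON_ROOT_NODE 0, buffers partial lines across reads (a record can straddle two recv() calls), and tallies flows per destination port. The sample flow records and their field names are constructed for the demo and only loosely resemble Tranalyzer's basicFlow columns. Because jsonSink connects out to SOCKET_ADDR:SOCKET_PORT, whatever receives the stream has to be listening before T2 is started.

```python
import json
import socket
import threading
from collections import Counter

# Constructed sample flow records (not real Tranalyzer output). Field names are
# assumed to resemble Tranalyzer's basicFlow columns; the values are made up.
SAMPLE_FLOWS = [
    {"flowInd": 1, "srcIP": "10.20.6.79", "srcPort": 52344,
     "dstIP": "93.184.216.34", "dstPort": 443, "l4Proto": 6, "duration": 1.5},
    {"flowInd": 2, "srcIP": "10.20.6.79", "srcPort": 58711,
     "dstIP": "10.20.4.1", "dstPort": 53, "l4Proto": 17, "duration": 0.02},
    {"flowInd": 3, "srcIP": "10.20.6.79", "srcPort": 52345,
     "dstIP": "151.101.1.69", "dstPort": 443, "l4Proto": 6, "duration": 3.0},
]


def split_records(buf: bytes):
    """Split buffered bytes into complete newline-delimited JSON objects.

    With JSON_ROOT_NODE 0 every flow is one JSON object terminated by a newline.
    Returns (records, remainder); remainder is the incomplete tail that must be
    kept until the next recv() delivers the rest of the line.
    """
    records = []
    while True:
        nl = buf.find(b"\n")
        if nl < 0:
            return records, buf
        line, buf = buf[:nl], buf[nl + 1:]
        if line.strip():
            records.append(json.loads(line))


def serve_once(listener: socket.socket) -> list:
    """Accept one sender (T2 connects as a TCP client) and read records until
    it closes the connection."""
    conn, _peer = listener.accept()
    records, buf = [], b""
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
            done, buf = split_records(buf)
            records.extend(done)
    if buf.strip():
        raise ValueError("sender closed mid-record: %r" % buf[:60])
    return records


def summarize(records):
    """Count flows per (l4Proto, dstPort): a quick sanity check of the stream
    before pointing Splunk's TCP input at it."""
    return Counter((r["l4Proto"], r["dstPort"]) for r in records)


def demo(host="127.0.0.1", port=0, flows=SAMPLE_FLOWS):
    """Listen on host:port (0 = any free port; use 5000 to match SOCKET_PORT),
    play the sample flows in the way jsonSink would (one compact object per
    line, here deliberately split across two writes), and return the parsed
    records."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(1)
    port = listener.getsockname()[1]

    result = {}
    worker = threading.Thread(
        target=lambda: result.update(records=serve_once(listener)))
    worker.start()

    # JSON_NO_SPACES 1 -> no spaces after separators.
    payload = b"".join(json.dumps(f, separators=(",", ":")).encode() + b"\n"
                       for f in flows)
    mid = len(payload) // 2          # cut inside a record to exercise buffering
    with socket.create_connection((host, port)) as sender:
        sender.sendall(payload[:mid])
        sender.sendall(payload[mid:])

    worker.join(5)
    listener.close()
    return result["records"]


if __name__ == "__main__":
    for (proto, dport), n in sorted(summarize(demo()).items()):
        print("l4Proto=%d dstPort=%d flows=%d" % (proto, dport, n))
```

Against a live run, create the listener on port 5000 and call serve_once() before starting t2 -i en0; it returns the collected records once T2 closes the connection. A ValueError from serve_once means the sender went away in the middle of a record, which is the case a naive line reader silently mis-parses.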
Start Splunk by entering the following command in the directory where Splunk is installed (the splunk binary lives in its bin subdirectory):
$ splunk start
Wait for the confirmation message that Splunk is up and running:
The Splunk web interface is at http://splunk_hostname:8000