Tutorial: Importing Tranalyzer Flows in Splunk

Prerequisites

  • tranalyzer2-0.8.6 is installed and built with the standard/default plugins (t2build).
  • Splunk 6.5.x is installed and a Splunk account exists.
  • At least one network interface (Ethernet or WLAN) carries network traffic.

Select Network Interface

Determine the network interface name by entering the following command at the terminal command line:

$ ifconfig

In the output, look for the name of the interface whose IP address belongs to the network the traffic should be collected from:

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST>
mtu 1500 inet 10.20.6.79 netmask 0xfffffc00 broadcast 10.20.7.255

Configure the jsonSink Plugin

Go to tranalyzer2-0.8.6/plugins/jsonSink/src/jsonSink.h and set the configuration parameters as needed:

...
// user defines
#define SOCKET_ON               0 // Whether to output to a socket (1) or file (0)
#define GZ_COMPRESS             0 // Whether or not to compress the output (gzip)
#define JSON_SPLIT              1 // Whether or not to split output file (-W option)
#define JSON_ROOT_NODE          0 // Whether or not to surround the output with a root node (array)
#define SUPPRESS_EMPTY_ARRAY    1 // Whether or not to output empty fields
#define JSON_NO_SPACES          1 // Suppress unnecessary spaces (1)

#define JS_BUFFER_SIZE (1 << 20)  // size of outputbuffer

#if SOCKET_ON == 1

#define SOCKET_ADDR "127.0.0.1"   // address of the socket
#define SOCKET_PORT 5000          // port of the socket

#else // SOCKET_ON == 0

#define JSON_SUFFIX "_flows.json" // suffix for output file

#endif // SOCKET_ON == 0
...

Set SOCKET_ON to 1 to send the output to a socket instead of a file. Set SOCKET_ADDR to the IP address of the destination server that should receive the data stream; if the destination is the local host, keep the default "127.0.0.1". Set SOCKET_PORT to the port on which the destination listens, then recompile jsonSink:

$ t2conf jsonSink -D SOCKET_ON=1
$ t2build jsonSink
...
$

Start T2

Start generating flow records by launching T2 with the interface name determined in the previous step and an output file name as command line arguments:

$ t2 -i en0 -w test1 &
$

Root rights might be required to sniff traffic from an interface. If you receive an error message warning you about that, run the following command instead (it runs tranalyzer with sudo and will likely ask for your password):

$ st2 -i en0 -w test1 &
$

Note that the file name is optional for the JSON stream import: if no file name is given, the records are printed to standard output (in addition to being streamed over the configured TCP socket).

Check File Output

Check that the flow records are being written to the file by entering the command:

$ tail -f test1_flows.txt

Flow records should appear in the terminal. Collect traffic for some time.

Start Splunk

Start Splunk by entering the following command in the directory where Splunk is installed:

$ splunk start

Wait for the confirmation message that Splunk is up and running:

The Splunk web interface is at http://splunk_hostname:8000

Login to Splunk, Import and Search Data

  1. Select "Add Data" in Splunk.
  2. Select TCP/UDP, set the protocol to TCP and set the port number to the one configured in the jsonSink plugin (SOCKET_PORT, 5000 in this example).
  3. Select '_json' as the Source Type and proceed to Review.
  4. Select 'Start Searching' to make sure that the data is being received by Splunk.
  5. Note that the data is being received, but the Tranalyzer2-specific record fields are not extracted yet.
  6. Go to Settings -> DATA -> Source Types and click on the '_json' source type to edit it.
  7. Change the option KV_MODE from none to json and save the changes.
  8. Return to the Search window and make sure that the Tranalyzer2-specific fields are now recognized by Splunk.
  9. Query the data, e.g., show the top destination IP addresses by number of records.
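The following added example (not code from Tranalyzer or Splunk) stands in for Splunk's TCP input so that the jsonSink stream described in "Configure the jsonSink Plugin" and "Start T2" can be inspected without Splunk, and it performs the same aggregation as the final query above (top destination IP addresses by number of records). It assumes that jsonSink, with JSON_ROOT_NODE=0 and JSON_NO_SPACES=1, emits one JSON object per line over the TCP connection, and that the records carry srcIP/dstIP/dstPort fields; the sample records are constructed here, not captured from a real run. The listener is up before the sender connects, which is the order a jsonSink-to-Splunk setup also needs, since the plugin connects as a client.

```python
"""Minimal stand-in for Splunk's TCP input: receive newline-delimited JSON
flow records as Tranalyzer's jsonSink (SOCKET_ON=1) is assumed to send them,
and tally the top destination IPs. Added example, not part of either project."""
import json
import socket
import threading
from collections import Counter

# Constructed sample stream. Field names are assumptions about jsonSink output;
# only the one-object-per-line shape matters for the parser. One malformed line
# is included on purpose to show how a bad record is handled.
SAMPLE_STREAM = (
    b'{"flowInd":1,"srcIP":"10.20.6.79","dstIP":"93.184.216.34","dstPort":443,"l4Proto":6}\n'
    b'{"flowInd":2,"srcIP":"10.20.6.79","dstIP":"10.20.4.1","dstPort":53,"l4Proto":17}\n'
    b'{"flowInd":3,"srcIP":"10.20.6.79","dstIP":"93.184.216.34","dstPort":80,"l4Proto":6}\n'
    b'not json at all\n'
    b'{"flowInd":4,"srcIP":"10.20.6.80","dstIP":"93.184.216.34","dstPort":443,"l4Proto":6}\n'
)


def parse_ndjson(data):
    """Split a byte stream into JSON records, one per line.
    Returns (records, bad_lines). A malformed line is kept for inspection instead
    of aborting the import, comparable to Splunk indexing the raw event when the
    _json source type cannot extract fields from it."""
    records, bad = [], []
    for line in data.split(b"\n"):
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except ValueError:
            bad.append(line.decode("utf-8", "replace"))
    return records, bad


def top_dst_ips(records, n=5):
    """Equivalent of the tutorial's last step: top destination IPs by record count."""
    return Counter(r["dstIP"] for r in records if "dstIP" in r).most_common(n)


def receive_stream(port=0, timeout=5.0, on_listen=None):
    """Listen on 127.0.0.1:port (0 = any free port, as here) like Splunk's TCP
    input, accept one connection and read until the sender closes it.
    on_listen(actual_port) is called once the socket is accepting connections."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))
        srv.listen(1)
        if on_listen is not None:
            on_listen(srv.getsockname()[1])
        srv.settimeout(timeout)
        conn, _ = srv.accept()
        chunks = []
        with conn:
            conn.settimeout(timeout)
            while True:
                chunk = conn.recv(65536)
                if not chunk:
                    break
                chunks.append(chunk)
    return b"".join(chunks)


def run_local_demo():
    """Play both sides: start the listener first, then connect as jsonSink would
    and send SAMPLE_STREAM. Returns (top_ips, bad_lines)."""
    ready = threading.Event()
    state = {}

    def on_listen(actual_port):
        state["port"] = actual_port
        ready.set()

    def listener():
        state["data"] = receive_stream(0, on_listen=on_listen)

    thread = threading.Thread(target=listener)
    thread.start()
    if not ready.wait(5.0):
        raise RuntimeError("listener did not start")
    # The sender connects only after the listener is accepting, which is also the
    # order needed in a real deployment (Splunk's TCP input must be up before t2).
    with socket.create_connection(("127.0.0.1", state["port"])) as client:
        client.sendall(SAMPLE_STREAM)
    thread.join(5.0)
    records, bad = parse_ndjson(state["data"])
    return top_dst_ips(records), bad


if __name__ == "__main__":
    top, bad = run_local_demo()
    print("top destination IPs:", top)
    print("unparseable lines:", bad)
```

Running the script prints three records for 93.184.216.34, one for 10.20.4.1, and the single unparseable line. If Splunk shows events but no extracted fields (step 5 above), the bad_lines list from parse_ndjson on a captured stream is a quick way to tell a KV_MODE setting problem apart from a malformed stream.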