Getting Alerts via Splunk
In this Splunk walkthrough, we will use a simple deployment scenario of a Capsule8 Sensor deployed to a non-containerized Linux production server. If you have not already, see the Capsule8 Installation Guide for instructions on installing the Capsule8 Sensor in your deployment environment of choice.
We will configure the Capsule8 Sensor to log Alert data to a file called /var/log/capsule8-alerts.json, together with a simple program blacklist policy that generates an Alert every time the program wget is run:
alert_output:
  outputs:
    - type: file
      enabled: true
      file: /var/log/capsule8-alerts.json

Wget Program Blacklist:
  policy: program
  enabled: true
  alertMessage: Unauthorized Program Execution
  priority: High
  rules:
    - match programName == "*/wget"
    - default ignore
  comments: Alert on usage of the wget command
This example discusses using Splunk’s universal forwarder to ingest Alerts from a Capsule8 Sensor into Splunk Enterprise, Splunk Light, or Splunk Cloud. It was written for the universal forwarder v7.2.5. To get started, follow the Splunk universal forwarder installation guide and install it alongside the Capsule8 Sensor in a Linux test environment.
Once the universal forwarder is installed, follow the configuration guide to connect it either to your receiving indexer or deployment server depending on how you have Splunk configured. Now you can configure your forwarder’s input:
$ cd $SPLUNK_HOME/bin
$ ./splunk add monitor /var/log/capsule8-alerts.json
Restart the universal forwarder with ./splunk restart and you are done. Any Alerts generated on the server should now show up in your Splunk deployment. To generate an Alert with our example policy, run a wget command on your server. You should see a resulting Alert for Unauthorized Program Execution. If nothing appears in Splunk, first confirm that the line was written to /var/log/capsule8-alerts.json: if it is there, the problem lies with the forwarder or its connection to the indexer; if it is not, the Sensor policy is not firing.
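The following shell script is an added example, not code from Capsule8 or Splunk. It ties the steps above together: a local check that counts matching Alert lines in the log file before you look in Splunk, the inputs.conf stanza that is equivalent to the "splunk add monitor" command (with a sourcetype added so each line is parsed as JSON), and a wrapper that applies it through the CLI when a forwarder is installed. The sample alert records it writes are constructed for the offline run and do not reproduce the real Capsule8 alert schema; the only thing taken from the page is the alert message string. Using the built-in _json sourcetype for the Sensor's output and the "main" index are my assumptions.

```shell
#!/bin/sh
# Added example, not Capsule8 or Splunk code.
# Assumptions (not stated on the page): the Sensor writes one JSON object
# per line and the alertMessage text appears verbatim in that line; the
# records in write_sample_alerts are constructed and not the real schema.

ALERT_FILE="${ALERT_FILE:-/var/log/capsule8-alerts.json}"
ALERT_MESSAGE="Unauthorized Program Execution"

# Write constructed sample alerts to file $1 (offline demo only).
write_sample_alerts() {
    cat > "$1" <<'EOF'
{"alertMessage":"Unauthorized Program Execution","priority":"High","programName":"/usr/bin/wget"}
{"alertMessage":"Some Other Alert","priority":"Low","programName":"/usr/bin/curl"}
{"alertMessage":"Unauthorized Program Execution","priority":"High","programName":"/usr/local/bin/wget"}
EOF
}

# Print the number of lines in file $1 that contain message $2.
# grep -c exits 1 when there are no matches, which would abort a
# "set -e" script, so that case is folded into a printed 0; a missing
# file also yields 0 rather than an empty string.
alert_count() {
    count=$(grep -c -F -- "$2" "$1" 2>/dev/null || true)
    printf '%s\n' "${count:-0}"
}

# Print the inputs.conf stanza equivalent to "splunk add monitor $1".
# $2 is the sourcetype (default _json, a built-in Splunk sourcetype that
# parses each line as JSON; applying it to Sensor output is an assumption)
# and $3 the target index (default main, also an assumption).
forwarder_input_stanza() {
    printf '[monitor://%s]\nsourcetype = %s\nindex = %s\ndisabled = false\n' \
        "$1" "${2:-_json}" "${3:-main}"
}

# Apply the same input through the universal forwarder CLI, as the page
# does, and restart it. Only runs when SPLUNK_HOME points at a forwarder.
add_monitor_via_cli() {
    if [ -n "${SPLUNK_HOME:-}" ] && [ -x "$SPLUNK_HOME/bin/splunk" ]; then
        "$SPLUNK_HOME/bin/splunk" add monitor "$1" \
            -sourcetype "${2:-_json}" -index "${3:-main}"
        "$SPLUNK_HOME/bin/splunk" restart
    else
        echo "SPLUNK_HOME not set or splunk binary missing; skipping" >&2
        return 1
    fi
}

# Stand-alone demo on a temp file so the real alert log is never touched.
demo() {
    tmp=$(mktemp)
    write_sample_alerts "$tmp"
    echo "alerts for '$ALERT_MESSAGE': $(alert_count "$tmp" "$ALERT_MESSAGE")"
    echo "inputs.conf stanza for $ALERT_FILE:"
    forwarder_input_stanza "$ALERT_FILE"
    rm -f "$tmp"
}

demo
```

On a real server, call `alert_count "$ALERT_FILE" "$ALERT_MESSAGE"` right after running wget; a count of zero means the Sensor policy is not producing the Alert and no amount of forwarder debugging will help. The stanza printed by forwarder_input_stanza is what you would put in a local inputs.conf if you manage the forwarder with a deployment server instead of the CLI.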