Capsule8 Docs
Capsule8 Docs
Help

Getting Alerts via Splunk

In this Splunk walkthrough, we will use a simple deployment scenario of a Capsule8 Sensor deployed to a non-containerized Linux production server. If you have not already, see the Capsule8 Installation Guide for instructions on installing the Capsule8 Sensor in your deployment environment of choice.

We will be configuring the Capsule8 Sensor to log Alert data to a file called /var/log/capsule8-alerts.json with a simple program black list which will generate an Alert every time the program wget is run:

alert_output:
  outputs:
    - type: file
      enabled: true
      file: /var/log/capsule8-alerts.json

Wget Program Blacklist:
  policy: program
  enabled: true
  alertMessage: Unauthorized Program Execution
  priority: High
  rules:
  - match programName == "*/wget"
  - default ignore
  comments: Alert on usage of the wget command

This example discusses using Splunk’s universal forwarder to ingest Alerts from a Capsule8 Sensor into Splunk Enterprise, Splunk Light, or Splunk Cloud. It was written for the universal forwarder v7.2.5. To get started, follow the Splunk universal forwarder installation guide and install it alongside the Capsule8 Sensor in a Linux test environment.

Once the universal forwarder is installed, follow the configuration guide to connect it either to your receiving indexer or deployment server depending on how you have Splunk configured. Now you can configure your forwarder’s input:

$ cd $SPLUNK_HOME/bin
$ ./splunk add monitor /var/log/capsule8-alerts.json

Restart the universal forwarder with ./splunk restart and you are done! Any Alerts generated on the server should now show up in your Splunk deployment. To generate an Alert with our example policy, run a wget command on your server. You should see a resulting Alert for Unauthorized Program Execution.