This repository has been archived by the owner on Mar 2, 2023. It is now read-only.
Integration with Splunk
dvoraktomas edited this page Apr 27, 2016
This page describes a configuration that can be used to transport data from this application to Splunk.
Set up a new TCP or UDP data input. Follow the instructions on http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports. Set the following parameters to use TCP:
[tcp://9999]
sourcetype = syslog
Alternative for UDP:
[udp://8899]
sourcetype = syslog
no_appending_timestamp = true
Modify the transform section in your application.yml file.
transform:
  stylesheet: config/stix2splunk.xsl
Add the following TCP or UDP appender to your logback.xml file.
<appender name="TCP" class="com.cisco.cta.taxii.adapter.NetworkAppender">
  <host>splunk-host</host>
  <port>9999</port>
  <protocol>TCP</protocol>
</appender>
<appender name="UDP" class="com.cisco.cta.taxii.adapter.NetworkAppender">
  <host>splunk-host</host>
  <port>8899</port>
  <protocol>UDP</protocol>
</appender>
Make sure the parameter values match your Splunk configuration. Add the new appender to the output logger configuration. The logger configuration may include more than one appender.
<logger name="output" level="info" additivity="false">
  <appender-ref ref="TCP"/>
  <appender-ref ref="UDP"/>
</logger>
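A mismatch between the appender's port or protocol and the Splunk input is the usual reason events silently never arrive. The following added script (not part of this project) cross-checks the NetworkAppender entries referenced by the output logger against the stanzas in inputs.conf; the two embedded configs are constructed samples mirroring the settings above.

```python
"""Cross-check logback NetworkAppender targets against Splunk inputs.conf stanzas."""
import re
import xml.etree.ElementTree as ET

# Constructed samples mirroring this page's stanzas and appenders (not real configs).
INPUTS_CONF = """[tcp://9999]
sourcetype = syslog
[udp://8899]
sourcetype = syslog
no_appending_timestamp = true
"""
LOGBACK_XML = """<configuration>
 <appender name="TCP" class="com.cisco.cta.taxii.adapter.NetworkAppender">
  <host>splunk-host</host><port>9999</port><protocol>TCP</protocol></appender>
 <appender name="UDP" class="com.cisco.cta.taxii.adapter.NetworkAppender">
  <host>splunk-host</host><port>8899</port><protocol>UDP</protocol></appender>
 <logger name="output" level="info" additivity="false">
  <appender-ref ref="TCP"/><appender-ref ref="UDP"/></logger>
</configuration>"""

# Splunk stanza forms: [tcp://9999] or [tcp://remotehost:9999]; the port is the last number.
STANZA_RE = re.compile(r"^\[(tcp|udp)://(?:[^:\]]+:)?(\d+)\]", re.M)
NETWORK_APPENDER = "com.cisco.cta.taxii.adapter.NetworkAppender"


def splunk_inputs(conf_text):
    """Set of (protocol, port) pairs that inputs.conf opens for network data."""
    return {(p, int(port)) for p, port in STANZA_RE.findall(conf_text)}


def output_targets(logback_text):
    """{appender name: (protocol, port)} for NetworkAppenders the output logger references."""
    root = ET.fromstring(logback_text)
    targets = {}
    for app in root.iter("appender"):
        if app.get("class") == NETWORK_APPENDER:
            proto = (app.findtext("protocol") or "").strip().lower()
            targets[app.get("name")] = (proto, int(app.findtext("port").strip()))
    logger = root.find("./logger[@name='output']")
    refs = [] if logger is None else [r.get("ref") for r in logger.iter("appender-ref")]
    return {name: targets[name] for name in refs if name in targets}


def find_mismatches(conf_text, logback_text):
    """Names of referenced appenders whose protocol/port has no Splunk input listening."""
    inputs = splunk_inputs(conf_text)
    return sorted(n for n, t in output_targets(logback_text).items() if t not in inputs)
```

Run it with the real inputs.conf and logback.xml contents in place of the samples; an empty result means every referenced appender has a matching Splunk input.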