Tech Add-on for Splunk developed to sourcetype Cisco Umbrella DNS Activity Logs.
- For Cisco Umbrella customers, set up Log Management to export logs to Amazon S3 as described in the Umbrella Customer Docs.
- Install this app into your Splunk environment on your Search Heads, Indexers, and/or Heavy Forwarders as applicable in your environment, restarting as appropriate.
- Follow most of the Umbrella documentation for Splunk Integration, bearing in mind that it was written for setting up an earlier version of the Splunk Add-on for Amazon Web Services to pull your logs from S3. Instead of using the recommended default `aws:s3` as a sourcetype, use `cisco:umbrella` instead.
- Enjoy correctly timestamped logs with field extractions!
- Contributions Welcome. Licensed under Apache 2. Trademarks belong to their respective owners. etc etc.
- I threw this app together one weekend while playing with these Umbrella logs as part of a trial / demo and working my way through the instructions.
- I think there might be some value in normalizing to the CIM model, but I also think there might be some work to be done with Cisco folks to clean up the data as it is sent to S3.
- Questions/comments: I can often be found as "teddybfez" in the Splunk Usergroups Slack. Request an invite through the form on the Nebraska User Group site.
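As an added illustration of what the sourcetype swap above relies on (example configuration written for this README, not the add-on's own files): the S3 input tagged `cisco:umbrella` instead of `aws:s3`, plus a props/transforms pair that reads the UTC timestamp and the quoted CSV columns. The generic S3 input key names and the Umbrella DNS log column order are assumptions taken from Splunk's and Cisco's public documentation; check them against your add-on version and log schema version before use.

```ini
# inputs.conf (Splunk Add-on for AWS, generic S3 input). Key names are
# assumed from the add-on's documentation; values are placeholders.
[aws_s3://umbrella_dns]
aws_account = <your_aws_account_name>
bucket_name = <your-umbrella-log-bucket>
key_name = dnslogs/
# The Umbrella docs suggest aws:s3. That sourcetype knows nothing about
# the Umbrella CSV layout, so _time falls back to index time and no
# fields are extracted. Use the add-on's sourcetype instead:
# sourcetype = aws:s3
sourcetype = cisco:umbrella

# props.conf
[cisco:umbrella]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Umbrella writes "YYYY-MM-DD HH:MM:SS" in UTC as the first quoted
# column. Without TZ the indexer's local zone would be applied and
# every event would be shifted by the UTC offset.
TIME_PREFIX = ^"
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
TZ = UTC
KV_MODE = none
REPORT-umbrella_dns = umbrella_dns_csv
# Optional first step toward the CIM Network Resolution model
# mentioned in the notes above (field names assumed, not verified
# against the add-on).
FIELDALIAS-umbrella_cim = domain AS query internal_ip AS src response_code AS reply_code

# transforms.conf
# Column order assumed from Cisco's DNS log format documentation. The
# regex matches quoted fields, so commas inside "categories" (e.g.
# "Chat,Social Networking") stay in one field instead of splitting.
[umbrella_dns_csv]
REGEX = ^"(?<timestamp>[^"]*)","(?<most_granular_identity>[^"]*)","(?<identities>[^"]*)","(?<internal_ip>[^"]*)","(?<external_ip>[^"]*)","(?<action>[^"]*)","(?<query_type>[^"]*)","(?<response_code>[^"]*)","(?<domain>[^"]*)","(?<categories>[^"]*)"
```

If your Umbrella log schema has extra trailing columns, the regex still matches the first ten; extend it with additional named groups rather than switching to DELIMS, which would split on the commas inside quoted values.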