diff --git a/config/default.yml b/config/default.yml
index 40778e9..2f88abf 100644
--- a/config/default.yml
+++ b/config/default.yml
@@ -9,13 +9,29 @@ splunk:
USERNAME: admin
PASSWORD: admin123
- # Enable HEC by default
+ # Enable HEC by default and file monitoring
inputs:
content:
http:
disabled: 0
port: 8088
enableSSL: 0
+ "monitor:///opt/splunk/logs":
+ disabled: 0
+ index: main
+ recursive: 1
+ "monitor:///opt/splunk/logs/windows_security.log":
+ disabled: 0
+ index: main
+ sourcetype: "WinEventLog:Security"
+ "monitor:///opt/splunk/logs/firewall.log":
+ disabled: 0
+ index: main
+ sourcetype: firewall
+ "monitor:///opt/splunk/logs/aws_cloudtrail.json":
+ disabled: 0
+ index: main
+ sourcetype: "aws:cloudtrail"
# Basic server configuration
server:
diff --git a/config/inputs.conf b/config/inputs.conf
new file mode 100644
index 0000000..c564be4
--- /dev/null
+++ b/config/inputs.conf
@@ -0,0 +1,36 @@
+[default]
+host = splunk_local
+
+# Monitor log files directly from Splunk
+[monitor:///opt/splunk/logs/*.log]
+disabled = false
+sourcetype = auto
+index = main
+recursive = true
+
+[monitor:///opt/splunk/logs/*.json]
+disabled = false
+sourcetype = auto
+index = main
+recursive = true
+
+# Specific source types for better parsing
+[monitor:///opt/splunk/logs/windows_security.log]
+disabled = false
+sourcetype = WinEventLog:Security
+index = main
+
+[monitor:///opt/splunk/logs/firewall.log]
+disabled = false
+sourcetype = firewall
+index = main
+
+[monitor:///opt/splunk/logs/dns_queries.log]
+disabled = false
+sourcetype = dns
+index = main
+
+[monitor:///opt/splunk/logs/aws_cloudtrail.json]
+disabled = false
+sourcetype = aws:cloudtrail
+index = main
\ No newline at end of file
diff --git a/config/system/local/inputs.conf b/config/system/local/inputs.conf
new file mode 100644
index 0000000..e7dfa6d
--- /dev/null
+++ b/config/system/local/inputs.conf
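Review bot: The new `"monitor:///opt/splunk/logs"` stanza with `recursive: 1` covers the same files that the three file-specific stanzas below it target, so windows_security.log, firewall.log and aws_cloudtrail.json each match two monitor inputs and the sourcetype they end up with is decided by Splunk's stanza-precedence rules rather than by this config. Narrow the directory stanza so it only catches files the specific stanzas do not, e.g. add `blacklist: '(windows_security\.log|firewall\.log|aws_cloudtrail\.json)$'` under it, or drop it and keep per-file stanzas only. Everything is sent to `index: main`; detection content is easier to scope, retain and permission if the generated security logs go to a dedicated index (say `security_lab`) rather than sharing main with whatever else lands there. The unchanged context lines in this hunk also show the admin password and `enableSSL: 0` for HEC committed in this file; not part of this change, but worth tracking separately.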
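Review bot: The wildcard stanzas `[monitor:///opt/splunk/logs/*.log]` and `[monitor:///opt/splunk/logs/*.json]` use `sourcetype = auto` and overlap the four file-specific stanzas under "Specific source types", so the specific sourcetypes are only applied if Splunk's most-specific-match rule picks them; a `blacklist = (windows_security\.log|firewall\.log|dns_queries\.log|aws_cloudtrail\.json)$` on the wildcard stanzas removes the ambiguity. This file also duplicates the monitors the same commit adds to config/default.yml, with a different host value (`host = splunk_local`) and an extra dns_queries.log input, and it sits under config/, which the compose file mounts at /tmp/defaults — from what is visible here it is not clear Splunk reads a bare inputs.conf from that path, so either install it under etc/system/local or an app's local/ directory and remove the default.yml copy, or delete it so the inputs have a single source of truth. The file is written without a trailing newline (`\ No newline at end of file`); add one.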
@@ -0,0 +1,84 @@
+[default]
+host = log_generators
+
+# Monitor all log files from generators
+[monitor:///var/log/app/*.log]
+disabled = false
+sourcetype = auto
+index = main
+
+[monitor:///var/log/app/*.json]
+disabled = false
+sourcetype = auto
+index = main
+
+# Specific configurations for better parsing
+[monitor:///var/log/app/windows_security.log]
+disabled = false
+sourcetype = WinEventLog:Security
+index = main
+
+[monitor:///var/log/app/windows_system.log]
+disabled = false
+sourcetype = WinEventLog:System
+index = main
+
+[monitor:///var/log/app/windows_application.log]
+disabled = false
+sourcetype = WinEventLog:Application
+index = main
+
+[monitor:///var/log/app/firewall.log]
+disabled = false
+sourcetype = firewall
+index = main
+
+[monitor:///var/log/app/dns_queries.log]
+disabled = false
+sourcetype = dns
+index = main
+
+[monitor:///var/log/app/web_access.log]
+disabled = false
+sourcetype = access_combined
+index = main
+
+[monitor:///var/log/app/syslog.log]
+disabled = false
+sourcetype = syslog
+index = main
+
+[monitor:///var/log/app/ldap_auth.log]
+disabled = false
+sourcetype = ldap
+index = main
+
+[monitor:///var/log/app/radius_auth.log]
+disabled = false
+sourcetype = radius
+index = main
+
+[monitor:///var/log/app/ssh_auth.log]
+disabled = false
+sourcetype = linux_secure
+index = main
+
+[monitor:///var/log/app/aws_cloudtrail.json]
+disabled = false
+sourcetype = aws:cloudtrail
+index = main
+
+[monitor:///var/log/app/azure_activity.json]
+disabled = false
+sourcetype = azure:activity
+index = main
+
+[monitor:///var/log/app/gcp_audit.json]
+disabled = false
+sourcetype = gcp:audit
+index = main
+
+[monitor:///var/log/app/application.json]
+disabled = false
+sourcetype = json
+index = main
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index aa1ac27..cfb51a4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
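Review bot: The sourcetypes `firewall`, `dns`, `ldap`, `radius`, `azure:activity`, `gcp:audit` and `json` are not defined anywhere in this diff, and unless a props.conf or the matching add-ons provide them, Splunk indexes those inputs with default line breaking and timestamp detection — multi-line JSON records in azure_activity.json and gcp_audit.json can then be split into one event per line with `_time` falling back to index time, which silently breaks any time-based detection over them. Either ship a props.conf next to this file with `INDEXED_EXTRACTIONS = json` (or `KV_MODE = json`) plus `TIME_PREFIX`/`TIME_FORMAT` for each custom sourcetype, or use Splunk's built-in `_json` sourcetype for the JSON files. `host = log_generators` in `[default]` stamps every event from every simulated source with the same host, so host-centric searches over the Windows, SSH and LDAP logs all collapse to a single host; consider a per-stanza `host` or a `host_segment`. The paths here are under /var/log/app while the compose change in this commit mounts logs at /opt/splunk/logs, so presumably this file targets a different container (the forwarder?); a one-line comment at the top stating which instance it is for would prevent it being applied to the wrong one.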
@@ -16,6 +16,7 @@ services: - splunk_etc:/opt/splunk/etc - splunk_var:/opt/splunk/var - ./config:/tmp/defaults + - ./logs:/opt/splunk/logs restart: unless-stopped # Optional: Universal Forwarder for testing log forwarding
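Review bot: The new bind mount `- ./logs:/opt/splunk/logs` is read-write, but the monitor inputs added in this commit only read from that tree (Splunk keeps its file-position state under the separate `splunk_var` volume), so a misbehaving or compromised Splunk process could modify or delete the very log files it ingests. Mount it read-only: `- ./logs:/opt/splunk/logs:ro`. Presumably the log generator service writes into ./logs; if so, the writable mount belongs on that service, not on Splunk. The enclosing `services:` definition starts and ends outside this hunk.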