added some configs to help index the log files we generate so we can search in the splunk UI

2025-07-19 21:14:34 -05:00 · 2025-07-19 21:14:34 -05:00 · e094d67a31
commit e094d67a31
parent fa8fd73f1a
4 changed files with 138 additions and 1 deletions
--- a/config/default.yml
+++ b/config/default.yml
@ -9,13 +9,29 @@ splunk:
          USERNAME: admin
          PASSWORD: admin123
-    # Enable HEC by default
+    # Enable HEC by default and file monitoring
    inputs:
      content:
        http:
          disabled: 0
          port: 8088
          enableSSL: 0
        "monitor:///opt/splunk/logs":
          disabled: 0
          index: main
          recursive: 1
        "monitor:///opt/splunk/logs/windows_security.log":
          disabled: 0
          index: main
          sourcetype: "WinEventLog:Security"
        "monitor:///opt/splunk/logs/firewall.log":
          disabled: 0
          index: main
          sourcetype: firewall
        "monitor:///opt/splunk/logs/aws_cloudtrail.json":
          disabled: 0
          index: main
          sourcetype: "aws:cloudtrail"
    # Basic server configuration
    server:
--- a/config/inputs.conf
+++ b/config/inputs.conf
@ -0,0 +1,36 @@
 [default]
 host = splunk_local
 # Monitor log files directly from Splunk
 [monitor:///opt/splunk/logs/*.log]
 disabled = false
 sourcetype = auto
 index = main
 recursive = true
 [monitor:///opt/splunk/logs/*.json]
 disabled = false
 sourcetype = auto
 index = main
 recursive = true
 # Specific source types for better parsing
 [monitor:///opt/splunk/logs/windows_security.log]
 disabled = false
 sourcetype = WinEventLog:Security
 index = main
 [monitor:///opt/splunk/logs/firewall.log]
 disabled = false
 sourcetype = firewall
 index = main
 [monitor:///opt/splunk/logs/dns_queries.log]
 disabled = false
 sourcetype = dns
 index = main
 [monitor:///opt/splunk/logs/aws_cloudtrail.json]
 disabled = false
 sourcetype = aws:cloudtrail
 index = main
--- a/config/system/local/inputs.conf
+++ b/config/system/local/inputs.conf
@ -0,0 +1,84 @@
 [default]
 host = log_generators
 # Monitor all log files from generators
 [monitor:///var/log/app/*.log]
 disabled = false
 sourcetype = auto
 index = main
 [monitor:///var/log/app/*.json]
 disabled = false
 sourcetype = auto
 index = main
 # Specific configurations for better parsing
 [monitor:///var/log/app/windows_security.log]
 disabled = false
 sourcetype = WinEventLog:Security
 index = main
 [monitor:///var/log/app/windows_system.log]
 disabled = false
 sourcetype = WinEventLog:System
 index = main
 [monitor:///var/log/app/windows_application.log]
 disabled = false
 sourcetype = WinEventLog:Application
 index = main
 [monitor:///var/log/app/firewall.log]
 disabled = false
 sourcetype = firewall
 index = main
 [monitor:///var/log/app/dns_queries.log]
 disabled = false
 sourcetype = dns
 index = main
 [monitor:///var/log/app/web_access.log]
 disabled = false
 sourcetype = access_combined
 index = main
 [monitor:///var/log/app/syslog.log]
 disabled = false
 sourcetype = syslog
 index = main
 [monitor:///var/log/app/ldap_auth.log]
 disabled = false
 sourcetype = ldap
 index = main
 [monitor:///var/log/app/radius_auth.log]
 disabled = false
 sourcetype = radius
 index = main
 [monitor:///var/log/app/ssh_auth.log]
 disabled = false
 sourcetype = linux_secure
 index = main
 [monitor:///var/log/app/aws_cloudtrail.json]
 disabled = false
 sourcetype = aws:cloudtrail
 index = main
 [monitor:///var/log/app/azure_activity.json]
 disabled = false
 sourcetype = azure:activity
 index = main
 [monitor:///var/log/app/gcp_audit.json]
 disabled = false
 sourcetype = gcp:audit
 index = main
 [monitor:///var/log/app/application.json]
 disabled = false
 sourcetype = json
 index = main
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -16,6 +16,7 @@ services:
      - splunk_etc:/opt/splunk/etc
      - splunk_var:/opt/splunk/var
      - ./config:/tmp/defaults
      - ./logs:/opt/splunk/logs
    restart: unless-stopped
  # Optional: Universal Forwarder for testing log forwarding