added some configs to help index the log files we generate so we can search in the splunk UI

config/default.yml

@@ -9,13 +9,29 @@ splunk:
           USERNAME: admin
           PASSWORD: admin123
     
-    # Enable HEC by default
+    # Enable HEC by default and file monitoring
     inputs:
       content:
         http:
           disabled: 0
           port: 8088
           enableSSL: 0
+        "monitor:///opt/splunk/logs":
+          disabled: 0
+          index: main
+          recursive: 1
+        "monitor:///opt/splunk/logs/windows_security.log":
+          disabled: 0
+          index: main
+          sourcetype: "WinEventLog:Security"
+        "monitor:///opt/splunk/logs/firewall.log":
+          disabled: 0
+          index: main
+          sourcetype: firewall
+        "monitor:///opt/splunk/logs/aws_cloudtrail.json":
+          disabled: 0
+          index: main
+          sourcetype: "aws:cloudtrail"
           
     # Basic server configuration
     server:

config/inputs.conf

@@ -0,0 +1,36 @@
+[default]
+host = splunk_local
+
+# Monitor log files directly from Splunk
+[monitor:///opt/splunk/logs/*.log]
+disabled = false
+sourcetype = auto
+index = main
+recursive = true
+
+[monitor:///opt/splunk/logs/*.json]
+disabled = false
+sourcetype = auto
+index = main
+recursive = true
+
+# Specific source types for better parsing
+[monitor:///opt/splunk/logs/windows_security.log]
+disabled = false
+sourcetype = WinEventLog:Security
+index = main
+
+[monitor:///opt/splunk/logs/firewall.log]
+disabled = false
+sourcetype = firewall
+index = main
+
+[monitor:///opt/splunk/logs/dns_queries.log]
+disabled = false
+sourcetype = dns
+index = main
+
+[monitor:///opt/splunk/logs/aws_cloudtrail.json]
+disabled = false
+sourcetype = aws:cloudtrail
+index = main

config/system/local/inputs.conf

@@ -0,0 +1,84 @@
+[default]
+host = log_generators
+
+# Monitor all log files from generators
+[monitor:///var/log/app/*.log]
+disabled = false
+sourcetype = auto
+index = main
+
+[monitor:///var/log/app/*.json]
+disabled = false
+sourcetype = auto
+index = main
+
+# Specific configurations for better parsing
+[monitor:///var/log/app/windows_security.log]
+disabled = false
+sourcetype = WinEventLog:Security
+index = main
+
+[monitor:///var/log/app/windows_system.log]
+disabled = false
+sourcetype = WinEventLog:System
+index = main
+
+[monitor:///var/log/app/windows_application.log]
+disabled = false
+sourcetype = WinEventLog:Application
+index = main
+
+[monitor:///var/log/app/firewall.log]
+disabled = false
+sourcetype = firewall
+index = main
+
+[monitor:///var/log/app/dns_queries.log]
+disabled = false
+sourcetype = dns
+index = main
+
+[monitor:///var/log/app/web_access.log]
+disabled = false
+sourcetype = access_combined
+index = main
+
+[monitor:///var/log/app/syslog.log]
+disabled = false
+sourcetype = syslog
+index = main
+
+[monitor:///var/log/app/ldap_auth.log]
+disabled = false
+sourcetype = ldap
+index = main
+
+[monitor:///var/log/app/radius_auth.log]
+disabled = false
+sourcetype = radius
+index = main
+
+[monitor:///var/log/app/ssh_auth.log]
+disabled = false
+sourcetype = linux_secure
+index = main
+
+[monitor:///var/log/app/aws_cloudtrail.json]
+disabled = false
+sourcetype = aws:cloudtrail
+index = main
+
+[monitor:///var/log/app/azure_activity.json]
+disabled = false
+sourcetype = azure:activity
+index = main
+
+[monitor:///var/log/app/gcp_audit.json]
+disabled = false
+sourcetype = gcp:audit
+index = main
+
+[monitor:///var/log/app/application.json]
+disabled = false
+sourcetype = json
+index = main

docker-compose.yml

@@ -16,6 +16,7 @@ services:
       - splunk_etc:/opt/splunk/etc
       - splunk_var:/opt/splunk/var
       - ./config:/tmp/defaults
+      - ./logs:/opt/splunk/logs
     restart: unless-stopped
 
   # Optional: Universal Forwarder for testing log forwarding