collect grr results for analytics using ELK/ Splunk /etc.

Question

collect grr results for analytics using ELK/ Splunk /etc.

arimb00r opened this issue 4 years ago · comments

arimb00r commented 4 years ago

what are the options for 3rd party applications ELK/ Splunk /etc to connect GRR DB for analytics, visualization, etc.

Joachim Metz · Answer 1 · Wed Feb 19 2020 15:18:27 GMT+0800 (China Standard Time)

@arimb00r what type of analytics, visualization, etc. are you thinking about?

We use plaso / dfTimeWolf / TimeSketch for our needs but not sure if those match your use case(s)

Denver Ogaro · Answer 2 · Wed Feb 19 2020 17:31:38 GMT+0800 (China Standard Time)

We plan on adding an output plugin for Splunk some time this year. @max-vogler should know more.

Max Vogler · Answer 3 · Wed Feb 19 2020 17:57:06 GMT+0800 (China Standard Time)

Yes, as said in #757, I will open-source a Splunk OutputPlugin in the next weeks.

Generally, if you want to connect GRR to other systems, OutputPlugins are the way to go. We have existing ones for BigQuery, CSV, SQLite, and YAML. Furthermore, we support monitoring with Prometheus

arimb00r · Answer 4 · Thu Feb 20 2020 21:33:25 GMT+0800 (China Standard Time)

awesome .....

Max Vogler · Answer 5 · Tue Feb 25 2020 00:38:41 GMT+0800 (China Standard Time)

SplunkOutputPlugin is available in HEAD and documented at Output Plugins.

arimb00r · Answer 6 · Wed Mar 11 2020 17:48:45 GMT+0800 (China Standard Time)

when I update the file /etc/grr/server.local.yaml with the following, the GRR is not starting

Splunk.url: https://192.168.0.100:8088
Splunk.token: bb7e1f36-8d57-4d3c-8ef5-5b2de06cdee4

Max Vogler · Answer 7 · Wed Mar 11 2020 18:17:26 GMT+0800 (China Standard Time)

Please open an issue with logs including error messages and a detailed description of your setup.