Add Splunk documentation #386
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -28,6 +28,7 @@ keypair | |
| keyserver | ||
| Kubebuilder | ||
| LDIF | ||
| libmagic | ||
| LLDB | ||
| Mailcatcher | ||
| minio | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,104 @@ | ||
| # Splunk App | ||
|
|
||
| The Bitwarden Splunk app fetches event log data from the Bitwarden Public API and makes it available | ||
| in Splunk. | ||
|
|
||
| ## Requirements | ||
|
|
||
| - Docker. If you're using an Apple Silicon Mac, enable _Docker Desktop_ -> _Settings_ -> _General_ | ||
| -> _Use Rosetta for x86_64/amd64 emulation on Apple Silicon_ | ||
| - Python 3.8 or 3.9 | ||
| - [Poetry][poetry] | ||
| - libmagic (macOS only), available via homebrew: `brew install libmagic` | ||
| - A Bitwarden server with event logging configured and an enterprise organization. To set this up | ||
|
There was a problem hiding this comment.
There was a problem hiding this comment.
|
||
| locally, see the [Setup Guide](../server/guide.md) and [Event Logging](../server/events.md) | ||
|
|
||
| ## Set up and configuration | ||
|
|
||
| ### Configure your environment | ||
|
|
||
| 1. Clone the Github repository: | ||
|
|
||
| ``` | ||
| git clone https://github.com/bitwarden/splunk.git | ||
| ``` | ||
|
|
||
| 2. Navigate to the root of the repository: | ||
|
|
||
| ``` | ||
| cd splunk | ||
| ``` | ||
|
|
||
| 3. Activate the poetry shell: | ||
|
|
||
| ``` | ||
| poetry shell | ||
| ``` | ||
|
|
||
| 4. Tell poetry to use the required Python version: | ||
|
|
||
| ``` | ||
| poetry env use <executable> | ||
| ``` | ||
|
|
||
| Where `<executable>` is the executable for Python 3.8 or 3.9. If this is in your PATH variable | ||
| then you do not need to specify the full path. e.g. `poetry env use python3.8` | ||
|
|
||
|
There was a problem hiding this comment. i just did a fresh test and i think this should be the other way around. |
||
| 5. Install dependencies: | ||
|
|
||
| ``` | ||
| poetry install --with dev | ||
| ``` | ||
|
|
||
| ### Set up Splunk Enterprise | ||
|
|
||
| 1. Run Splunk Enterprise: | ||
|
|
||
| ``` | ||
| docker run --rm --platform linux/amd64 --name splunk -d -p 8001:8000 -p 8089:8089 -e SPLUNK_START_ARGS='--accept-license' -e SPLUNK_PASSWORD='password' splunk/splunk:latest | ||
| ``` | ||
|
|
||
| Please note this will set the admin password to `password`. This is for development purposes | ||
| only. | ||
|
|
||
| 2. Confirm that Splunk is running by navigating to http://localhost:8001 | ||
|
|
||
| ### Deploy the app | ||
|
|
||
| 1. Package the app: | ||
|
|
||
| ``` | ||
| ./package.sh | ||
| ``` | ||
|
|
||
| This will produce a packaged Splunk app in `output/bitwarden_event_logs.tar.gz` | ||
|
|
||
| 2. Deploy the app to Splunk: | ||
|
|
||
| ``` | ||
| ./deploy.sh | ||
| ``` | ||
|
|
||
| This will restart Splunk and it may take a few seconds to become available again after the script | ||
| is finished | ||
|
|
||
| 3. (optional) Check the logs for errors or for debugging purposes later: | ||
| ``` | ||
| docker exec -u splunk -it splunk tail -f /opt/splunk/var/log/splunk/bitwarden_event_logs_beta.log | ||
| ``` | ||
|
|
||
| ### Configure the app in Splunk | ||
|
|
||
| 1. Navigate to the Splunk web app: http://localhost:8001 | ||
|
|
||
| 2. Log in with the username `admin` and the password `password` | ||
|
|
||
| 3. Click on the _Apps_ -> _Bitwarden Event Logs_ | ||
|
|
||
| 4. Complete the setup. Refer to the [Bitwarden Help Center][Bitwarden Splunk SIEM] for more | ||
| information about configuration | ||
|
|
||
| You should now see your organization events in _Apps_ -> _Bitwarden Event Logs_ -> _Dashboards_. | ||
|
|
||
| [Bitwarden Splunk SIEM]: https://bitwarden.com/help/splunk-siem/ | ||
| [poetry]: https://python-poetry.org/docs/#installation | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have just tested other python versions and it works fine with 3.7-3.10
In 3.11 and 3.12 the
./package.shstep produces an error during splunk-appinspect package validation - looks like the splunk tooling is not compatible with never versions of python.Also let's add 3.7, even though it's EOL, since it's it is still supported by Splunk.