Splunk Integration with MHN Addon

Dashboarding and Splunking in the early hours of the morning

SmUrF3R5
Jun 7, 2017

The Splunk Modern Honeypot Network add-on is a great addition to your MHN installation. You will need to have Splunk installed. Once you have that completed, come back here and finish the MHN add-on install.

Download the MHN add-on from Splunkbase.

Installing your download. To install apps and add-ons from within Splunk Enterprise:

  1. Log into Splunk Enterprise.
  2. On the Apps menu, click Manage Apps.
  3. Click Install app from file.
  4. In the Upload app window, click Choose File.
  5. Locate the .tar.gz file you just downloaded, and then click Open or Choose.
  6. Click Upload.
  7. Click Restart Splunk, and then confirm that you want to restart.

Okay, so now you will have the MHN add-on installed but nothing feeding it. You will need to run the install_hpfeeds-logger-splunk script to get this hooked up.

Install hpfeeds-logger-splunk

cd /opt/mhn/scripts/
sudo ./install_hpfeeds-logger-splunk

Okay, you are almost there. Now we need to configure Splunk to read the hpfeeds log files.

Log in to your Splunk web console and navigate to: Apps > Manage Apps > Install App From File. Select New and paste this in the File or Directory box: /var/log/mhn/mhn-splunk.log

Make sure “Continuously monitor” is selected. Click Next and accept all the defaults.
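
If the dashboards stay empty after this, first check whether the logger is writing to the file Splunk is monitoring. The function below is an added example, not part of the original post or the MHN project; the name check_feed_log and the one-hour staleness threshold are assumptions.

```shell
#!/bin/sh
# Added example: confirm the hpfeeds logger is writing before blaming Splunk.
# Return codes: 0 ok, 1 missing, 2 unreadable, 3 empty, 4 stale.
check_feed_log() {
    log=${1:-/var/log/mhn/mhn-splunk.log}   # path given in the post
    max_age=${2:-3600}                      # assumed threshold, in seconds

    if [ ! -e "$log" ]; then
        echo "MISSING: $log (did install_hpfeeds-logger-splunk run?)"
        return 1
    fi
    if [ ! -r "$log" ]; then
        echo "UNREADABLE: $log (run this as the account Splunk runs under)"
        return 2
    fi
    if [ ! -s "$log" ]; then
        echo "EMPTY: $log exists but no honeypot events have been logged"
        return 3
    fi

    # mtime in epoch seconds: GNU stat first, BSD stat as fallback
    mtime=$(stat -c %Y "$log" 2>/dev/null || stat -f %m "$log")
    now=$(date +%s)
    age=$((now - mtime))
    if [ "$age" -gt "$max_age" ]; then
        echo "STALE: last write to $log was ${age}s ago"
        return 4
    fi

    echo "OK: $log written ${age}s ago, $(wc -l < "$log") lines"
    return 0
}

# Run the check only when the script is given arguments: [path] [max_age_seconds]
if [ "$#" -gt 0 ]; then check_feed_log "$@"; fi
```

A quiet honeypot can legitimately report STALE, so set the threshold to match how much traffic your sensors normally see.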

In the next post we will add a cool missile map!

-SmUrF3R5
