🖥️
Portfolio
  • About me
  • My Mission
  • License
  • Homelab
    • Server rack
      • Pictures
      • Hardware and software inventory
    • Test range
      • Malware lab
        • Remnux and Flare VM installation
      • Proxmox
        • How to backup VM's in Proxmox
      • Breach and Attack Simulation (BAS)
        • Install MITRE Caldera
        • MITRE Caldera demo
        • Install Atomic Red team
    • SIEM Architecture
      • ELK installation
      • Splunk install and configuration
      • Forwarding Sysmon logs to Splunk
      • Cribl Edge -> Cribl Stream
      • Cribl Edge -> Splunk
      • Cribl -> Amazon S3 bucket
    • Raspberry Pi
      • Cloudflare DDNS
      • OpenVPN on Raspberry Pi
      • Pi-Hole
      • Raspberry Pi project ideas
    • Privacy
  • CTF
    • Machines
      • MongoDB
      • Explosion
      • Lame
      • Preignition
      • Jerry
      • Synced
      • Appointment
      • Blue
      • Sequel
      • Netmon
    • PicoCTF
    • Exploit tool definitions
    • Cheat sheets
      • tmux
      • Linux
  • Cybersecurity
    • Purple team content
      • Detecting Discovery commands
    • Detection As Code (DAC)
      • Sigma CI/CD
      • DAC with Elastic SIEM
    • Use case repositories
    • Frameworks
    • Tools
    • Online resources
      • MITRE
      • Splunk
      • Machine Learning
      • Ethical Hacking
      • Podcasts
      • Threat Reports
      • Detection Engineering articles
  • AI/ML
    • Tools
      • D.I.A.N.A
      • Fabric
      • Run Ollama locally
      • Using Ollama & Fabric to build Sigma rules
    • Custom prompts
      • Lessons Learned
      • Create Sigma rules
  • Scripts
    • Python
      • Elastic DAC pipeline
  • Cloud projects
    • Cloud Resume Challenge - AWS
  • BOOK CLUB
    • Lists
Powered by GitBook
On this page
  1. Homelab
  2. SIEM Architecture

Cribl Edge -> Splunk

PreviousCribl Edge -> Cribl StreamNextCribl -> Amazon S3 bucket

Last updated 6 months ago

In this blog, we will demonstrate how to send Cribl Edge logs to Splunk using the HTTP Event Collector (HEC). HEC is a Splunk feature that allows you to send data and application events to your Splunk deployment over HTTP or HTTPS protocols using token-based authentication.

To start, ensure you have a source ingesting logs of your choice. Refer to blog to review how to set up log sources in Cribl. In this example, we are ingesting Windows Event logs into a Cribl Edge instance.

Navigate to your Splunk instance, go to "Settings" > "Indexes," and click "New index."

Enter the index name as "Cribl," or choose a different name for your index.

Next, we need to configure HEC in the Splunk console. Go to "Settings" > "Data inputs" and click on "HTTP Event Collector."

Select "New token" in the upper right-hand corner.

The name can be whatever you choose for the HEC connection; the other options can be left as default.

Next, select the "Cribl" index we created earlier, and define a new source type or use an existing one.

Select "Review," then "Submit" to view your token. Copy this so we can use it in our Cribl instance.

Navigate back to your Cribl Edge instance. Under "Destinations," select "HEC."

Click "Add destination."

Fill out the following details:

  • OutputID: The name of your destination

  • HEC endpoint: The IP address of your Splunk instance

  • Authentication method: We will use "Manual" in this example

  • HEC auth token: The token you copied in earlier steps

Complete the form and click "Save."

Go to the "Data Routes" section within Cribl, and create a new route with any name you desire. Fill out the following:

  • Route name: The name you choose

  • Filter: The log sources you want to allow through the route

  • Pipeline: Select which pipeline you want to send the logs through; there is a default option for Windows Event logs

  • Output: Select the name of the HEC destination you created in Cribl

We can go back to Cribl Destinations to run a quick test signal.

Navigate to your Splunk search bar and type index=cribl to see the ingested logs.

this
Windows Event logs are currently being sent to "DevNull", a testing destination