This repository has been archived by the owner on Feb 15, 2024. It is now read-only.

Document test Splunk alert recipe #6

Closed
atc0005 opened this issue Jan 24, 2020 · 2 comments · Fixed by #30
Labels
documentation Improvements or additions to documentation
Milestone

Comments


atc0005 commented Jan 24, 2020

Not sure if Splunk or Graylog support remote queries. This might not be within the final scope of this project to have this as a primary feature, but when actively developing the initial version of this application it could be useful to trigger these queries remotely.


atc0005 commented Mar 6, 2020

A workaround is to set up a search that will nearly always succeed in providing results in the expected format:

  1. Log in to EZproxy so that the event is recorded in the audit and traffic log files
  2. Search Splunk for only your username (in the index holding traffic logs)
  3. Create and enable a testing alert
    1. Alert using search parameters that trigger only on your username (in the index holding traffic logs)
    2. Use a cron-like alert schedule that triggers every 5 minutes

This isn't immediate, but once enabled the alert will continue to trigger at set intervals giving you a chance to compare those timed submissions.
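The recipe above expressed as a Splunk `savedsearches.conf` stanza, added here as an illustration rather than taken from the issue or the brick project itself. The index name `ezproxy_traffic`, the test username `jdoe`, the `user` field name, and the brick webhook URL are assumptions; replace them with your own values.

```ini
; Assumed stanza name; any name works, it becomes the "search_name" in the webhook payload
[brick-test-alert]
; Match ONLY the test account so the alert can never fire on anyone else's traffic.
; "ezproxy_traffic", "user" and "jdoe" are placeholders for your index, field and username.
search = index=ezproxy_traffic user="jdoe" | stats count by user, src_ip
; Look back over the same 5-minute window the schedule uses
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
; Scheduled, cron-style: top of every 5th minute
enableSched = 1
cron_schedule = */5 * * * *
; Fire whenever the search returns at least one result
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
; Keep a record of each triggered alert in Splunk for later comparison
alert.track = 1
alert.suppress = 0
; Deliver the alert to brick via the webhook alert action (URL is a placeholder)
action.webhook = 1
action.webhook.param.url = http://brick.example.internal:8000/PLACEHOLDER-BRICK-ENDPOINT
disabled = 0
```

Because the alert will keep firing every 5 minutes for as long as it is enabled, add the test username to brick's ignore file for usernames first so the timed test submissions are logged and notified but never disable the real account.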


atc0005 commented Mar 6, 2020

In the end I don't think we'll implement this, but documenting the suggested Alert conditions within Splunk to trigger test payloads seems like a worthwhile TODO item.

Will change the focus of this issue to cover that task.

@atc0005 atc0005 added the documentation Improvements or additions to documentation label Mar 6, 2020
@atc0005 atc0005 added this to the v0.1.0 milestone Mar 6, 2020
@atc0005 atc0005 changed the title Add support for polling a remote API Document test Splunk alert recipe Mar 6, 2020
atc0005 added a commit that referenced this issue May 23, 2020
Features of the initial prototype release:

- Highly configurable (with more configuration choices to be exposed
  in the future)

- Supports configuration settings from multiple sources
  - command-line flags
  - environment variables
  - configuration file
  - reasonable default settings

- Ignore individual usernames (i.e., prevent disabling listed accounts)
- Ignore individual IP Addresses (i.e., prevent disabling associated
  account)

- User configurable logging settings
  - levels, format and output

- Microsoft Teams notifications
  - generated for multiple events
    - alert received
    - disabled user
    - ignored user
    - ignored IP Address
    - error occurred
  - configurable retries
  - configurable notifications delay in order to respect remote API
    limits

- Logging
  - Payload receipt from monitoring system
  - Action taken due to payload
    - username ignored
      - due to username inclusion in ignore file for usernames
      - due to IP Address inclusion in ignore file for IP Addresses
    - username disabled

- contrib files/content provided to allow for spinning up a demo
  environment in order to provide a hands-on sense of what this
  project can do
  - fail2ban
  - postfix
  - docker
    - Maildev container
  - brick
  - rsyslog
  - systemd
  - sample JSON payloads for use with curl or other http/API clients
  - demo environment doc
  - slides from group presentation/demo

Worth noting:

- Go modules (vs classic GOPATH setup)
- GitHub Actions Workflows which apply linting and build checks
- Makefile for general use cases (including local linting)
  - Note: See README first if building on Windows

refs:

- GH-26
- GH-21
- GH-16
- GH-15
- GH-13
- GH-12
- GH-11
- GH-7
- GH-6
- GH-4
- GH-1