A Splunk app that extracts web attack records from the XML reports generated by IPA's iLogScanner.
- Log on to your Splunk instance and go to "Manage Apps".
- Click either "Install app from file" or "Browse more apps".
  - "Install app from file"
    - Upload this app's tar.gz, which you should have downloaded from Splunkbase or GitHub beforehand.
  - "Browse more apps"
    - Search for this app using keywords such as "iLogScanner" or "IPA", then follow the instructions shown in the modal.
The inputs to this app are XML reports generated by IPA's iLogScanner. Below is a usage example of iLogScanner, which detects suspicious or malicious access in an Apache access log and writes the detection result as an XML report.
./iLogScanner.sh mode=cui logtype=apache accesslog=path/to/access_log outdir=output reporttype=xml level=detail
- Prepare the reports as explained above.
- Put the reports under $SPLUNK_HOME/etc/apps/app_ilog-scanner/xml.
- Go to "Settings" >> "Data inputs" >> "Files & Directories".
- Either enable or modify the input $SPLUNK_HOME/etc/apps/app_ilog-scanner/xml.
  - Enable
    - Just click "Enable" for $SPLUNK_HOME/etc/apps/app_ilog-scanner/xml. The data will be indexed into main. Preparation is done; there is no need to go through the remaining steps.
  - Modify
    - Click $SPLUNK_HOME/etc/apps/app_ilog-scanner/xml to change the index into which the data will be indexed. If it is changed, the macro must be modified accordingly.
    - Go to "Advanced search" >> "Search macros" and click "ilog".
    - Modify the definition to specify the index you chose in the "Modify" step above.
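The caveat in the "Modify" step (changing the input's index means the `ilog` macro must name the same index) can be checked mechanically. The following is an added example, not code shipped with the app: it parses constructed inputs.conf and macros.conf fragments and reports whether the two agree; the macro body `index=<name>` is an assumption about how the app's macro is written.

```python
"""Check that the xml monitor input and the `ilog` macro use the same index.
Added example, not part of the app; the .conf texts are constructed inline and
the macro body `index=<name>` is an assumption about the app's macro definition.
"""
import configparser
import re

# Constructed sample: index changed on the input, macro still points at main.
INPUTS_CONF = """
[monitor://$SPLUNK_HOME/etc/apps/app_ilog-scanner/xml]
disabled = 0
index = websec
"""
MACROS_CONF = """
[ilog]
definition = index=main
"""
MONITOR_STANZA = "monitor://$SPLUNK_HOME/etc/apps/app_ilog-scanner/xml"

def _parse(conf_text):
    # interpolation=None so '$' and '%' in Splunk paths are left untouched
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp

def input_index(conf_text, stanza=MONITOR_STANZA):
    """Index the monitor input writes to (Splunk default: main); None if absent/disabled."""
    cp = _parse(conf_text)
    if not cp.has_section(stanza):
        return None
    if cp.get(stanza, "disabled", fallback="0").strip().lower() not in ("0", "false"):
        return None  # a disabled input indexes nothing
    return cp.get(stanza, "index", fallback="main").strip()

def macro_index(conf_text, name="ilog"):
    """Index named in the macro definition, or None if it names none."""
    definition = _parse(conf_text).get(name, "definition", fallback="")
    m = re.search(r'\bindex\s*=\s*"?([\w-]+)"?', definition)
    return m.group(1) if m else None

def check(inputs_text=INPUTS_CONF, macros_text=MACROS_CONF):
    """Return (ok, message); ok is False when the macro points elsewhere."""
    wanted, macro = input_index(inputs_text), macro_index(macros_text)
    if wanted is None:
        return False, "xml monitor input is missing or disabled"
    if macro != wanted:
        return False, f"ilog macro uses index={macro!r} but input writes to {wanted!r}"
    return True, f"ilog macro and xml input both use index={wanted!r}"
```

Run it against the `local/` copies of both files after changing the index; a `False` result means searches built on `ilog` will silently return nothing from the new reports.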