MetaFlows developed a Splunk application that receives all sensor events in Splunk through an SSL-encrypted channel called metaflows-syslog. The events are automatically categorized as follows:
High Priority Events
Network Logs (3rd party logs sent to the sensors)
File Transmission Analysis
Suspicious URL Transmission Analysis
Event volumes are also broken down by addresses, ports and other important invariants such as sensor names, domain types, applications, etc. It is possible to click on any summary record field to either drill down in Splunk or drill down into the MetaFlows web application to obtain more detailed forensic information such as packet payloads.
Splunk App Installation
-- App Installation --
The app is available from SplunkWeb. Please download and install the application using your Splunk application manager. The app receives syslog messages on TCP port 3015 encapsulated using SSL. The default installation includes a generic self-signed SSL certificate in the certs directory. This certificate was generated using the commands:
$SPLUNK_HOME/bin/genRootCA.sh -d $SPLUNK_HOME/etc/apps/SplunkforMetaFlows/certs
$SPLUNK_HOME/bin/genSignedServerCert.sh -d $SPLUNK_HOME/etc/apps/SplunkforMetaFlows/certs -n splunk -p
We recommend that you generate a new SSL certificate using your own passphrase by repeating the commands above, so that the listener no longer presents the generic certificate that every copy of the app package contains.
The passphrase you enter when generating the certificate should then be placed in $SPLUNK_HOME/etc/apps/SplunkforMetaFlows/default/inputs.conf under the [SSL] stanza as:
password = <yourpassword>
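As an added example (not MetaFlows' or Splunk's own code), the script below performs two defender-side checks for the listener described above: it audits an inputs.conf for a missing or placeholder [SSL] password, a missing serverCert and a missing tcp-ssl listener on port 3015, and it fingerprints the certificate a live listener presents so you can tell whether it is still the generic one shipped in the certs directory. The page only shows the password line; the [tcp-ssl:3015] stanza, the certs/splunk.pem file name and the metaflows-syslog sourcetype are assumptions about how the rest of the stanza is written, and the sample inputs.conf texts and the PEM stand-ins are constructed so the example runs offline.

```python
"""Added example: audit the SSL syslog listener configuration and certificate.

Not part of the MetaFlows app or of Splunk. Assumed (not on the page):
the [tcp-ssl:3015] stanza form, the serverCert path certs/splunk.pem and
the metaflows-syslog sourcetype. Sample configs and PEM blobs are constructed.
"""
import base64
import configparser
import hashlib
import ssl

# Values that mean "the admin never set a real passphrase".
PLACEHOLDER_PASSWORDS = {"", "<yourpassword>", "password"}
EXPECTED_PORT = "3015"  # sensors send SSL-wrapped syslog to this port

# Constructed sample: what inputs.conf looks like right after installation
# if the placeholder from the README is left in place (assumed layout).
DEFAULT_INPUTS_CONF = """\
[SSL]
serverCert = $SPLUNK_HOME/etc/apps/SplunkforMetaFlows/certs/splunk.pem
password = <yourpassword>

[tcp-ssl:3015]
sourcetype = metaflows-syslog
"""

# Constructed sample: the same file after the admin regenerated the
# certificate and entered their own passphrase (value is made up).
HARDENED_INPUTS_CONF = """\
[SSL]
serverCert = $SPLUNK_HOME/etc/apps/SplunkforMetaFlows/certs/splunk.pem
password = example-passphrase-chosen-by-admin

[tcp-ssl:3015]
sourcetype = metaflows-syslog
"""


def audit_inputs_conf(text: str) -> list:
    """Return a list of findings; an empty list means the stanzas look sane."""
    cp = configparser.ConfigParser(interpolation=None)  # '$SPLUNK_HOME' is literal
    cp.read_string(text)
    findings = []
    if not cp.has_section("SSL"):
        findings.append("no [SSL] stanza: the tcp-ssl input has no server certificate")
        return findings
    ssl_stanza = cp["SSL"]
    if not ssl_stanza.get("serverCert", "").strip():
        findings.append("[SSL] serverCert is not set")
    if ssl_stanza.get("password", "").strip() in PLACEHOLDER_PASSWORDS:
        findings.append("[SSL] password is empty or still a placeholder")
    if not cp.has_section(f"tcp-ssl:{EXPECTED_PORT}"):
        findings.append(f"no [tcp-ssl:{EXPECTED_PORT}] stanza: sensors send on port {EXPECTED_PORT}")
    return findings


def cert_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of a PEM certificate, colon-separated as openssl prints it."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def classify_listener_cert(live_pem: str, shipped_pem: str) -> str:
    """'default' if the listener presents the generic shipped cert, else 'custom'."""
    return "default" if cert_fingerprint(live_pem) == cert_fingerprint(shipped_pem) else "custom"


def fetch_listener_pem(host: str, port: int = 3015) -> str:
    """Fetch the PEM a live listener presents (no chain validation: we only fingerprint it)."""
    return ssl.get_server_certificate((host, port))


def constructed_pem(der_bytes: bytes) -> str:
    """Wrap arbitrary bytes as a PEM body: a constructed stand-in so the demo runs offline.
    A real certificate is DER ASN.1; fingerprinting does not depend on the contents."""
    body = base64.encodebytes(der_bytes).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for label, text in (("shipped", DEFAULT_INPUTS_CONF), ("hardened", HARDENED_INPUTS_CONF)):
        print(f"{label}: {audit_inputs_conf(text) or 'OK'}")
    shipped = constructed_pem(b"stand-in for the generic cert from the app package")
    regenerated = constructed_pem(b"stand-in for a freshly generated cert")
    print("unchanged listener:", classify_listener_cert(shipped, shipped))
    print("regenerated listener:", classify_listener_cert(regenerated, shipped))
```

To run it against a real deployment, read the shipped certificate from the app's certs directory with cert_fingerprint() and compare it with fetch_listener_pem(<splunk_host>) from a sensor host; a result of "default" means every holder of the app package has the private key that protects the channel.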
-- Sensor Configuration --
In order for Splunk to receive MetaFlows sensor events, you need to add the following line to your /nsm/etc/mss.sh startup script
where <splunk_host_ip_address> is the IP address of the host where Splunk is running. After this, restart your sensor(s) with the command
Make sure that TCP port 3015 is open and that the sensor can communicate with your Splunk host.
Added documentation regarding SSL certificate.
Placed Build number in correct stanza
Must process events originating from MetaFlows sensors on port 3015
Drilldown only supports SaaS accounts on nsm.metaflows.com