This TA enables a direct tcpdump input on a Linux system running the Splunk Universal Forwarder.
* Method 1: scripted input
* Method 2: run tcpdump as a service and write its output to a log file
Running tcpdump permanently is a security risk. Don't run it on important production systems. Everything you do with this add-on is at your own risk.
Please email me at email@example.com if you have any issues. I actively support my apps and am eager to receive any feedback.
* tcpdump now captures on all interfaces (excluding localhost, host 127.0.0.1); there is no longer any need to edit settings to select an interface
* as an alternative to the scripted input, a second method was added: run tcpdump as a systemd service that writes its output to /var/log/tcpdump.log and let Splunk monitor that log. A unit file template for /etc/systemd/system is provided.
* added a template file for /etc/logrotate.d/tcpdump that truncates /var/log/tcpdump.log
* documentation updated
first public release, consider it a beta
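The pieces of method 2 wired together, as an added example that is not the add-on's own template files: a systemd unit that writes tcpdump output to /var/log/tcpdump.log, a logrotate fragment that truncates it in place, and the Splunk monitor stanza. The install function, its DESTDIR prefix, the `tcpdump` sourcetype name and the /opt/splunkforwarder path are assumptions; it also assumes systemd 240 or newer for `StandardOutput=append:`.

```shell
#!/bin/sh
# Added example, not the add-on's own template: stage the three files behind
# "method 2" (systemd unit, logrotate fragment, Splunk monitor stanza).
# A DESTDIR prefix (default "") lets you write them somewhere harmless first.
# Assumes systemd >= 240 (StandardOutput=append:) and a UF in /opt/splunkforwarder.
set -eu

install_tcpdump_logging() {
    destdir="${1:-}"
    mkdir -p "$destdir/etc/systemd/system" "$destdir/etc/logrotate.d" \
             "$destdir/opt/splunkforwarder/etc/system/local"

    # -i any: all interfaces; 'not host 127.0.0.1': drop loopback traffic.
    # -nn: no name lookups; -l: line-buffered output; -tttt: full date per line.
    cat > "$destdir/etc/systemd/system/tcpdump.service" <<'EOF'
[Unit]
Description=tcpdump to /var/log/tcpdump.log for Splunk Universal Forwarder
After=network.target

[Service]
ExecStart=/usr/sbin/tcpdump -i any -nn -l -tttt 'not host 127.0.0.1'
StandardOutput=append:/var/log/tcpdump.log
StandardError=journal
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

    # tcpdump keeps the file open, so truncate in place instead of renaming;
    # Splunk's monitor input detects the truncation and re-reads from the start.
    cat > "$destdir/etc/logrotate.d/tcpdump" <<'EOF'
/var/log/tcpdump.log {
    daily
    maxsize 100M
    rotate 3
    copytruncate
    compress
    missingok
    notifempty
}
EOF
    # sourcetype name is an assumption; use whatever the TA defines.
    cat > "$destdir/opt/splunkforwarder/etc/system/local/inputs.conf" <<'EOF'
[monitor:///var/log/tcpdump.log]
sourcetype = tcpdump
disabled = false
EOF
}
```

Run as root with no argument to install for real, then `systemctl enable --now tcpdump.service` and restart the forwarder.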