Splunk Data Import from t-pot

Table of Contents

  1. Compression
  2. SCP Download
  3. Add data to Splunk
  4. Debrief

1) Compression

I first logged into my AWS VM over SSH using my key:

ssh -i <key> admin@<ipaddress>

I then compressed the data I needed to save with the command:

sudo tar -zcvf honeypot-data.tar.gz /data/

Once the compression was complete I terminated the connection.

I made sure to note the directory where the compressed data file was located.

2) SCP Download

I then proceeded to download the file I had just made, using SCP and my key, with the command:

scp -i <KEY_FILE> -P <port> admin@<IP.ADDRESS>:/PATH-TO-TAR/File ~/Desktop/File

Be sure to change permissions and extract the tar file after the download:

chmod 777 File

tar -zxvf File
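The packaging and extraction steps above, as an added shell example that is not part of the original post; it adds a SHA-256 check before extraction so a truncated or altered transfer is caught, and keeps the extracted copy owner-only rather than world-writable. The /data/ source directory and the honeypot-data.tar.gz name follow the post; the function names and the .sha256 sidecar file are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): package a honeypot data
# directory, record a SHA-256 checksum next to the archive, and verify that
# checksum on the analysis host before extracting. Function names and the
# .sha256 sidecar file are assumptions; /data/ and the archive name follow
# the post.
set -eu

# Create honeypot-data.tar.gz from SRC_DIR inside OUT_DIR and write
# honeypot-data.tar.gz.sha256 beside it. Prints the archive path.
pack_honeypot_data() {
    src_dir="$1"; out_dir="$2"
    archive="$out_dir/honeypot-data.tar.gz"
    # -C archives SRC_DIR relative to its parent instead of embedding an
    # absolute path such as /data/ in the tarball.
    tar -zcf "$archive" -C "$(dirname "$src_dir")" "$(basename "$src_dir")"
    (cd "$out_dir" && sha256sum honeypot-data.tar.gz > honeypot-data.tar.gz.sha256)
    printf '%s\n' "$archive"
}

# Verify the checksum recorded at packing time, then extract into DEST_DIR
# with owner-only permissions (no chmod 777 needed: the analyst owns the copy).
# Returns 1 without extracting anything if the checksum does not match.
unpack_honeypot_data() {
    archive="$1"; dest_dir="$2"
    (cd "$(dirname "$archive")" \
        && sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1) || return 1
    mkdir -p "$dest_dir"
    chmod 700 "$dest_dir"
    tar -zxf "$archive" -C "$dest_dir"
}
```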

3) Add data to Splunk

I navigated to the Add Data option and chose Upload.

I selected Select File, then chose the file I wanted to upload.

I hit Next and changed the Source Type to JSON. This lets me view and filter the data more efficiently.

I created a new index to organize my data for future filters.

I hit Submit after verifying the Review page.

Congratulations!

4) Debrief

I compressed my collected data from my t-pot VM on AWS and transferred it using SCP to my local desktop. I then uploaded it to Splunk in order to continue my data analysis.

  • Thanks for taking the time to read this and contact me for any information or recommendations.

Dante E. Mata