Splunk Data Import from t-pot

Dante Mata - CyberPanda
3 min read · Feb 14, 2022

Table of Contents

  1. Compression
  2. SCP Download
  3. Add data to Splunk
  4. Debrief

1) Compression

I first logged into my AWS VM over SSH using my key:

ssh -i <key> admin@<ipaddress>

I then compressed the data I needed to save with the command:

sudo tar -zcvf honeypot-data.tar.gz /data/

Once the compression was complete, I terminated the connection.

I made sure to note the directory where the compressed data file was located.

2) SCP Download

I then proceeded to download the file I had just made, using SCP and my key, with the command:

scp -i <KEY_FILE> -P <port> admin@<IP.ADDRESS>:/PATH-TO-TAR/File ~/Desktop/File

Be sure to change permissions and extract the tar file after the download:

chmod 777 File

tar -zxvf File
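The compress, transfer and extract steps above as one runnable script. This is an added example, not code from the original post: the honeypot VM, the SSH key and the scp hop are stand-ins (a scratch directory created with mktemp, and cp in place of scp, so it runs offline), the sample cowrie.json under a /data-like tree is constructed, and sha256sum is assumed to be available (GNU coreutils). It adds two things the post does not show: a checksum recorded next to the archive on the VM and re-checked after the download, and extraction into a directory readable only by the current user instead of chmod 777, since the archive holds captured attacker traffic and credentials.

```shell
#!/bin/sh
# Added example (not from the original post): compress -> transfer -> verify -> extract, offline.
# WORK is a constructed scratch directory standing in for both the T-Pot VM and the local desktop;
# cp plays the part of scp because nothing here talks to a real host.
set -eu

WORK="${WORK:-$(mktemp -d)}"
REMOTE="$WORK/remote/data"     # stands in for /data/ on the honeypot VM
LOCAL="$WORK/desktop"          # stands in for ~/Desktop

# Constructed sample of a honeypot data tree; the file name and field names are assumptions.
make_sample_data() {
    mkdir -p "$REMOTE/cowrie/log" "$LOCAL"
    printf '{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7"}\n' > "$REMOTE/cowrie/log/cowrie.json"
    printf '{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7"}\n' >> "$REMOTE/cowrie/log/cowrie.json"
}

# Step 1: compress the data directory. -C keeps the archive relative, so no absolute paths end up inside.
make_archive() {
    tar -zcf "$WORK/remote/honeypot-data.tar.gz" -C "$(dirname "$REMOTE")" "$(basename "$REMOTE")"
    # Record a checksum next to the archive so the downloaded copy can be verified.
    ( cd "$WORK/remote" && sha256sum honeypot-data.tar.gz > honeypot-data.tar.gz.sha256 )
}

# Step 2: transfer. On a real host this is the post's scp command, e.g.
#   scp -i <KEY_FILE> -P <port> admin@<IP.ADDRESS>:/PATH-TO-TAR/honeypot-data.tar.gz* ~/Desktop/
# Here cp stands in for scp so the script runs offline.
transfer_archive() {
    cp "$WORK/remote/honeypot-data.tar.gz" "$WORK/remote/honeypot-data.tar.gz.sha256" "$LOCAL/"
}

# Check that what arrived is byte-for-byte what was built on the VM before extracting it.
verify_archive() {
    ( cd "$LOCAL" && sha256sum -c honeypot-data.tar.gz.sha256 >/dev/null )
}

# Extract into a directory only the current user can access. Honeypot captures contain
# attacker traffic and credentials, so they get 700/600 rather than 777.
extract_archive() {
    mkdir -p "$LOCAL/honeypot-data"
    chmod 700 "$LOCAL/honeypot-data"
    chmod 600 "$LOCAL/honeypot-data.tar.gz"
    tar -zxf "$LOCAL/honeypot-data.tar.gz" -C "$LOCAL/honeypot-data"
}

# Count newline-delimited JSON events in the extracted tree: a quick sanity check before the upload.
count_events() {
    find "$LOCAL/honeypot-data" -name '*.json' -exec cat {} + | wc -l | tr -d ' '
}

# Runs the whole flow and prints the event count (2 for the constructed sample).
run_pipeline() {
    make_sample_data
    make_archive
    transfer_archive
    verify_archive
    extract_archive
    count_events
}
```

If the checksum check fails, stop there and re-download rather than extracting a partial archive; with a real host, the `.sha256` file is copied down with the same scp command as the archive.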

3) Add data to Splunk

I navigated to the Add Data option:

[Screenshot: Add Data]

Then Upload:

[Screenshot: Upload]

Select File, then choose the file you want to upload:

[Screenshot: Add Data]

Hit Next and change the Source Type to JSON:

[Screenshot: Source Type]

This will allow me to view and filter the data more efficiently:

[Screenshot: #pretty]

I created a new index to organize my data for future filters:

[Screenshot: New Index]

I hit Submit after verifying the Review page:

[Screenshot: Congratulations!]

[Screenshot: Get to Work]

4) Debrief

I compressed my collected data from my t-pot VM on AWS and transferred it using SCP to my local desktop. I then uploaded it to Splunk in order to continue my data analysis.

Thanks for taking the time to read this, and contact me for any information or recommendations.

Written by Dante Mata - CyberPanda

Results-driven Cybersecurity Engineer with a strong foundation in offensive security, vulnerability management, and incident response.