Splunk Data Import from t-pot

Table of Contents

  1. Compression
  2. SCP Download
  3. Add data to Splunk
  4. Debrief

1) Compression

I first log into my T-Pot VM on AWS over SSH with my key pair. T-Pot moves its management SSH service off port 22 (64295 in a default install), so pass the port explicitly if yours is not on 22:

ssh -i <key> -p <port> admin@<ipaddress>

I then compress the T-Pot data directory into a gzipped tarball. /data is root-owned, hence the sudo:

sudo tar -zcvf honeypot-data.tar.gz /data/

Once the compression is complete I close the connection, after noting where the archive was written: tar places honeypot-data.tar.gz in the current working directory (the home directory right after login), not inside /data.

2) SCP Download

I then proceed to download the archive with SCP and the same key. Note that scp takes the port as an uppercase -P, unlike ssh:

scp -i <KEY_FILE> -P <port> admin@<IP.ADDRESS>:/PATH-TO-TAR/honeypot-data.tar.gz ~/Desktop/

After the download, extract the tarball. No permission change is actually required: the downloaded copy is owned by your local user, and chmod 777 would only make it world-writable. If you want to tighten it, 600 is enough. Also note that tar strips the leading slash, so /data/ is extracted as ./data/ inside the directory you run the command in:

chmod 600 honeypot-data.tar.gz

tar -zxvf honeypot-data.tar.gz
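As an added example that ties steps 1 and 2 together (this is not code from the original post), the script below packs /data on the honeypot, pulls the archive down with scp, and compares a SHA-256 taken on the remote side against the local copy before extracting, so a truncated or tampered download is caught instead of silently ingested. The key path, host, port and destination directory are assumptions (203.0.113.10 is a documentation placeholder), and the pack and verify steps are written as functions so they can be exercised on a local directory without the VM.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): package T-Pot's /data on the
# honeypot host, pull it down with scp, and verify the SHA-256 on both ends
# before extracting. KEY, HOST, PORT and DEST are assumptions; override via env.
set -euo pipefail

KEY="${KEY:-$HOME/.ssh/tpot.pem}"        # assumption: your AWS key pair file
HOST="${HOST:-admin@203.0.113.10}"       # assumption: documentation IP, replace
PORT="${PORT:-64295}"                    # T-Pot's default management SSH port
ARCHIVE="honeypot-data.tar.gz"
DEST="${DEST:-$HOME/Desktop}"

# Hash helper that works on Linux (sha256sum) and macOS (shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Create the tarball from a source directory and print its SHA-256.
# On the honeypot this is run against /data (root-owned, so use sudo); tar
# strips the leading "/" so the archive later extracts as ./data/.
pack_data() {
    local src="$1" out="$2"
    tar -zcf "$out" "$src"
    chmod 600 "$out"          # 600 is all scp needs; no reason for 777
    sha256_of "$out"
}

# Confirm the downloaded archive matches the hash computed remotely, then
# extract into "$into". Returns 1 and extracts nothing if the hashes differ.
verify_and_extract() {
    local archive="$1" expected="$2" into="$3"
    local actual
    actual="$(sha256_of "$archive")"
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch: expected $expected got $actual" >&2
        return 1
    fi
    mkdir -p "$into"
    tar -zxf "$archive" -C "$into"
}

# End-to-end flow against the honeypot (needs network; not exercised offline):
#   1) pack on the remote host and capture the hash it reports
#   2) scp the archive down (relative path = the remote home directory)
#   3) verify locally, then extract under DEST
transfer_from_honeypot() {
    local remote_hash
    remote_hash="$(ssh -i "$KEY" -p "$PORT" "$HOST" \
        "sudo tar -zcf $ARCHIVE /data && sudo chown \$(id -un) $ARCHIVE && sha256sum $ARCHIVE | cut -d' ' -f1")"
    scp -i "$KEY" -P "$PORT" "$HOST:$ARCHIVE" "$DEST/$ARCHIVE"
    verify_and_extract "$DEST/$ARCHIVE" "$remote_hash" "$DEST"
}
```

Call transfer_from_honeypot after exporting KEY, HOST and PORT for your VM; the chown on the remote side is there so the root-created archive can be read by the admin user that scp logs in as.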

3) Add data to Splunk

I navigate to the Add Data option in Splunk and pick Upload.

I select the extracted log file I want to upload.

I hit Next and change the Source Type to JSON (Splunk's built-in _json sourcetype).

Because the honeypot logs are newline-delimited JSON, Splunk extracts each field automatically, which lets me view and filter the data far more efficiently than with raw text.

I create a new index to keep the honeypot data separate and make future filtering simpler.

I hit Submit after checking the Review page.

Congratulations!
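The same three steps can be done without the web UI through Splunk's management REST API, which is handy once you are exporting honeypot data repeatedly. The block below is an added example and not part of the original post: it creates the index with the data/indexes endpoint and then submits the extracted log as a one-shot input with sourcetype _json via data/inputs/oneshot. The management URL, credentials and index name (tpot) are assumptions, and the one-shot input reads the file from the Splunk server's own filesystem, so it is meant to run on the Splunk host against an absolute path the splunk user can read.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): the "create index" and
# "upload file as JSON" steps done through Splunk's REST API on the Splunk host.
# SPLUNK_URL, the credentials and the index name are assumptions.
set -euo pipefail

SPLUNK_URL="${SPLUNK_URL:-https://localhost:8089}"   # management port, assumption
SPLUNK_USER="${SPLUNK_USER:-admin}"
SPLUNK_PASS="${SPLUNK_PASS:-changeme}"               # assumption: set via env
INDEX="${INDEX:-tpot}"                               # assumption: index name
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the call instead of executing it

# Run (or, in dry-run mode, echo) a curl call against the management API.
# -k accepts Splunk's default self-signed certificate; drop it once you
# install a trusted one. The password is never printed.
splunk_api() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'curl -k -u %s:*** %s\n' "$SPLUNK_USER" "$*"
    else
        curl -k -sS -u "$SPLUNK_USER:$SPLUNK_PASS" "$@"
    fi
}

# UI step "create a new index": POST the index name to data/indexes.
create_index() {
    splunk_api "$SPLUNK_URL/services/data/indexes" -d "name=$INDEX"
}

# UI step "upload + Source Type JSON": a one-shot input. Splunk opens the
# file itself, so the path must be absolute and readable by the splunk user.
# Relative paths and empty/missing files are refused up front rather than
# producing a confusing server-side error.
oneshot_upload() {
    local file="$1"
    case "$file" in
        /*) ;;
        *) echo "oneshot needs an absolute path: $file" >&2; return 1 ;;
    esac
    [ -s "$file" ] || { echo "file missing or empty: $file" >&2; return 1; }
    splunk_api "$SPLUNK_URL/services/data/inputs/oneshot" \
        --data-urlencode "name=$file" \
        -d "index=$INDEX" -d "sourcetype=_json"
}
```

Typical use after extracting the archive on the Splunk host: create_index once, then oneshot_upload /abs/path/data/<honeypot>/<log>.json per log file. If the extracted files are owned by your login user, make sure the splunk service account can read them, or the one-shot input will fail even though the request is accepted.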

4) Debrief

I compressed my collected data from my t-pot VM on AWS and transferred it using SCP to my local desktop. I then uploaded it to Splunk in order to continue my data analysis.

  • Thanks for taking the time to read this, and contact me for any information or recommendations.
