
AWS Web Application Firewall Add-on

Download the AWS Web Application Firewall Add-on

Install onto the cluster master (CM) and the search head (SH)

Installing onto cluster master:

scp aws-web-application-firewall-add-on_101.tgz dev-moose-splunk-cm:
ssh dev-moose-splunk-cm
tar xvzf aws-web-application-firewall-add-on_101.tgz
sudo mv TA-aws_waf /opt/splunk/etc/master-apps/
sudo mkdir /opt/splunk/etc/master-apps/TA-aws_waf/local
sudo vim /opt/splunk/etc/master-apps/TA-aws_waf/local/inputs.conf

Generate a HEC token via uuidgen (or uuidgen | tr '[:upper:]' '[:lower:]' if you prefer lowercase) and put it in the following stanza, which is the content of inputs.conf:

[http://aws_waf_logs]
disabled = 0
index = test
indexes = test
sourcetype = aws:waf
useACK = 1
token = <TOKEN_HERE>

sudo chown -R splunk:splunk /opt/splunk/etc/master-apps/TA-aws_waf/
sudo -u splunk /opt/splunk/bin/splunk btool check
sudo -u splunk /opt/splunk/bin/splunk validate cluster-bundle
sudo -u splunk /opt/splunk/bin/splunk show cluster-bundle-status
sudo -u splunk /opt/splunk/bin/splunk 
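Added pre-flight check (example code written for these notes, not part of the add-on or of Splunk) to run against the inputs.conf stanza above before btool check and validate cluster-bundle: it flags a leftover <TOKEN_HERE> placeholder, a token that is not a UUID (the token is the bearer credential HEC clients present, so an unreplaced placeholder is both a broken input and a guessable secret), a missing key, an index not covered by indexes, and useACK not set to 1. new_hec_token() is the uuidgen-equivalent; the sample stanza and its UUID are constructed.

```python
import configparser
import uuid

# Constructed sample: the notes' stanza with the placeholder replaced by a v4 UUID.
SAMPLE_INPUTS_CONF = """\
[http://aws_waf_logs]
disabled = 0
index = test
indexes = test
sourcetype = aws:waf
useACK = 1
token = 3f2d9c4a-7b1e-4e8f-9a6d-2c5b8e1f0a47
"""

REQUIRED_KEYS = ("disabled", "index", "indexes", "sourcetype", "token")

def new_hec_token():
    """Lowercase random UUID, equivalent to `uuidgen | tr '[:upper:]' '[:lower:]'`."""
    return str(uuid.uuid4())

def is_valid_token(token):
    """True if the token parses as a UUID, i.e. the shape uuidgen produces."""
    try:
        uuid.UUID(token)
    except (ValueError, TypeError):
        return False
    return True

def parse_inputs_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}, keeping key case (useACK)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # do not lowercase keys; Splunk keys are case-sensitive
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def check_hec_stanza(stanza):
    """Return a list of problems; an empty list means the stanza is ready to push."""
    problems = [f"missing key: {k}" for k in REQUIRED_KEYS if k not in stanza]
    token = stanza.get("token", "")
    if token == "<TOKEN_HERE>":
        problems.append("token placeholder not replaced")
    elif token and not is_valid_token(token):
        problems.append("token is not a UUID")
    allowed = [i.strip() for i in stanza.get("indexes", "").split(",") if i.strip()]
    if "index" in stanza and allowed and stanza["index"] not in allowed:
        problems.append(f"index {stanza['index']!r} not listed in indexes")
    if stanza.get("useACK") != "1":
        problems.append("useACK is not 1; senders get no indexer acknowledgement")
    return problems
```

Run it over /opt/splunk/etc/master-apps/TA-aws_waf/local/inputs.conf and refuse to apply the bundle while the list is non-empty.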

Installing onto SH

scp aws-web-application-firewall-add-on_101.tgz dev-moose-splunk-sh:
ssh dev-moose-splunk-sh
tar xvzf aws-web-application-firewall-add-on_101.tgz
sudo mv TA-aws_waf /opt/splunk/etc/apps/
sudo chown -R splunk:splunk /opt/splunk/etc/apps/TA-aws_waf
sudo -u splunk /opt/splunk/bin/splunk restart