# Splunk MSCAS Notes

For the Smart and Final customer.

- https://jira.mdr.defpoint.com/browse/MSOCI-890
- https://docs.microsoft.com/en-us/cloud-app-security/siem
- https://splunkbase.splunk.com/app/3110/

syslog-ng config for this customer:

https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/blob/master/salt/fileroots/syslog/files/customers/afs/conf.d/010-mcas.conf

Splunk index and sourcetype:

```
sourcetype=microsoft:cas
index=app_mscas sourcetype="microsoft:cas"
```

Log paths on the syslog-ng host:

- /opt/syslog-ng/mcas/afssplhf103.us.accenturefederal.com/log
- /opt/syslog-ng/mcas/afssplhf103.us.accenturefederal.com/log/2019-09-11/afsspaf101.us.accenturefederal.com/afsspaf101.us.accenturefederal.com/security.log

Start the EC2 instance, then build the Docker container. Is this just a HF, or is it syslog-ng also? Two Docker containers: one for syslog and one for Java, or one Docker container for Java and one for the Splunk HF.

The Java agent sends to syslog-ng.

Build steps:

1. EC2 instance `ms-cas`, t2.small
2. Install Docker
3. Add a Java Docker container
4. Add the Java code to the container


Going to try openjdk because Oracle Java requires a login to pull the images: https://hub.docker.com/_/openjdk

```
docker pull openjdk
```

Java command (from the Microsoft SIEM agent doc):

```
java -jar mcas-siemagent-0.87.20-signed.jar [--logsDirectory DIRNAME] [--proxy ADDRESS[:PORT]] --token TOKEN &
```

Docker commands:

```
cd docker
docker image build -t customjava .
docker run -d --name customjava --volume /root/java:/logs -t customjava
```

Dockerfile:

```dockerfile
FROM openjdk:12
# copies the whole build context, jar included
COPY . /usr/src/myapp
WORKDIR /usr/src/myapp
RUN mkdir /logs
VOLUME /logs
# marker file; note that changes made to /logs by RUN steps after the VOLUME line
# are discarded by the builder, and a bind mount of /root/java hides them anyway
RUN echo "This is the place" > /logs/thisisit.txt
# the token is part of the CMD here, so it is stored in the image config and
# shows up in docker inspect / docker history of the pushed image
CMD java -jar mcas-siemagent-0.111.126-signed.jar --token yourmom --logsDirectory /logs
```
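Because the token sits in the CMD line of the Dockerfile above, it becomes part of the image that gets pushed to the registry. The script below is an added example, not from these notes or from Microsoft, of the same build with the token supplied from the container environment at run time and only the jar copied into the image. The jar name, image name `customjava` and host log path `/root/java` are taken from the notes; the env file path and the `MCAS_TOKEN` variable name are assumptions.

```shell
#!/usr/bin/env bash
# Build and run the MCAS SIEM agent container without baking the token into the image.
set -eu

JAR="mcas-siemagent-0.111.126-signed.jar"   # jar name from the notes
IMAGE="customjava"                          # image name from the notes
LOG_DIR_HOST="/root/java"                   # host path mounted on /logs, from the notes

# Write a Dockerfile into the build directory given as $1.
# Only the jar is copied (not "COPY ."), so stray .env or key files in the
# directory never land in an image layer. The CMD uses shell form so that
# $MCAS_TOKEN is expanded from the container environment when it starts.
write_dockerfile() {
  dir="$1"
  cat > "$dir/Dockerfile" <<EOF
FROM openjdk:12
COPY $JAR /usr/src/myapp/
WORKDIR /usr/src/myapp
VOLUME /logs
# \$MCAS_TOKEN is supplied at run time (docker run --env-file), not at build time
CMD java -jar $JAR --token "\$MCAS_TOKEN" --logsDirectory /logs
EOF
}

# Build the image from the directory given as $1.
build_image() {
  docker image build -t "$IMAGE" "$1"
}

# Start the agent. $1 is an env file (mode 0600, outside the build context)
# containing a single line: MCAS_TOKEN=<the token from the MCAS portal>.
run_agent() {
  docker run -d --name "$IMAGE" --env-file "$1" \
    --volume "$LOG_DIR_HOST:/logs" "$IMAGE"
}

# Pre-build check: returns 0 if the build context ($1) contains the token ($2)
# anywhere, i.e. something would leak it into the image; 1 otherwise.
context_leaks_token() {
  grep -rq -- "$2" "$1"
}

# Stand-alone demo: write the Dockerfile to a temp dir and show it.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  write_dockerfile "$d"
  cat "$d/Dockerfile"
  rm -rf "$d"
fi
```

Run `context_leaks_token ./docker "$(cut -d= -f2 /root/mcas.env)"` before `build_image` to catch a token that was copied into the build directory by mistake. The token is still readable in the running container's environment by anyone with Docker access on the host, so the host itself remains the trust boundary.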

Because we are using a custom Docker image, we would like it to be stored in the Docker repo. This is the headache.

DUANE! MS CAS has a dumb little Java agent. It has to connect to MS servers and output CAS data via syslog; it can't do anything else [and they don't publicize the API it uses]. So our approach was to run the dumb little Java agent in a Docker container, on customer premises in the POP.

We have a POP node in Smart and Final called the "data collection node" (DCN) (and Evolution just for crap like this), but it's become a huge yak that needs shaving:

- to run the agent I need a container, so I made a container
- to run the container I need to upload the container to a registry, so I uploaded it to our registry
- now, to give the nodes on customer prem access to the registry, they need AWS API credentials
- to give them API creds I need to be able to distribute said creds from the salt master
- to distribute them from the master, I need, and decided on, GPG encrypted pillars
- before I could enable encrypted pillars I needed to clean up the salt master config files, which is done
- so I can finish the encrypted pillars, give creds to the DCN node, connect it to the registry, get the container running
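The encrypted-pillar step of that chain, as an added example (not the salt states from the msoc-infrastructure repo): encrypt the registry's AWS API credentials for Salt's GPG pillar renderer, emit the pillar file, and restrict it in top.sls to the DCN minion so no other node ever receives the creds. The keyring directory `/etc/salt/gpgkeys` and the `#!yaml|gpg` shebang are Salt's documented conventions for the gpg renderer; the recipient key name, the pillar id `registry_aws`, the pillar keys and the minion id are assumptions.

```shell
#!/usr/bin/env bash
# Salt GPG-encrypted pillar for the DCN's registry credentials.
set -eu

GPG_HOME="${GPG_HOME:-/etc/salt/gpgkeys}"   # Salt's default gpg_keydir on the master
KEY_NAME="${KEY_NAME:-salt-pillar}"         # assumed name of the master's pillar key

# Encrypt one secret value to the master's public key. ASCII-armoured output
# so it can be pasted into the pillar file. Run wherever the public key lives;
# only the master holds the private key that decrypts at pillar compile time.
encrypt_pillar_value() {
  printf '%s' "$1" | gpg --homedir "$GPG_HOME" --armor --batch \
    --trust-model always --encrypt -r "$KEY_NAME"
}

# Indent a multi-line armoured blob so it fits under a YAML "|-" block scalar.
indent_block() {
  printf '%s\n' "$1" | sed 's/^/    /'
}

# Emit registry_aws.sls. The "#!yaml|gpg" shebang makes the master decrypt any
# value that is a PGP message when it compiles the pillar; the minion only ever
# sees plaintext over its own encrypted channel to the master.
render_pillar_sls() {
  enc_id="$1"
  enc_secret="$2"
  printf '#!yaml|gpg\n\n'
  printf 'registry_aws:\n'
  printf '  aws_access_key_id: |-\n'
  indent_block "$enc_id"
  printf '  aws_secret_access_key: |-\n'
  indent_block "$enc_secret"
}

# Emit a top.sls that hands registry_aws to exactly one minion id ($1).
render_top_sls() {
  printf "base:\n  '%s':\n    - registry_aws\n" "$1"
}

# Count PGP messages in a rendered pillar: a cheap check that no value was
# pasted in as plaintext before the file is committed.
count_pgp_blocks() {
  printf '%s\n' "$1" | grep -c -- '-----BEGIN PGP MESSAGE-----' || true
}

# Stand-alone use on the master: encrypt real values read from stdin and
# write the two files. Invoke as:  ./pillar.sh write <dcn-minion-id>
if [ "${1:-}" = "write" ]; then
  printf 'AWS access key id: '; read -r raw_id
  printf 'AWS secret access key: '; read -r raw_secret
  enc_id=$(encrypt_pillar_value "$raw_id")
  enc_secret=$(encrypt_pillar_value "$raw_secret")
  render_pillar_sls "$enc_id" "$enc_secret" > /srv/pillar/registry_aws.sls
  render_top_sls "$2" > /srv/pillar/top.sls
  printf 'encrypted values written: %s\n' "$(count_pgp_blocks "$(cat /srv/pillar/registry_aws.sls)")"
fi
```

The minion-scoped top.sls is the least-privilege part: the DCN is the only node that needs to pull from the registry, so it is the only one that gets the creds. On the DCN, `salt-call pillar.get registry_aws:aws_access_key_id` confirms the master decrypted the value before handing it over.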