
AfterGlow and Splunk

Have you ever looked into visualizing your IT data? If you have been using Splunk 3.0 and its enhanced reporting, the answer is yes. Maybe you have heard of, or even worked with, a tool called AfterGlow. This is a tool that I co-authored with one of my old co-workers. AfterGlow helps you visualize your IT data as link graphs. It is extremely simple to use: it is completely command line driven, takes CSV as input and generates a DOT description of a graph, according to predefined conditions that are provided in the form of a properties file. The DOT file can then be visualized with one of many tools, such as GraphViz. You can find some examples on SecViz – look for the link graphs.

I have recently built an integration between Splunk and AfterGlow. If you are a complete command line junky, here is how to use Splunk with AfterGlow through Splunk’s CLI:

./splunk search "ipfw | fields + SourceAddress DestinationAddress DestinationPort" -auth admin:changeme | awk '{printf "%s,%s,%s\n",$1,$2,$3}' | afterglow -c properties -b 2 | neato -Tgif -o /tmp/test.gif

Too complicated? Well, maybe. But keep in mind that this is extremely powerful: at each stage in the pipeline you can transform the data into whatever you need. You also don't need anything other than a working Splunk and AfterGlow installation. If you would prefer a nicer solution, I built a command for Splunk that hides the afterglow logic. What you have to do is the following:

  1. Download AfterGlow. Make sure you are using version 1.5.9 (it's available, I just didn't officially announce it yet ;)
  2. Install Splunk and install my AfterGlow Bundle.
  3. If you downloaded AfterGlow 1.5.9, you don’t need to patch AfterGlow, otherwise do so as described in the README.
  4. Make sure you have GraphViz installed and it is working.
  5. UPDATE: Go into $SPLUNK_HOME/etc/searchscripts and edit afterglow.py:
    • Update afterglowLocation to where you installed afterglow.
    • Update afterglowParameter: use AfterGlow 1.5.9 and update the path to your configuration file.
    • Update the targetDir location to point to your Splunk install's oxiclean/static directory.
    • Make sure your afterglow properties file contains the following line:
      url=http://localhost:8000/?q=\N%20starthoursago%3A%3A24
    I hope this will fix things!
  6. Construct a search in Splunk that returns three fields. For example
    ipfw | fields + SourceAddress DestinationAddress DestinationPort

I did this by using the ipfw bundle. The idea is simply that you use the fields command to extract two or three fields from your log entries. Once you have this working, simply add "| afterglow" to your search. This will pipe the search result through the new afterglow command. You should now get one event back which consists of just a single field. Click on the associated action and choose "Show AfterGlow Graph". This should open a new window containing a link graph of your data. Also note that you can click on the nodes and it will take you back into Splunk and search for that node's value. This gives you a complete bi-directional integration between the two tools.
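To make the middle of that pipeline concrete, here is an added example of my own (not AfterGlow's code and not the Splunk bundle) that does a cut-down version of what afterglow does with the three fields: it reads the CSV the search produces, builds source -> destination -> port edges, counts repeats, drops edges below an omit threshold, and writes DOT with the click-back URL from the properties file on every node. The sample CSV and the node colours are constructed for the example.

```python
import csv
import io
from collections import Counter

# Constructed sample of the post's three-field search output, as CSV with a header
SAMPLE_CSV = """SourceAddress,DestinationAddress,DestinationPort
10.0.0.5,192.168.1.10,22
10.0.0.5,192.168.1.10,22
10.0.0.7,192.168.1.10,80
10.0.0.5,192.168.1.20,443
"""

# Click-back URL from the post's properties file. Raw string on purpose: GraphViz,
# not Python, replaces \N with the node name when it renders the graph.
NODE_URL = r"http://localhost:8000/?q=\N%20starthoursago%3A%3A24"
ROLE_COLORS = ("lightblue", "lightyellow", "lightgreen")  # per-column fill, my choice

def parse_csv(text, has_header=True):
    """Three-column mode: col1 -> col2 -> col3. Returns (edge counts, node colours)."""
    # A value seen in several columns keeps the colour of its first column;
    # malformed or blank lines are skipped rather than aborting the whole run.
    rows = csv.reader(io.StringIO(text))
    if has_header:
        next(rows, None)
    edges, colors = Counter(), {}
    for row in rows:
        if len(row) != 3:
            continue
        src, evt, tgt = (f.strip() for f in row)
        for name, color in zip((src, evt, tgt), ROLE_COLORS):
            colors.setdefault(name, color)
        edges[(src, evt)] += 1
        edges[(evt, tgt)] += 1
    return edges, colors

def quote(name):  # DOT string literal; field values are untrusted log data
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'

def to_dot(edges, colors, url=NODE_URL, omit_threshold=1):
    """Emit the DOT graph, dropping edges seen fewer than omit_threshold times."""
    kept = {e: n for e, n in edges.items() if n >= omit_threshold}
    out = ["digraph afterglow {", "  node [shape=ellipse, style=filled];"]
    for name, color in sorted(colors.items()):
        if any(name in e for e in kept):  # keep only nodes that still have an edge
            out.append(f'  {quote(name)} [fillcolor={color}, URL="{url}"];')
    for (a, b), n in sorted(kept.items()):
        out.append(f"  {quote(a)} -> {quote(b)} [label={n}];")
    out.append("}")
    return "\n".join(out)
```

Feed the output to neato (for example `neato -Tsvg`) and the URL attribute becomes a clickable link on each node, which is what brings you back into Splunk.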

Let me know how this works for you and share your graphs with me! Even better, put your graphs on SecViz!

UPDATE: If you are getting errors, check the comments for this post!

By Raffael Marty
