TIPS & TRICKS

How to use Notifo to receive Splunk alerts on your iPhone

In this article I’ll describe how I use Splunk and Notifo to alert me whenever someone tries to log in to my system with invalid credentials. Notifo is a push-based notification service for mobile phones; in this example we’ll be using the iPhone.

Overview

  1. Set up a Notifo account.
  2. Install the Notifo app on your iPhone.
  3. Install the notifo.py Python module.
  4. Install the splunknotifo.py Python alert script.
  5. Set up splunknotifo.py.
  6. Set up a saved search.

Assumptions

  • This process assumes that you’ve got Splunk installed and monitoring a file containing sshd log messages.

Steps

  1. Browse to https://notifo.com/user/register to set up a Notifo account.
  2. Browse to https://notifo.com/user/login, log in, and visit the Settings page.
  3. Locate and record your API Secret (screenshot).
  4. From your desktop or your iPhone browse to the iTunes App Store to install and configure the Notifo app.
  5. On the system running Splunk, download and install the notifo.py Python module (screenshot):
    ~$ cd /usr/local/src
    /usr/local/src$ git clone git://github.com/mrtazz/notifo.py.git
    /usr/local/src$ cd notifo.py
    /usr/local/src/notifo.py$ $SPLUNK_HOME/bin/splunk cmd python setup.py install
  6. On the system running Splunk, download the splunknotifo.py Python alert script (screenshot):
    ~$ cd $SPLUNK_HOME/bin/scripts
    /opt/splunk/bin/scripts$ wget http://github.com/ampledata/soss/raw/master/splunknotifo/splunknotifo.py
    /opt/splunk/bin/scripts$ wget http://github.com/ampledata/soss/raw/master/splunknotifo/splunknotifo_conf-default-.py
  7. Configure splunknotifo_conf.py with your Notifo APIUsername and APISecret (see step #3 above):
    ~$ cd $SPLUNK_HOME/bin/scripts
    /opt/splunk/bin/scripts$ mv splunknotifo_conf-default-.py splunknotifo_conf.py
    /opt/splunk/bin/scripts$ vim splunknotifo_conf.py
  8. Using the Splunk web interface, search for the term(s) you’d like to match and click Actions >> Save search… (screenshot).
  9. Enter the parameters for your Saved Search:
  10. Done!
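As an added example (not the splunknotifo.py script from the original post), here is a minimal alert script in the same shape: it names the eight positional arguments Splunk hands a legacy alert script, builds the Notifo message, checks that the conf file holding the API secret is readable only by its owner, and posts with HTTP Basic auth through urllib instead of the notifo.py module. The Notifo endpoint and field names, the `splunknotifo_conf.py` attribute names, and the sample argument vector are assumptions or constructed values, and the code is Python 3 rather than the Python 2 bundled with Splunk at the time.

```python
import base64
import os
import sys
import urllib.parse
import urllib.request

# Assumed Notifo endpoint and field names; not taken from the original post.
NOTIFO_SEND_URL = "https://api.notifo.com/v1/send_notification"
SAMPLE_ARGV = [  # constructed sample of what Splunk passes as argv[1..8]
    "splunknotifo.py", "3", "Failed password",
    'search sourcetype=sshd "Failed password"', "SSH invalid login",
    "Saved Search [SSH invalid login] number of events(3)",
    "http://splunk.example/app/search/@go?sid=scheduler_1", "",
    "/opt/splunk/var/run/splunk/results.csv.gz"]

def parse_splunk_alert_args(argv):
    """Map Splunk's eight positional alert-script arguments to named fields."""
    fields = ("event_count", "search_terms", "query", "search_name",
              "trigger_reason", "search_url", "tags", "results_file")
    if len(argv) < 9:
        raise ValueError("expected 8 arguments from Splunk, got %d" % (len(argv) - 1))
    alert = dict(zip(fields, argv[1:9]))
    alert["event_count"] = int(alert["event_count"])
    return alert

def build_notification(alert, to_user, max_len=120):
    """Notifo form fields for one alert; msg stays short, the uri carries the detail."""
    msg = "%s: %d event(s); reason: %s" % (
        alert["search_name"], alert["event_count"], alert["trigger_reason"])
    return {"to": to_user, "label": "Splunk", "title": alert["search_name"],
            "msg": msg[:max_len], "uri": alert["search_url"]}

def conf_mode_is_private(mode):
    """True if a st_mode grants no group/other access (the conf holds the API secret)."""
    return (mode & 0o077) == 0

def send_notification(fields, api_username, api_secret, opener=urllib.request.urlopen):
    """POST the fields to Notifo with HTTP Basic auth; returns the response body."""
    req = urllib.request.Request(NOTIFO_SEND_URL, data=urllib.parse.urlencode(fields).encode())
    token = base64.b64encode(("%s:%s" % (api_username, api_secret)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with opener(req, timeout=10) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    argv = sys.argv if len(sys.argv) >= 9 else SAMPLE_ARGV  # dry run on the sample
    alert = parse_splunk_alert_args(argv)
    conf = os.path.join(os.path.dirname(os.path.abspath(__file__)), "splunknotifo_conf.py")
    if os.path.exists(conf) and not conf_mode_is_private(os.stat(conf).st_mode):
        print("warning: %s is readable by group/other; chmod 600 it" % conf, file=sys.stderr)
    print(build_notification(alert, to_user="your-notifo-username"))
```

To send for real, read `APIUsername` and `APISecret` from `splunknotifo_conf.py` and pass the built fields to `send_notification`; the dry run above never touches the network.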

To Test

  1. Generate some sshd log messages.
  2. You should get an alert on your iPhone like this:


----------------------------------------------------
Thanks!
Greg Albrecht

Posted by Splunk