I’m Giovanni merlos Mellini and this is my personal blog.
I’m the founder and president of Cyber Saiyan a no profit organization I founded together with other friends in December 2017.
Since 2018 we organize RomHack a cyber security conference held yearly in Rome.
I occasionally speak on public community events, schools and universities:
- Cyber Saiyan Live (April 2021) Hands [off|on] MS cloud services (slides) [italian] – I spoke about cloud hunting methodologies and architecture
- Rev3rse Security Live (December 2020) You take the blue pill… and I show you how deep defense goes (slides) [italian]
- Codemotion Rome 2019 Lifecycle of a security incident: from detection to response (slides and video)
- RomHack 2018 Cyber Saiyan – Live Demo [italian]
- Italian Hacker Camp IHC 2018 La condivisione delle informazioni, uno strumento efficace per la detection degli eventi di sicurezza [italian]
- Università di Pisa La difesa, un approccio pratico alla detection usando strumenti di info sharing [italian]
- Liceo “Francesco Redi” Arezzo Tecniche di attacco e di difesa – La Protezione [italian]
- BSides Rome 2018 Building an Effective Info Sharing Community [italian]
- HackInBo 2017 Spring edition L’evoluzione del SOC di un’infrastruttura critica [italian]
I had my Internet glory days when I hacked a BT Low Energy (BLE) butt plug.
Sometimes I write about open source, security and boring stuff on this blog.
You can send me a secure email to giovanni [dot] mellini [at] protonmail [dot] com using my public PGP signature available here.
Hi Giovanni,
I have been working through your document on integrating MineMeld with Splunk. We would like to do the exact same thing here. So far, I have not run into any issues, but I do have a question. On the 4th post, you have this:
From prototypes page, clone the stdlib.localLogStash prototype to a new one minemeldlocal.LOG-TO-SPLUNK. While cloning change the 2 prototype parameters as follow:
logstash_host: ;
logstash_port: 1534 (or any port where Splunk will listen for MineMeld data).
When you say , do you mean the IP address of an indexer or a search head? I am assuming that it is a search head (we have 3 here), is that correct?
Sincerely,
Jon
LikeLike
Hi Jon
good to ear you did the integration 🙂
> When you say , do you mean the IP address of an indexer or a search head? I am assuming that it is a search head (we have 3 here), is that correct?
It depends from your architecture.
In my case I send the data from the output node to an HA Heavy forwarders cluster that I use to forward logs to Indexers cluster in case I cannot install Splunk agents (eg. Firewall or Minemeld output node).
I need to send Minemeld logs in a reliable way, like the splunk agent does on the remote clients/servers while load balancing indexers.
So the IP logstash_host is the Heavy Forwarders VIP made on top of a DRBD cluster of 2 heavy forwarders.
To the heavy forwarders I push a small application (from my deployment server) that just sends data received on the tcp port to the Indexer cluster
etc/apps/forw_portsinput/default/inputs.conf
[tcp://:1534]
sourcetype=minemeld_ioc
index=minemeld_ioc
etc/apps/Hforw-conf/default/outputs.conf
[tcpout]
defaultGroup = default-autolb-group
#indexers
[tcpout:default-autolb-group]
server=INDEXER1:9997,INDEXER2:9997
autoLB = true
So you have a reliable and HA architecture.
I don’t send any log directly to the Search Heads because you need to index the data in the indexer cluster so any SH can access it with the right authorization.
Hope is clear
Giovanni
LikeLike
Hi Giovanni,
I see… we have a slightly different environment. We have 3 non-clustered search heads, 3 clustered indexers, and 1 cluster master. We have all of our log sources sending syslog to a RHEL syslog-ng system running a light forwarder and not the heavy forwarder. Syslog-ng is setup to filer the logs so we don’t need to use the heavy forwarder. Thus, I am assuming that I need to set “logstash_host: ;” to the IP address of our syslog-ng server? I would also need to install the the TA on the syslog-ng server as well?
Thanks Again!
Jon
LikeLike
> Thus, I am assuming that I need to set “logstash_host: ;” to the IP address of our syslog-ng server? I would also need to install the the TA on the syslog-ng server as well?
Yes in this case you need to send the logs to the syslog server but I’m not sure if the TA works here, you need to try 🙂
LikeLike
Thank you, I will give it a shot and let you know how it works out.
LikeLike