-
Recent Posts
- How to ease your System Administration email workload with Splunk
- It’s time to give up the 44.x.x.x address block
- San Francisco Public-Safety Answering Point
- How to install Chef on Solaris 10
- How to single boot Ubuntu 10.04 Lucid Lynx on a MacBook Pro
Greg@Large
- My Facebook Profile
- My Github Profile
- My LinkedIn Profile
- My Yelp Reviews
How to use Notifo to receive Splunk alerts on your iPhone
- August 16, 2010 – 22:00
- Posted in Uncategorized
In this article I’ll describe how I use Splunk and Notifo to alert me whenever someone tries to login to my system with invalid credentials. Notifo is push-based notification service for mobile phones, in our example we’ll be using the iPhone.
Overview
- Setup a Notifo account.
- Install the Notifo app on your iPhone.
- Install the notifo.py Python module.
- Install the splunknotifo.py Python alert script.
- Setup splunknotifo.py
- Setup saved search.
Assumptions
- This process assumes that you’ve got Splunk installed and monitoring a file containing sshd log messages.
Steps
- Browse to https://notifo.com/user/register to setup a Notifo account.
- Browse to https://notifo.com/user/login, login, and visit the Settings page.
- Locate and record your API Secret (screenshot)
- From your desktop or your iPhone browse to the iTunes App Store to install and configure the Notifo app.
- On the system running Splunk, download and install the notifo.py Python module (screenshot):
~$ cd /usr/local/src
/usr/local/src$ git clone git://github.com/mrtazz/notifo.py.git
/usr/local/src$ cd notifo.py
/usr/local/src/notifo.py$ $SPLUNK_HOME/bin/splunk cmd python setup.py install
- On the system running Splunk, download the splunknotifo.py Python alert script (screenshot):
~$ cd $SPLUNK_HOME/bin/scripts
/opt/splunk/bin/scripts$ get github.com/ampledata/soss/raw/master/splunknotifo/splunknotifo.py
/opt/splunk/bin/scripts$ get github.com/ampledata/soss/raw/master/splunknotifo/splunknotifo_conf-default-.py
- Configure splunknotifo_conf.py with your Notifo APIUsername and APISecret (see step #3 above):
~$ cd $SPLUNK_HOME/bin/scripts
/opt/splunk/bin/scripts$ mv splunknotifo_conf-default-.py splunknotifo_conf.py
/opt/splunk/bin/scripts$ vim splunknotifo_conf.py
- Using the Splunk web interface, search for the term(s) you’d like to match and click Actions >> Save search… (screenshot).
- Enter the parameters for your Saved Search:
- Done!
To Test
- Generate some sshd log messages.
- You should get an alert on your iPhone like this:
Leave a Reply Cancel reply
Fill in your details below or click an icon to log in:
You are commenting using your WordPress.com account. ( Log Out / Change )
You are commenting using your Twitter account. ( Log Out / Change )
You are commenting using your Facebook account. ( Log Out / Change )
Connecting to %s