The event forwarder is a small utility that consumes Spyderbat events from the API and emits flat files containing events and spydertraces. It optionally forwards the data it collects via syslog or using a webhook.
- Deploys as a systemd service on Linux or into Kubernetes using Helm
- Consumes events and traces from the Spyderbat API
- Writes data to flat files and/or stdout
- Forwards events and traces via syslog or webhook (optional)
- Supports filtering expressions to select events and traces to forward (optional)
Requirements (systemd install):
- Linux
- x86_64 or arm64 processor
- systemd
Download the latest release.
- Unpack the tarball:

  NOTE: The release package filename will differ from the example below.

  ```sh
  mkdir /tmp/sef
  tar xfz spyderbat-event-forwarder.5b41e00.tgz -C /tmp/sef
  ```
- Run the installer:

  ```sh
  cd /tmp/sef
  sudo ./install.sh
  ```

  You should see output like this:

  ```text
  spyderbat-event-forwarder is installed!

  !!!!!!
  Please edit the config file now:
  /opt/spyderbat-events/etc/config.yaml
  !!!!!!

  To start the service, run:
  sudo systemctl start spyderbat-event-forwarder.service

  To view the service status, run:
  sudo journalctl -fu spyderbat-event-forwarder.service
  ```
- Edit the config file:

  ```sh
  sudo vi /opt/spyderbat-events/etc/config.yaml
  ```

- Start the service:

  ```sh
  sudo systemctl start spyderbat-event-forwarder.service
  ```

- Check the service:

  ```sh
  sudo journalctl -fu spyderbat-event-forwarder.service
  ```

  Use ^C to stop following the log. If you see errors, check the configuration, restart the service, and check again.

- Enable the service to run at boot time:

  ```sh
  sudo systemctl enable spyderbat-event-forwarder.service
  ```
- If desired, integrate with the Splunk universal forwarder:

  ```console
  $ sudo splunk add monitor /opt/spyderbat-events/var/log/spyderbat_events.log
  Your session is invalid. Please login.
  Splunk username: <your splunk username>
  Password: <your splunk password>
  Added monitor of '/opt/spyderbat-events/var/log/spyderbat_events.log'.
  ```
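A post-install check to keep alongside the service, added here as an example (shell; not part of the Spyderbat project): it verifies that the config file is readable only by its owner, that the log file named by the installer is still being written, and that systemd reports the unit enabled and active. The paths are those printed by install.sh; treating config.yaml as holding the API credential is an assumption about its contents.

```sh
#!/bin/sh
# Post-install health check for the forwarder (added example; not part of the project).
# Assumes the paths printed by install.sh, and that config.yaml holds the API
# credential (an assumption about its contents), so it should be owner-readable only.

CFG=/opt/spyderbat-events/etc/config.yaml
LOG=/opt/spyderbat-events/var/log/spyderbat_events.log

# file_mode PATH: octal permission bits, GNU stat first, BSD stat as fallback
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
# file_mtime PATH: modification time as a Unix timestamp
file_mtime() { stat -c '%Y' "$1" 2>/dev/null || stat -f '%m' "$1"; }

# check_config_perms PATH: 0 when no group/other bits are set (600, 400, 700 ...)
check_config_perms() {
    [ -f "$1" ] || { echo "missing config: $1" >&2; return 1; }
    mode=$(file_mode "$1")
    case "$mode" in
        *00) return 0 ;;
        *) echo "config $1 is mode $mode; expected owner-only (chmod 600)" >&2; return 1 ;;
    esac
}

# check_log_fresh PATH MAX_AGE: 0 when the log was written within MAX_AGE seconds,
# a cheap way to notice a forwarder that is running but no longer receiving events
check_log_fresh() {
    [ -f "$1" ] || { echo "missing log: $1" >&2; return 1; }
    age=$(( $(date +%s) - $(file_mtime "$1") ))
    [ "$age" -le "$2" ] || { echo "log $1 last written ${age}s ago" >&2; return 1; }
}

# check_service UNIT: 0 when systemd reports the unit enabled and active;
# skipped (returns 0) where systemctl is unavailable, e.g. inside a container
check_service() {
    command -v systemctl >/dev/null 2>&1 || { echo "systemctl not found; skipped" >&2; return 0; }
    systemctl is-enabled --quiet "$1" && systemctl is-active --quiet "$1"
}

main() {
    rc=0
    check_config_perms "$CFG" || rc=1
    check_log_fresh "$LOG" 600 || rc=1
    check_service spyderbat-event-forwarder.service || rc=1
    [ "$rc" -eq 0 ] && echo "forwarder looks healthy"
    return "$rc"
}

# Invoke as: sh sef-check.sh run   (the functions can also be sourced and called one by one)
case "${1:-}" in run) main ;; esac
```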