Output Plugins

This document outlines how to send flow and hunt results from GRR to other systems and formats for further analysis.

Every GRR installation supports many Output Plugins by default to save flow/hunt results in different formats or send the results to other systems.

Splunk

GRR can send flow results as Events to Splunk’s HTTP Event Collector. To set this up, add a new HTTP Event Collector in Splunk’s Data Input Settings. Events automatically get grr as default source and grr_flow_result as default sourcetype unless you override this in Splunk’s or GRR’s configuration.

Configure GRR to send data to your Splunk instance by specifying the following values in your server configuration YAML file. url refers to the absolute API URL of your Splunk installation, including scheme and port. token is the generated access token from the Splunk HEC settings. More configuration options, including how to deal with Splunk Cloud’s self-signed certificates are found in config/output_plugins.py.

Splunk.url: https://input-prd-p-123456788901.cloud.splunk.com:8088
Splunk.token: 97e96c19-9bf1-4618-a079-37c567b577dc

After restarting your server, you can send flow and hunt results to Splunk, by enabling SplunkOutputPlugin when launching a flow/hunt. Here’s an example event that will be sent to Splunk, where the analyst set incident-123 as annotation for the flow.

{
    "annotations": ["incident-123"],
    "client": {
      "hostname": "max.example.com",
      "os": "Linux",
      "usernames": "max",
      // ...
    },
    "flow": {
      "name": "ClientFileFinder",
      "creator": "sherlock",
      "flowId": "23B01B77",
      // ...
    },
    "resultType": "FileFinderResult",
    "result": {
      "statEntry": {
        "stMode": "33261",
        "stSize": "1444",
        "pathspec": {
          "path": "/home/max/Downloads/rickmortyseason6earlyaccess.sh",
          // ...
        },
        // ...
      }
    }
  }

BigQuery

Our blog contains a post explaining how to setup and use BigQuery.