chron-mcp 0.1.14 → 0.1.18
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +305 -0
- package/dashboards/logscale/README.md +121 -0
- package/dashboards/sentinel/README.md +123 -0
- package/dashboards/sentinel/ai-tool-usage.kql +7 -0
- package/dashboards/sentinel/daily-active-developers.kql +6 -0
- package/dashboards/sentinel/events-by-type.kql +5 -0
- package/dashboards/sentinel/secrets-alert.kql +7 -0
- package/dashboards/sentinel/secrets-detected.kql +7 -0
- package/dashboards/sentinel/sessions-by-developer.kql +6 -0
- package/dashboards/splunk/README.md +138 -0
- package/dashboards/splunk/ai-tool-usage.spl +3 -0
- package/dashboards/splunk/daily-active-developers.spl +2 -0
- package/dashboards/splunk/events-by-type.spl +2 -0
- package/dashboards/splunk/secrets-alert.spl +3 -0
- package/dashboards/splunk/secrets-detected.spl +4 -0
- package/dashboards/splunk/sessions-by-developer.spl +3 -0
- package/dist/cli/index.js +859 -21
- package/dist/index.js +53628 -52692
- package/package.json +1 -1
- package/skills/chron/SKILL.md +8 -1
- package/skills/chron.skill.md +7 -0
|
@@ -0,0 +1,138 @@
|
|
|
1
|
+
# Chron → Splunk
|
|
2
|
+
|
|
3
|
+
Stream AI session telemetry from developer machines into Splunk via HTTP Event Collector (HEC). Works with Splunk Enterprise, Splunk Cloud, and a local Docker instance for testing.
|
|
4
|
+
|
|
5
|
+
## Quickest way to see it working — Splunk Docker
|
|
6
|
+
|
|
7
|
+
The fastest path to visually verify the integration with no accounts or licenses:
|
|
8
|
+
|
|
9
|
+
```bash
|
|
10
|
+
docker run -d \
|
|
11
|
+
--name splunk-chron \
|
|
12
|
+
--platform linux/amd64 \
|
|
13
|
+
-p 8000:8000 \
|
|
14
|
+
-p 8088:8088 \
|
|
15
|
+
-e SPLUNK_START_ARGS=--accept-license \
|
|
16
|
+
-e SPLUNK_PASSWORD=Admin1234! \
|
|
17
|
+
-e SPLUNK_HEC_TOKEN=chron-test-token \
|
|
18
|
+
splunk/splunk:latest
|
|
19
|
+
```
|
|
20
|
+
|
|
21
|
+
> **Apple Silicon (M1/M2/M3):** The `--platform linux/amd64` flag is required — the Splunk image has no ARM64 manifest. Docker Desktop uses Rosetta 2 to emulate it automatically.
|
|
22
|
+
|
|
23
|
+
Wait ~2 minutes for Splunk to start, then:
|
|
24
|
+
|
|
25
|
+
```bash
|
|
26
|
+
chron connect splunk
|
|
27
|
+
# URL: https://localhost:8088 ← HTTPS (Splunk 9.x uses SSL by default)
|
|
28
|
+
# Token: chron-test-token
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
> Certificate verification is automatically skipped for localhost URLs — no extra flags needed.
|
|
32
|
+
|
|
33
|
+
Add to your MCP config and use your AI tool. Open [http://localhost:8000](http://localhost:8000) (admin / Admin1234!) and search:
|
|
34
|
+
|
|
35
|
+
```
|
|
36
|
+
sourcetype="chron:event"
|
|
37
|
+
```
|
|
38
|
+
|
|
39
|
+
Events appear in real time as you have AI conversations.
|
|
40
|
+
|
|
41
|
+
> Note: The default Docker image auto-creates a HEC token with the value you set in `SPLUNK_HEC_TOKEN`. If events aren't arriving, verify HEC is enabled under **Settings → Data Inputs → HTTP Event Collector**.
|
|
42
|
+
|
|
43
|
+
---
|
|
44
|
+
|
|
45
|
+
## Production setup — Splunk Enterprise or Cloud
|
|
46
|
+
|
|
47
|
+
### Step 1 — Enable HTTP Event Collector
|
|
48
|
+
|
|
49
|
+
**Splunk Enterprise:** Settings → Data Inputs → HTTP Event Collector → Global Settings → Enable
|
|
50
|
+
|
|
51
|
+
**Splunk Cloud:** Settings → Data Inputs → HTTP Event Collector → New Token
|
|
52
|
+
|
|
53
|
+
### Step 2 — Create a HEC token
|
|
54
|
+
|
|
55
|
+
1. Settings → Data Inputs → HTTP Event Collector → New Token
|
|
56
|
+
2. Name: `chron-ingest`
|
|
57
|
+
3. Source type: `chron:event` (create new if prompted)
|
|
58
|
+
4. Index: `main` (or a dedicated `chron` index)
|
|
59
|
+
5. Copy the token value
|
|
60
|
+
|
|
61
|
+
### Step 3 — Connect from the developer machine
|
|
62
|
+
|
|
63
|
+
```bash
|
|
64
|
+
chron connect splunk
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
Enter the HEC base URL and token when prompted. The command sends a test event and confirms before saving.
|
|
68
|
+
|
|
69
|
+
### Step 4 — Add env vars to your MCP client
|
|
70
|
+
|
|
71
|
+
The `connect` command prints the exact block to paste. For Claude Code, add to the `chron` entry in `~/.claude.json`:
|
|
72
|
+
|
|
73
|
+
```json
|
|
74
|
+
{
|
|
75
|
+
"mcpServers": {
|
|
76
|
+
"chron": {
|
|
77
|
+
"type": "stdio",
|
|
78
|
+
"command": "node",
|
|
79
|
+
"args": ["/path/to/dist/index.js"],
|
|
80
|
+
"env": {
|
|
81
|
+
"CHRON_SPLUNK_URL": "https://your-splunk-host:8088",
|
|
82
|
+
"CHRON_SPLUNK_TOKEN": "<your-hec-token>"
|
|
83
|
+
}
|
|
84
|
+
}
|
|
85
|
+
}
|
|
86
|
+
}
|
|
87
|
+
```
|
|
88
|
+
|
|
89
|
+
### Step 5 — Run SPL queries
|
|
90
|
+
|
|
91
|
+
In Splunk → Search & Reporting, run queries from this directory:
|
|
92
|
+
|
|
93
|
+
| File | Use |
|
|
94
|
+
|---|---|
|
|
95
|
+
| `events-by-type.spl` | Time-series — event volume by type |
|
|
96
|
+
| `sessions-by-developer.spl` | Table — sessions per host and AI tool |
|
|
97
|
+
| `secrets-detected.spl` | Table — credential exposures for SOC review |
|
|
98
|
+
| `ai-tool-usage.spl` | Summary — tool adoption breakdown |
|
|
99
|
+
| `daily-active-developers.spl` | Time-series — distinct active machines per day |
|
|
100
|
+
| `secrets-alert.spl` | Alert search — credential exposures (last 1h) |
|
|
101
|
+
|
|
102
|
+
### Step 6 — Set up the credential alert (recommended)
|
|
103
|
+
|
|
104
|
+
1. Search & Reporting → paste `secrets-alert.spl` → Save As → Alert
|
|
105
|
+
2. Schedule: Run every hour
|
|
106
|
+
3. Trigger: Number of results is greater than 0
|
|
107
|
+
4. Action: Send email or create a notable event
|
|
108
|
+
|
|
109
|
+
---
|
|
110
|
+
|
|
111
|
+
## Event schema
|
|
112
|
+
|
|
113
|
+
All events arrive with `sourcetype=chron:event` and these fields:
|
|
114
|
+
|
|
115
|
+
| Field | Present on |
|
|
116
|
+
|---|---|
|
|
117
|
+
| `host` | All events: developer's machine hostname |
|
|
118
|
+
| `source` | All events: `chron-mcp` |
|
|
119
|
+
| `event_type` | All: `session_started`, `message_logged`, `secret_detected` |
|
|
120
|
+
| `session_id_prefix` | All events |
|
|
121
|
+
| `ai_tool` | All events: `claude`, `cursor`, `windsurf`, etc. |
|
|
122
|
+
| `os` | All events: `darwin`, `linux`, `win32` |
|
|
123
|
+
| `chron_version` | All events |
|
|
124
|
+
| `role` | `message_logged` only: `user` or `assistant` |
|
|
125
|
+
| `detection_type` | `secret_detected` only: `api_key`, `aws_key`, `jwt`, etc. |
|
|
126
|
+
| `masked_value` | `secret_detected` only: e.g. `AKIA****F3K2` |
|
|
127
|
+
|
|
128
|
+
**What is never transmitted:** message content, actual secret values, file paths, or any user-typed text.
|
|
129
|
+
|
|
130
|
+
## Env vars
|
|
131
|
+
|
|
132
|
+
| Env var | Description |
|
|
133
|
+
|---|---|
|
|
134
|
+
| `CHRON_SPLUNK_URL` | Splunk HEC base URL, e.g. `https://localhost:8088` or `https://your-host:8088` |
|
|
135
|
+
| `CHRON_SPLUNK_TOKEN` | HEC ingest token |
|
|
136
|
+
| `CHRON_SPLUNK_INSECURE` | Set to `1` to skip TLS certificate verification (local Docker with self-signed cert) |
|
|
137
|
+
|
|
138
|
+
`CHRON_SPLUNK_URL` and `CHRON_SPLUNK_TOKEN` must both be set for events to flow. If unset, the integration is silently disabled.
|