All Apps and Add-ons

getting security onion data into splunk

Path Finder

I have a couple of basic questions:

  1. Is Splunk be a replacement for the built-in ELSA tool for examining SO data?
  2. What is the best method to get the data into Splunk from a SO standalone instance?

Thanks!

Nick

1 Solution

Champion

Have you had a look at; http://apps.splunk.com/app/972/ ?

If you read the docs it appears to cover everything you'd need to get the data and analyze it, although I've not had first hand experience using it.

EDIT: This might also help! http://eyeis.net/2012/04/splunking-the-onion/

View solution in original post

Champion

Have you had a look at; http://apps.splunk.com/app/972/ ?

If you read the docs it appears to cover everything you'd need to get the data and analyze it, although I've not had first hand experience using it.

EDIT: This might also help! http://eyeis.net/2012/04/splunking-the-onion/

View solution in original post

Splunk Employee
Splunk Employee

nwieseler, if Drainy answered your question, could you please check the checkmark to accept his answer? thanks 🙂

0 Karma

Path Finder

Yeah that's where I snipped the text in bold above. I had read that before albeit not as carefully as I should have.

I was more concerned on how to get the data to my indexer after the app was installed - didn't even think about a forwarder when I asked the question (my bad) since this is our first Linux box that will forward data (we're a Windows shop) 😉 The answer I think using the forwarder with syslog the other option as you suggest.

Thanks!

Nick

Champion

Did you click on the Documentation tab? it has details on how to install and configure the app.
To get your data you could configure syslog to output to a listening port on Splunk and just define a tcp input, but yeah the better and more secure/reliable way would be to just install a forwarder and let it handle everything 🙂 There is a contact link on the app so if you do get stuck it might be worth firing a message off.

0 Karma

Path Finder

I think part of it is I'm still learning Security Onion so the Bro piece didn't stand out but more importantly is this is the first Linux machine I'll be forwarding data from [to Windows based Splunk instances] so it wasn't immediately apparent I should just be using the Linux universal forwarder like I would use on any other Windows box (which I think is the answer to my question).

I had also read the link you posted but it seems to be more of an overview of the app then a configuration guide.

Thanks,

Nick

0 Karma

Path Finder

Yeah I read the notes a couple times but I seemed to have totally blew past the this part:

"Log file data inputs are file specific (as opposed to monitoring the entire /nsm/bro/logs/current/ directory) primarily for granular control over what gets splunked."

Nick

0 Karma