All Apps and Add-ons

getting security onion data into splunk

nwieseler
Path Finder

I have a couple of basic questions:

  1. Is Splunk be a replacement for the built-in ELSA tool for examining SO data?
  2. What is the best method to get the data into Splunk from a SO standalone instance?

Thanks!

Nick

1 Solution

Drainy
Champion

Have you had a look at; http://apps.splunk.com/app/972/ ?

If you read the docs it appears to cover everything you'd need to get the data and analyze it, although I've not had first hand experience using it.

EDIT: This might also help! http://eyeis.net/2012/04/splunking-the-onion/

View solution in original post

Drainy
Champion

Have you had a look at; http://apps.splunk.com/app/972/ ?

If you read the docs it appears to cover everything you'd need to get the data and analyze it, although I've not had first hand experience using it.

EDIT: This might also help! http://eyeis.net/2012/04/splunking-the-onion/

piebob
Motivator

nwieseler, if Drainy answered your question, could you please check the checkmark to accept his answer? thanks 🙂

0 Karma

nwieseler
Path Finder

Yeah that's where I snipped the text in bold above. I had read that before albeit not as carefully as I should have.

I was more concerned on how to get the data to my indexer after the app was installed - didn't even think about a forwarder when I asked the question (my bad) since this is our first Linux box that will forward data (we're a Windows shop) 😉 The answer I think using the forwarder with syslog the other option as you suggest.

Thanks!

Nick

Drainy
Champion

Did you click on the Documentation tab? it has details on how to install and configure the app.
To get your data you could configure syslog to output to a listening port on Splunk and just define a tcp input, but yeah the better and more secure/reliable way would be to just install a forwarder and let it handle everything 🙂 There is a contact link on the app so if you do get stuck it might be worth firing a message off.

0 Karma

nwieseler
Path Finder

I think part of it is I'm still learning Security Onion so the Bro piece didn't stand out but more importantly is this is the first Linux machine I'll be forwarding data from [to Windows based Splunk instances] so it wasn't immediately apparent I should just be using the Linux universal forwarder like I would use on any other Windows box (which I think is the answer to my question).

I had also read the link you posted but it seems to be more of an overview of the app then a configuration guide.

Thanks,

Nick

0 Karma

nwieseler
Path Finder

Yeah I read the notes a couple times but I seemed to have totally blew past the this part:

"Log file data inputs are file specific (as opposed to monitoring the entire /nsm/bro/logs/current/ directory) primarily for granular control over what gets splunked."

Nick

0 Karma
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...