
Splunk for Snort: read data from MySQL instead of from the log file

tbaror
New Member

Would it be possible to read directly from the MySQL schema instead of the Snort log file, since I have a few sensors logging into the MySQL DB on the Splunk machine?

Thanks


Ayn
Legend

This is not supported at this time, and likely won't be anytime soon either.

The idea of the Splunk for Snort app is to operate on Snort log data within Splunk's index. Having it operate on data in an external SQL database would require a scripted input that first reads it out of the database, transforms it into some text format (for instance one of the formats already supported by the app) and then feeds it into Splunk. This is a somewhat backwards way of doing things, and there are a bunch of other tools that can operate directly on an SQL database containing Snort events instead, like for instance Snorby, Aanval (I think?), BASE/ACID/SnortCenter, and others.

That said, I don't have anything against the idea itself so if someone were to add this functionality to the app I wouldn't mind including it in the "official" package.

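The scripted-input approach the answer describes, as an added example that is not part of this thread and not code from the Splunk for Snort app: poll the Snort database for events newer than a per-sensor checkpoint, join them to the signature and header tables, and print each one as an alert_fast-style line for Splunk to index. It assumes the classic Snort output-database layout (event, signature, sig_class, iphdr, tcphdr, udphdr tables, with sid/cid as the event key and addresses stored as 32-bit integers) and uses an in-memory sqlite3 database with constructed rows in place of MySQL so it runs offline; the schema, sample rows, function names and the zero-microsecond timestamp are all assumptions, not anything from the original post.

```python
import sqlite3
from datetime import datetime
from ipaddress import IPv4Address

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Assumption: the classic Snort output-database schema. sqlite3 stands in for
# MySQL so the example runs offline; the SQL is the same apart from the driver.
SAMPLE_SCHEMA = """
CREATE TABLE sig_class (sig_class_id INTEGER PRIMARY KEY, sig_class_name TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_class_id INTEGER,
                        sig_priority INTEGER, sig_rev INTEGER, sig_sid INTEGER, sig_gid INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER, ip_proto INTEGER,
                    PRIMARY KEY (sid, cid));
CREATE TABLE tcphdr (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER,
                     PRIMARY KEY (sid, cid));
CREATE TABLE udphdr (sid INTEGER, cid INTEGER, udp_sport INTEGER, udp_dport INTEGER,
                     PRIMARY KEY (sid, cid));
"""

# Constructed sample rows: two sensors (sid 1 and 2), three events in total.
# Addresses are unsigned 32-bit integers, as Snort's database output stores them.
SAMPLE_ROWS = """
INSERT INTO sig_class VALUES (1, 'Potentially Bad Traffic'), (2, 'Misc activity');
INSERT INTO signature VALUES
  (10, 'GPL ATTACK_RESPONSE id check returned root', 1, 2, 7, 2100498, 1),
  (11, 'ICMP PING', 2, 3, 7, 382, 1),
  (12, 'EXAMPLE SNMP request udp', 1, 2, 1, 9000001, 1);
INSERT INTO event VALUES (1, 1, 10, '2013-01-13 16:30:42'),
                         (1, 2, 12, '2013-01-13 16:30:50'),
                         (2, 1, 11, '2013-01-13 16:31:00');
INSERT INTO iphdr VALUES (1, 1, 167772165, 3232235778, 6),
                         (1, 2, 3232235778, 167772165, 17),
                         (2, 1, 3232235778, 167772165, 1);
INSERT INTO tcphdr VALUES (1, 1, 80, 51234);
INSERT INTO udphdr VALUES (1, 2, 40001, 161);
"""

# One joined row per event; ports come from whichever L4 header table matched.
EVENT_QUERY = """
SELECT e.sid, e.cid, e.timestamp, s.sig_gid, s.sig_sid, s.sig_rev, s.sig_name,
       c.sig_class_name, s.sig_priority, i.ip_proto, i.ip_src, i.ip_dst,
       COALESCE(t.tcp_sport, u.udp_sport), COALESCE(t.tcp_dport, u.udp_dport)
FROM event e
JOIN signature s ON s.sig_id = e.signature
LEFT JOIN sig_class c ON c.sig_class_id = s.sig_class_id
JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
LEFT JOIN udphdr u ON u.sid = e.sid AND u.cid = e.cid
WHERE e.sid = ? AND e.cid > ?
ORDER BY e.cid
"""


def build_sample_db():
    """Create an in-memory database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA + SAMPLE_ROWS)
    return conn


def format_alert_fast(row):
    """Render one joined event row as a Snort alert_fast-style line.
    Assumption: the DB timestamp has second precision, so microseconds are zero."""
    (sid, cid, ts, gid, sig_id, rev, name, cls, prio, proto, src, dst, sport, dport) = row
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime("%m/%d-%H:%M:%S.000000")
    src_s, dst_s = str(IPv4Address(src)), str(IPv4Address(dst))
    if sport is not None:  # ICMP rows carry no ports
        src_s, dst_s = f"{src_s}:{sport}", f"{dst_s}:{dport}"
    cls_part = f"[Classification: {cls}] " if cls else ""
    return (f"{when}  [**] [{gid}:{sig_id}:{rev}] {name} [**] {cls_part}"
            f"[Priority: {prio}] {{{PROTO_NAMES.get(proto, proto)}}} {src_s} -> {dst_s}")


def fetch_new_events(conn, checkpoints):
    """Return (lines, new_checkpoints) for every event newer than the per-sensor
    checkpoint. cid is a per-sensor counter, so the checkpoint is keyed by sid;
    persisting it between runs is what keeps a polling scripted input from
    re-ingesting the same alerts on every interval."""
    sensors = {sid for (sid,) in conn.execute("SELECT DISTINCT sid FROM event")}
    new_cp = dict(checkpoints)
    lines = []
    for sid in sorted(sensors):
        for row in conn.execute(EVENT_QUERY, (sid, new_cp.get(sid, 0))):
            lines.append(format_alert_fast(row))
            new_cp[sid] = row[1]
    return lines, new_cp


if __name__ == "__main__":
    # A scripted input prints to stdout; Splunk indexes whatever it prints.
    db = build_sample_db()
    out, cp = fetch_new_events(db, {})
    print("\n".join(out))
```

In a real deployment the checkpoint dictionary would be written to a file under the app's local directory after each run, the sqlite3 connection would be replaced by a MySQL driver connection, and the emitted lines would be given the sourcetype the app already parses so its existing field extractions apply unchanged.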