I am trying to find a version of the Linux Splunk forwarder that works with Security Onion - previously in the past Security Onion was a bit fussy with what distro could be used, and since it's been updated in Oct 18, (now using a 64 bit Ubuntu release underneath) 4.15.0-48-generic kernel - I can't get a version of the forwarder to work - if anyone has had any success with the newer Sec Onion, please could you let me know. Ta.
Hi, do you want to install a forwarder on Security Onion server and then send the logs to another Splunk indexer?
may we know if you have checked this app "Security Onion App for Splunk software"
https://splunkbase.splunk.com/app/972/
maybe check this blog:
https://www.elysiumsecurity.com/blog/IDS/post2.html#Splunk