Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Are there currently supported methods for ingesting and monitoring Suricata events in Splunk?

opoplawski
Explorer
‎11-17-2022 09:57 AM

Are there currently supported methods for ingesting and monitoring Suricata events in splunk?

Labels (3)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-17-2022 12:16 PM

There is an old TA on splunkbase (https://splunkbase.splunk.com/app/4242).  Perhaps it will help.

If not, there are a few ways to onboard data into Splunk.

Install a universal forwarder on the server to send log files to Splunk
Have the server send syslog data to Splunk via a syslog server or Splunk Connect for Syslog
Use the server's API to extract data for indexing
Use Splunk DB Connect to pull data from the server's SQL database.
Have the application send data directly to Splunk using HTTP Event Collector (HEC).

What you mean by "supported"?  The TA is unsupported.  The onboarding methods are standard in Splunk, but Splunk Support will not help you with them as they are break/fix only.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

opoplawski
Explorer
‎11-17-2022 12:41 PM

I'm suspicious of the old TA for Suricata because it mentions splunk 7.2 and CIM 4.x, but I'll guess I'll test it out.

I guess I'm looking for "useful" more than anything else.  Something that will display the events in a useful way.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-17-2022 01:21 PM

The old TA can be used as a guide to create your own TA that is more up-to-date.

Neither TA will display events as they only help onboard them.  For display purposes, you'll need an app (Search & Reporting should do).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...