Getting Data In

Remote snare security logs to splunk

tprnc
New Member

For anyone who has used the Snare agent - I've been testing Snare agent for Windows and Snare server, and I've gotten the desired security event logs from the agent (logins and specific file access) to the server. Then BLAM - the quote came in a lot higher than I expected. So I set up a Splunk receiver, but the server running the agent doesn't show up as a source in Splunk Search.

Free agent is UDP only, so I've tried ports 514 and 6161, and tried source types of both windows_snare_syslog and plain old syslog. I have those ports open in the firewall on the Splunk receiver. I've restarted the Snare and Splunk services.

I know about the universal forwarder, but I'd really rather use the Snare agent because it's already set to output only the info that I need.

What am I missing in my setup? Thanks.


starcher
Influencer

I would also recommend sending syslog to a receiving host like a Unix system. That way you collect using the Splunk forwarder, and if you ever have multiple indexers it can handle the load balancing. Sending straight syslog to a single indexer keeps you from having that option.


Ayn
Legend

OK, so have you confirmed (using Wireshark or similar) that data is actually arriving on the port?


tprnc
New Member

No problem with GPO, so I'm still not sure why 514 is getting no action.


tprnc
New Member

Thanks. Yes, I set a data input for UDP 514. It shows up in netstat, but the state is blank.

I said earlier that my snare agent host isn't showing up as a source, but I meant it isn't showing up as a host.

I have that port open in the firewall, but I just saw that a GPO may be blocking, so I'm getting ready to check that.


Ayn
Legend

Have you created a UDP input on port 514 on the Splunk indexer? Have you checked that you're actually receiving packets on port UDP/514?

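The two checks Ayn asks about, as an added example that is not part of this thread and not Snare's or Splunk's own code: a small Python script that (a) binds a UDP listener on loopback, sends itself one datagram and reads it back, which proves the host's UDP receive path works independently of Splunk, and (b) parses a Snare-for-Windows syslog line into the syslog header host and the tab-delimited `MSWinEventLog` fields. The sample line is constructed here, and the field names given to the tab-delimited columns are descriptive labels assumed from the agent's usual output layout, not names Splunk assigns.

```python
import socket
from dataclasses import dataclass, field
from typing import Optional, Tuple

SNARE_MARKER = "MSWinEventLog"

# Labels for the tab-delimited columns that follow the MSWinEventLog token.
# Assumed layout of the Snare for Windows payload; names chosen here for readability.
SNARE_FIELDS = (
    "criticality", "event_log", "snare_counter", "date_time", "event_id",
    "source_name", "user_name", "sid_type", "event_log_type", "computer_name",
    "category", "data", "expanded", "checksum",
)

# Constructed sample of one logon event (ID 4624) as the agent would send it over
# UDP syslog: RFC 3164 style <PRI>, timestamp, host, then the Snare payload.
SAMPLE_LINE = (
    "<13>Mar 20 10:00:01 WINHOST01 MSWinEventLog\t1\tSecurity\t42\t"
    "Fri Mar 20 10:00:01 2015\t4624\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\t"
    "Success Audit\tWINHOST01\tLogon\t\tAn account was successfully logged on.\t41"
)


@dataclass
class SnareEvent:
    priority: int
    facility: int
    severity: int
    syslog_host: str            # host name from the syslog header
    fields: dict = field(default_factory=dict)


def parse_snare_syslog(line: str) -> Optional[SnareEvent]:
    """Parse one Snare-over-syslog line; return None if it is not a Snare event."""
    if not line.startswith("<"):
        return None
    end = line.find(">")
    if end < 0:
        return None
    try:
        pri = int(line[1:end])
    except ValueError:
        return None
    # Split the header on whitespace runs so a space-padded day ("Mar  5") still works;
    # maxsplit=4 leaves the tab-separated payload intact as the fifth element.
    parts = line[end + 1:].split(None, 4)
    if len(parts) < 5:
        return None
    host, payload = parts[3], parts[4]
    if not payload.startswith(SNARE_MARKER):
        return None
    values = payload.split("\t")[1:]            # drop the marker itself
    return SnareEvent(pri, pri // 8, pri % 8, host, dict(zip(SNARE_FIELDS, values)))


def udp_roundtrip(payload: bytes, port: int = 0, timeout: float = 2.0) -> Tuple[bytes, str]:
    """Bind a UDP socket on loopback, send one datagram to it, return (data, sender_ip).

    port=0 picks an ephemeral port so this runs unprivileged; the same loop on the
    real receiver port shows whether anything local is intercepting the traffic.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", port))
        rx.settimeout(timeout)
        bound_port = rx.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(payload, ("127.0.0.1", bound_port))
        data, (src_ip, _src_port) = rx.recvfrom(65535)
    return data, src_ip


if __name__ == "__main__":
    data, sender = udp_roundtrip(SAMPLE_LINE.encode())
    ev = parse_snare_syslog(data.decode())
    print(f"datagram from {sender}: {len(data)} bytes")
    if ev:
        print(f"syslog host={ev.syslog_host} facility={ev.facility} severity={ev.severity}")
        print(f"event_id={ev.fields['event_id']} computer={ev.fields['computer_name']}")
```

Two caveats for the symptoms described above. A blank STATE column in netstat for the 514 socket is normal: UDP has no connection state, so that line only tells you something is bound, not that packets arrive; Wireshark or tcpdump with a `udp port 514` filter on the Splunk host is the check that actually answers Ayn's second question. And the host name the parser pulls from the syslog header (`WINHOST01` in the constructed line) is a useful thing to compare against whatever Splunk lists under `host` for the input, since the two need not agree depending on how the UDP input assigns hosts.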