For anyone who has used the Snare agent: I've been testing the Snare agent for Windows and Snare Server, and I've gotten the desired security event logs from the agent (logins and specific file access) to the server. Then, BLAM, the quote came in a lot higher than I expected. So I set up a Splunk receiver, but the server running the agent doesn't show up as a source in Splunk Search.
The free agent is UDP only, so I've tried ports 514 and 6161, and tried source types of both windows_snare_syslog and plain old syslog. I have those ports open in the firewall on the Splunk receiver. I've restarted the Snare and Splunk services.
I know about the universal forwarder, but I'd really rather use the snare agent because it's already set to output only the info that I need.
What am I missing in my setup? Thanks.
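A way to isolate the problem described above is to send a known, hand-built datagram to the Splunk UDP input and see whether it appears in search at all, independent of the Snare agent. The script below is an added example, not code from the thread or from Snare/Splunk: it builds a Snare-style tab-delimited Windows event, wraps it in an RFC 3164 syslog line, and sends it over UDP. The field order in `SNARE_FIELDS`, the hostname `WINHOST01`, and the event content are constructed assumptions for illustration; `loopback_check` proves the sender and a UDP listener agree on the bytes without needing a Splunk instance.

```python
"""Send a Snare-style Windows event over UDP syslog and confirm delivery.

Added example, not part of the original thread. Target host/port, hostname
and event data are constructed; the receiver is assumed to be a Splunk UDP
input such as [udp://514] in inputs.conf.
"""
import socket
from datetime import datetime
from typing import Dict, Optional

SYSLOG_FACILITY_USER = 1     # RFC 3164 facility "user-level messages"
SYSLOG_SEVERITY_NOTICE = 5   # RFC 3164 severity "normal but significant"

# Assumed field order of a Snare for Windows record (tab-delimited). Verify
# against a real agent record before relying on it in a field extraction.
SNARE_FIELDS = [
    "Header", "Criticality", "EventLogSource", "SnareCounter", "DateTime",
    "EventID", "SourceName", "UserName", "SIDType", "EventLogType",
    "ComputerName", "CategoryString", "DataString", "ExpandedString",
    "MD5Checksum",
]


def build_snare_event(computer: str, event_id: int, user: str, data: str,
                      counter: int = 1, when: Optional[str] = None) -> str:
    """Return one tab-delimited Snare-style Security log record."""
    when = when or datetime.now().strftime("%a %b %d %H:%M:%S %Y")
    values = [
        "MSWinEventLog", "1", "Security", str(counter), when, str(event_id),
        "Microsoft-Windows-Security-Auditing", user, "N/A", "Success Audit",
        computer, "Logon", data, "", "",
    ]
    assert len(values) == len(SNARE_FIELDS)
    return "\t".join(values)


def parse_snare(line: str) -> Dict[str, str]:
    """Split a Snare record back into named fields (inverse of the builder)."""
    parts = line.split("\t")
    if len(parts) != len(SNARE_FIELDS):
        raise ValueError(f"expected {len(SNARE_FIELDS)} fields, got {len(parts)}")
    return dict(zip(SNARE_FIELDS, parts))


def build_syslog_datagram(hostname: str, msg: str,
                          facility: int = SYSLOG_FACILITY_USER,
                          severity: int = SYSLOG_SEVERITY_NOTICE,
                          timestamp: Optional[str] = None) -> bytes:
    """Wrap msg in an RFC 3164 header: <PRI>TIMESTAMP HOSTNAME MSG."""
    pri = facility * 8 + severity
    timestamp = timestamp or datetime.now().strftime("%b %d %H:%M:%S")
    return f"<{pri}>{timestamp} {hostname} {msg}".encode("utf-8")


def send_to_receiver(host: str, port: int, payload: bytes) -> int:
    """Fire one UDP datagram at the syslog receiver; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (host, port))


def loopback_check(payload: bytes, timeout: float = 2.0) -> bytes:
    """Bind a throwaway UDP listener on localhost, send payload to it, and
    return what arrived. Confirms the encoding path without a Splunk host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as server:
        server.bind(("127.0.0.1", 0))           # ephemeral port
        server.settimeout(timeout)
        _, port = server.getsockname()
        send_to_receiver("127.0.0.1", port, payload)
        data, _ = server.recvfrom(65535)
        return data


if __name__ == "__main__":
    # Constructed test event: a successful logon (4624) on WINHOST01.
    event = build_snare_event("WINHOST01", 4624, "CORP\\jdoe",
                              "An account was successfully logged on.", 7)
    datagram = build_syslog_datagram("WINHOST01", event)
    print("local loopback ok:", loopback_check(datagram) == datagram)
    # Uncomment and point at the Splunk receiver, then search for WINHOST01:
    # send_to_receiver("splunk.example.internal", 514, datagram)
```

If the loopback check passes but the message never appears in Splunk, the problem is between the hosts (firewall, GPO, or the input's binding), not in the syslog framing; if it appears but under an unexpected host value, look at how the UDP input derives the host field rather than at the agent.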
I would also recommend sending syslog to a receiving host like a Unix system. That way you collect using the Splunk forwarder, and if you ever have multiple indexers it can handle the load balancing. Sending straight syslog to a single indexer keeps you from having that option.
Thanks. Yes, I set up a data input for UDP 514. It shows up in netstat, but the state is blank.
I said earlier that my snare agent host isn't showing up as a source, but I meant it isn't showing up as a host.
I have that port open in the firewall, but I just saw that a GPO may be blocking it, so I'm getting ready to check that.