Getting Data In

Remote snare security logs to splunk

New Member

For anyone who has used the snare agent - I've been testing snare agent for windows and snare server, and I've gotten the desired security event logs from the agent (- logins and specific file access) to the server. Then BLAM - the quote came in a lot higher than I expected. So I set up a splunk receiver, but the server running the agent doesn't show up as a source in Splunk Search.

Free agent is udp only, so I've tried ports 514 and 6161, and tried source types of both windows_snare_syslog and plain old syslog. I have those ports open in the firewall on the splunk receiver. I've restarted the snare and splunk services.

I know about the universal forwarder, but I'd really rather use the snare agent because it's already set to output only the info that I need.

What am I missing in my setup? Thanks.

Tags (3)
0 Karma

SplunkTrust
SplunkTrust

I would also recommend sending syslog to a receiving host like a unix system. That way you collect using the splunk forwarder and if you ever have multiple indexers it can handle the load balancing. Sending straight syslog to a single indexer keeps you from having that option.

0 Karma

Legend

OK, so have you confirmed (using Wireshark or similar) that data is actually arriving on the port?

0 Karma

New Member

No problem with gpo, so I'm still not sure why 514 is getting no action.

0 Karma

New Member

Thanks. Yes, I set a data input for UDP 514. It shows up in netstat, but the state is blank.

I said earlier that my snare agent host isn't showing up as a source, but I meant it isn't showing up as a host.

I have that port open in the firewall, but I just saw that a gpo may be blocking so I'm getting ready to check that.

0 Karma

Legend

Have you created an UDP input on port 514 on the Splunk indexer? Have you checked that you're actually receiving packets on port UDP/514?

0 Karma