Installation

Firegen for Snort splunk

gibranduatiga
New Member

Does anybody know how to install & configure Firegen for Snort on Splunk?
In this case, I have 2 different servers, where Snort is separate from the Splunk server.

scenario

Snort Dedicated server: 192.168.1.89
Splunk Server: 192.168.1.113

In the readme.txt file, the developer said he had a case where Splunk & Snort are on the same server, because he used the Splunk DB Connect app to get log data from the Snort DB (MySQL).

So, what I want to ask is: can I use a method that is almost the same, but with different servers?

Please help me; any help would be appreciated.


Splunk Apps: Firegen for Snort
https://splunkbase.splunk.com/app/4118/


nickhills
Ultra Champion

Yes, DB Connect does not have to be installed on the same server as the database; in fact, that is very much recommended against.

Best practice is to install a dedicated DBX heavy forwarder, which is separate from both the Splunk indexers and your DB servers.

You will need to configure a connection for DBX to connect to the remote server, but this is just the same as any other multi-tier application:
https://docs.splunk.com/Documentation/DBX/3.1.4/DeployDBX/HowSplunkDBConnectworks

If my comment helps, please give it a thumbs up!
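An added example, not from this thread or the Firegen app: the least-privilege MySQL account a DB Connect heavy forwarder would use to read the Snort database over the network, plus the shape of a rising-column query against it. Assumptions: the Snort database is named `snort` (the default name used by Snort/Barnyard2 database output), its tables `event`, `signature` and `iphdr` follow that schema, the heavy forwarder's address is written as the placeholder `192.168.1.XXX` (the thread does not give it), and the account name `splunk_dbx` is my choice.

```sql
-- Added example (not from the thread). Run on the MySQL server that Snort logs to
-- (192.168.1.89 in this thread). Assumptions: database is named `snort`;
-- 192.168.1.XXX is a placeholder for the DBX heavy forwarder's address.

-- 1. A dedicated account that may only connect from the heavy forwarder's host,
--    so a leaked credential is useless from anywhere else on the network.
CREATE USER 'splunk_dbx'@'192.168.1.XXX' IDENTIFIED BY 'CHANGE-ME-long-random-password';

-- 2. SELECT only: a DB Connect input reads the Snort tables and never needs to
--    insert, update, or alter anything in that schema.
GRANT SELECT ON snort.* TO 'splunk_dbx'@'192.168.1.XXX';
FLUSH PRIVILEGES;

-- 3. Confirm the account has exactly those rights before storing it as a
--    DB Connect identity.
SHOW GRANTS FOR 'splunk_dbx'@'192.168.1.XXX';

-- 4. The kind of query a DB Connect "rising column" input runs against the
--    Snort/Barnyard2 schema. The `?` is the checkpoint placeholder DB Connect
--    fills in with the last value of the rising column it has already indexed,
--    so each run only pulls new alerts. (Assumes a single sensor, so `cid`
--    alone is monotonically increasing.)
SELECT e.sid,
       e.cid,
       e.timestamp,
       s.sig_name,
       s.sig_priority,
       INET_NTOA(i.ip_src) AS src_ip,
       INET_NTOA(i.ip_dst) AS dst_ip
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN iphdr     i ON i.sid = e.sid AND i.cid = e.cid
WHERE e.cid > ?
ORDER BY e.cid ASC;
```

Two things to check alongside this on the database host: MySQL must be listening on a non-loopback address (its `bind-address` setting) for the heavy forwarder to reach it at all, and the host firewall should only allow TCP 3306 from the heavy forwarder's address, so the remote path nickhills describes is opened to exactly one machine. The Splunk indexer itself never needs a route to the database.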

gibranduatiga
New Member

So, you mean I need 3 servers?

  1. Splunk Server
  2. MySQL Server
  3. DBX Heavy Forwarder

By the way, to be honest, poor me, I don't know how to start. I am stuck. Can you teach me step by step?

nickhills
Ultra Champion

I assume you already have a MySQL server, perhaps installed on your Snort server?

"Ideally" you would install DBX on its own dedicated heavy forwarder.
This forwarder sends its data to the Splunk indexer.

So yes, that is 3 systems in total, but I assume that the Snort server and Splunk server already exist?

If my comment helps, please give it a thumbs up!

gibranduatiga
New Member

Yes, I did that before.
Installing the MySQL server on my Snort server is done, and the Splunk server already exists.
So, now what should I do? Create the dedicated heavy forwarder server and install DBX on it? And then...?

Teach me, my master...