Does anybody know how to install & configure Firegen for Snort on Splunk?
In this case, I have 2 different servers, where Snort is separate from the Splunk server.
Snort Dedicated server: 192.168.1.89
Splunk Server: 192.168.1.113
In the readme.txt file, the developer said he has a case where Splunk & Snort are on the same server, because he used the Splunk DB Connect app to get log data from the Snort DB (MySQL).
So, what I want to ask: can I use a method that is almost the same, but with different servers?
Please help me; every bit of help would be appreciated.
Yes, DB Connect does not have to be installed on the same server as the database - in fact it is very much recommended against.
Best practice is to install a dedicated DBX heavy forwarder, which is separate from both the Splunk indexers and your DB servers.
You will need to configure a connection for DBX to connect to the remote server, but this is just the same as any other multi-tier application.
So, you mean I need 3 servers?
By the way, to be honest, poor me, I don't know how to start; I am stuck. Can you teach me step by step?
I assume you already have a MySQL server - perhaps installed on your Snort Server?
'Ideally' you would install DBX on its own dedicated heavy forwarder.
This Forwarder sends its data to the Splunk Indexer.
So yes, that is 3 systems in total, but I assume that the Snort server and Splunk server already exist?
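The two answers above describe DB Connect on a heavy forwarder reading the Snort MySQL database over the network. The piece a defender wants to get right on the database side is the account DBX logs in with: it should be read-only and allowed only from the forwarder's address. The statements below are an added example for this thread, not something posted by the participants or shipped with DB Connect; they assume the Snort schema is named `snort`, that the heavy forwarder sits at 192.168.1.120 (a constructed placeholder), and that you replace the password placeholder.

```sql
-- Added example, not from the thread. Run on the MySQL server that lives on the
-- Snort box (192.168.1.89 in the question).
-- Assumptions: schema `snort` (adjust to yours), heavy forwarder at 192.168.1.120
-- (constructed placeholder), password placeholder to be replaced.

-- A dedicated account that only the DBX heavy forwarder host may use.
CREATE USER 'splunk_dbx'@'192.168.1.120' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';

-- DB Connect inputs only read event rows; SELECT on the Snort schema is enough.
GRANT SELECT ON snort.* TO 'splunk_dbx'@'192.168.1.120';
FLUSH PRIVILEGES;

-- Check: the grant is scoped to one host and one schema, nothing global.
SHOW GRANTS FOR 'splunk_dbx'@'192.168.1.120';

-- Check from the forwarder's own mysql client once it can connect: the standard
-- Snort/Barnyard2 schema keeps alerts in `event`, so a row count proves the
-- account sees data (the sid/cid columns there are what a DBX input keys on).
SELECT COUNT(*) FROM snort.event;
```

Two things to verify before blaming DBX if the connection fails: MySQL must listen on the Snort server's LAN address rather than only on 127.0.0.1 (the `bind-address` setting in the server config, which many distributions default to loopback), and TCP 3306 must be reachable from the forwarder and nowhere else you do not intend.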
Yes, I did it before.
Installing the MySQL server on my Snort server is done, and the Splunk server already exists.
So, now what should I do? Create the dedicated heavy forwarder server to install DBX on it? And then?
Teach me, my master.