Does anybody know how to install & configure Firegen for Snort Splunk?
In this case, I have 2 different servers, where Snort is separate from the Splunk server.
Scenario:
Snort dedicated server: 192.168.1.89
Splunk server: 192.168.1.113
In the readme.txt file, the developer said he has a case where Splunk & Snort are on the same server, because he used the Splunk DB Connect app to get log data from the Snort DB (MySQL).
So what I want to ask is: can I use a method that is almost the same, but with different servers?
Please help me; every bit of help would be appreciated.
https://splunkbase.splunk.com/app/4118/
Yes, DB Connect does not have to be installed on the same server as the database; in fact, it is very much recommended against.
Best practice is to install a dedicated DBX heavy forwarder, which is separate from both the Splunk indexers and your DB servers.
You will need to configure a connection for DBX to connect to the remote server, but this is just the same as any other multi-tier application.
https://docs.splunk.com/Documentation/DBX/3.1.4/DeployDBX/HowSplunkDBConnectworks
So you mean I need 3 servers?
By the way, to be honest, poor me, I don't know how to start. I am stuck. Can you teach me step by step?
I assume you already have a MySQL server - perhaps installed on your Snort Server?
'Ideally' you would install DBX on its own dedicated heavy forwarder.
This Forwarder sends its data to the Splunk Indexer.
So yes, that is 3 systems in total, but I assume that the Snort server and Splunk server already exist?
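The two answers above describe the layout (MySQL on the Snort server at 192.168.1.89, a separate DBX heavy forwarder, indexer at 192.168.1.113) but not what has to exist on the database side for the remote DBX connection to work safely. The following is an added example, not part of the thread or of the Firegen app; it assumes the standard Barnyard2/Snort MySQL schema (database `snort`, tables `event`, `signature`, `iphdr`) and a hypothetical heavy forwarder address of 192.168.1.120. The account is read-only and restricted to that one source host, so a compromised forwarder cannot alter IDS evidence, and the input query uses a rising column so DBX only fetches events it has not already indexed.

```sql
-- Added example, not from the thread. Run on the MySQL server on the Snort
-- box (192.168.1.89) as an administrative user. Assumptions: Barnyard2 schema
-- in database `snort`; the DBX heavy forwarder connects from 192.168.1.120
-- (hypothetical). MySQL must also be listening on the LAN interface
-- (bind-address = 192.168.1.89 in my.cnf) and TCP/3306 allowed from the HF only.

-- 1. Least privilege: SELECT-only account, valid only from the HF address.
CREATE USER 'splunk_ro'@'192.168.1.120' IDENTIFIED BY 'replace-with-a-long-random-secret';
GRANT SELECT ON snort.* TO 'splunk_ro'@'192.168.1.120';
FLUSH PRIVILEGES;

-- 2. Confirm no write or admin privileges leaked into the grant.
SHOW GRANTS FOR 'splunk_ro'@'192.168.1.120';

-- 3. Quick connectivity/sanity check to run from the HF with
--    mysql -h 192.168.1.89 -u splunk_ro -p snort
SELECT COUNT(*) AS total_events, MAX(timestamp) AS newest FROM event;

-- 4. Query to paste into the DBX input in rising-column mode. DBX substitutes
--    its checkpoint for the `?` placeholder, so each poll returns only rows
--    newer than the last one indexed; the ORDER BY is required for that to hold.
--    Rising column: timestamp (cid is only monotonic per sensor, so it is a poor
--    choice once a second sensor reports into the same database).
SELECT e.sid,
       e.cid,
       e.timestamp,
       s.sig_name,
       s.sig_priority,
       INET_NTOA(ip.ip_src) AS src_ip,
       INET_NTOA(ip.ip_dst) AS dst_ip
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN iphdr     ip ON ip.sid = e.sid AND ip.cid = e.cid
WHERE e.timestamp > ?
ORDER BY e.timestamp ASC;
```

Because this connection now crosses the network, the credentials and the event data travel between the heavy forwarder and 192.168.1.89 on every poll; enable TLS on the JDBC connection (or keep both hosts on a management VLAN) and store the password only in the DBX identity, never in the query or in a forwarder script.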
Yes, I did it before.
Installing the MySQL server on my Snort server is done, and the Splunk server already exists.
So, now what should I do? Create the dedicated heavy forwarder server to install DBX on it? And then...?
Teach me, my master.