Installation

Firegen for Snort splunk

gibranduatiga
New Member

Does anybody know how to install and configure Firegen for Snort for Splunk?
In this case, I have 2 different servers, where Snort is separate from the Splunk server.

Scenario:

Snort Dedicated server: 192.168.1.89
Splunk Server: 192.168.1.113

In the readme.txt file, the developer said he had a case where Splunk and Snort were on the same server, because he used the Splunk DB Connect app to get log data from the Snort DB (MySQL).

So, what I want to ask is: can I use almost the same method, but with different servers?

Please help me; any help would be appreciated.


Splunk Apps: Firegen for Snort
https://splunkbase.splunk.com/app/4118/


nickhills
Ultra Champion

Yes, DB Connect does not have to be installed on the same server as the database - in fact it is very much recommended against.

Best practice is to install a dedicated DBX heavy forwarder, which is separate from both the Splunk indexers and your DB servers.

You will need to configure a connection for DBX to connect to the remote server, but this is just the same as any other multi-tier application:
https://docs.splunk.com/Documentation/DBX/3.1.4/DeployDBX/HowSplunkDBConnectworks

If my comment helps, please give it a thumbs up!

gibranduatiga
New Member

So, you mean I need 3 servers?

  1. Splunk Server
  2. MySQL Server
  3. DBX Heavy Forwarder

By the way, to be honest, poor me, I don't know how to start. I am stuck. Can you teach me step by step?

nickhills
Ultra Champion

I assume you already have a MySQL server - perhaps installed on your Snort Server?

'Ideally' you would install DBX on its own dedicated heavy forwarder.
This Forwarder sends its data to the Splunk Indexer.

So yes, that is 3 systems in total, but I assume that the Snort server and Splunk server already exist?

If my comment helps, please give it a thumbs up!
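The three-box layout described in this answer (MySQL on the Snort host, a dedicated DB Connect heavy forwarder, a separate indexer), as an added shell example that is not part of the thread, the Firegen app, or Splunk's documentation. It renders the four configuration pieces the layout needs into a directory for review before anything is copied under $SPLUNK_HOME/etc on the forwarder: a host-restricted, read-only MySQL grant on the Snort box; the DBX connection; a rising-column DBX input over Snort's standard MySQL tables (event, signature, iphdr); and the forwarder's outputs.conf pointing at the indexer. The forwarder address 192.168.1.120, the MySQL account dbx_reader, the stanza names, the index and the sourcetype are assumptions; the .conf keys follow DB Connect 3.x and should be checked against the version actually installed. The thread does not say which sourcetype Firegen's searches expect, so that value may need to be changed to match the app.

```shell
#!/bin/sh
# Added example, not from the thread, the Firegen app or Splunk's docs.
# Renders the configuration for the three-box layout nickhills describes:
#   192.168.1.89   Snort sensor + MySQL (from the thread)
#   192.168.1.113  Splunk indexer (from the thread)
#   192.168.1.120  dedicated DB Connect heavy forwarder (assumed address)
# Files are written under <out_dir> for review; copy them under
# $SPLUNK_HOME/etc on the forwarder afterwards. Stanza names (snort_mysql,
# snort_events), the MySQL account dbx_reader, the index and the sourcetype
# are assumptions; the .conf keys follow DB Connect 3.x, so verify them
# against the installed version's db_connections.conf / db_inputs.conf spec.

# Usage: write_dbx_config <out_dir> <mysql_host> <indexer_host> <forwarder_ip>
write_dbx_config() {
  out="$1"; db_host="$2"; idx_host="$3"; fwd_ip="$4"
  mkdir -p "$out/splunk_app_db_connect/local" "$out/system/local"

  # 1. MySQL on the Snort box: a read-only account that may log in only from
  #    the forwarder's address. DBX never needs INSERT/UPDATE on Snort's tables.
  cat > "$out/snort_mysql_grant.sql" <<EOF
-- Run on $db_host as the MySQL root user. Also set bind-address in my.cnf so
-- MySQL listens on the LAN interface, and firewall 3306/tcp to $fwd_ip only.
CREATE USER 'dbx_reader'@'$fwd_ip' IDENTIFIED BY 'CHANGE_ME';
GRANT SELECT ON snort.* TO 'dbx_reader'@'$fwd_ip';
FLUSH PRIVILEGES;
EOF

  # 2. DBX connection on the heavy forwarder. The password is not stored here:
  #    create the identity "dbx_reader" in the DBX UI so it lands encrypted in
  #    identities.conf. MySQL Connector/J must be placed in the app's drivers/
  #    directory before the connection will validate.
  cat > "$out/splunk_app_db_connect/local/db_connections.conf" <<EOF
[snort_mysql]
connection_type = mysql
host = $db_host
port = 3306
database = snort
identity = dbx_reader
readonly = true
jdbcUseSSL = false
disabled = 0
EOF

  # 3. Rising-column input. cid is Snort's per-sensor event counter, so the
  #    query pins sid = 1 (a single sensor is assumed); "?" is DBX's checkpoint
  #    placeholder and must be compared against the rising column. ip_src and
  #    ip_dst are stored as unsigned integers, hence INET_NTOA().
  cat > "$out/splunk_app_db_connect/local/db_inputs.conf" <<EOF
[snort_events]
connection = snort_mysql
mode = rising
tail_rising_column_name = cid
tail_rising_column_number = 1
input_timestamp_column_name = timestamp
input_timestamp_column_number = 2
interval = 60
max_rows = 0
fetch_size = 1000
index = snort
sourcetype = snort:db
query = SELECT e.cid, e.timestamp, s.sig_name, s.sig_sid, INET_NTOA(i.ip_src) AS src_ip, INET_NTOA(i.ip_dst) AS dst_ip, i.ip_proto FROM event e JOIN signature s ON s.sig_id = e.signature JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid WHERE e.sid = 1 AND e.cid > ? ORDER BY e.cid ASC
disabled = 0
EOF

  # 4. The forwarder keeps nothing locally; everything goes to the indexer,
  #    which needs [splunktcp://9997] enabled and an index named "snort".
  cat > "$out/system/local/outputs.conf" <<EOF
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = $idx_host:9997
EOF
}

# Stand-alone usage: sh thisfile.sh render ./dbx_config
if [ "${1:-}" = "render" ]; then
  write_dbx_config "${2:-./dbx_config}" 192.168.1.89 192.168.1.113 192.168.1.120
fi
```

The forwarder needs a Java runtime for DB Connect and the MySQL JDBC driver dropped into the app before the connection can be validated in the UI; the identity (username plus password) is created there rather than in a file so the password is stored encrypted. The grant is deliberately scoped to one source address and to SELECT only, which is the part of the setup a single-server install tends to skip.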

gibranduatiga
New Member

Yes, I did it before.
Installing the MySQL server on my Snort server is done, and the Splunk server already exists.
So, now what should I do? Create the dedicated heavy forwarder server to install DBX on it? And then...?

Teach me, my master.