Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Firegen for Snort splunk

gibranduatiga
New Member
‎03-21-2019 04:40 AM

anybody knows how to install & configure Firegen for Snort splunk?
in this case, I have 2 different servers, where Snort is separate from Splunk Server.

scenario

Snort Dedicated server: 192.168.1.89
Splunk Server: 192.168.1.113

in readme.txt file, developers said.. he has a case where Splunk & Snort is on the same server, it's because he used Splunk DB Connect App to get log data from snort DB (MySQL).

So, what I want to ask, can I use a method that is almost the same but different server?

Please.. help me, every help would be appreciated

Splunk Apps: Firegen for Snort
https://splunkbase.splunk.com/app/4118/

alt text

Tags (1)
Preview file
1 KB
0 Karma
Reply

nickhills
Ultra Champion
‎03-21-2019 04:49 AM

Yes, DB Connect does not have to be installed on the same server as the database - in fact it is very much recommended against.

Best practice is to install a dedicated DBX heavy forwarder, which is separate from both the Splunk indexers and your DB servers.

You will need to configure a connection for DBX to connect to the remote server, but this is just the same as any other multi tier application
https://docs.splunk.com/Documentation/DBX/3.1.4/DeployDBX/HowSplunkDBConnectworks

If my comment helps, please give it a thumbs up!
0 Karma
Reply

gibranduatiga
New Member
‎03-21-2019 05:22 AM

so.. you mean, I need 3 servers?

  1. Splunk Server
  2. MySQL Server
  3. DBX Heavy Forwarder

bye the way, to be honest.. poor me, I don't know how to start.. i am stucked. can you teach me step by step?

0 Karma
Reply

nickhills
Ultra Champion
‎03-21-2019 05:29 AM

I assume you already have a MySQL server - perhaps installed on your Snort Server?

'Ideally' you would install DBX on its own dedicated heavy forwarder.
This Forwarder sends its data to the Splunk Indexer.

So yes, that is 3 systems in total, but i assume that the Snort server and Splunk server already exist?

If my comment helps, please give it a thumbs up!
0 Karma
Reply

gibranduatiga
New Member
‎03-21-2019 05:35 AM

Yes, I did it before..
installing MySQL server in my Snort Server is done, and Splunk server is already exist..
so.. now? what i should i do? creating the dedicated heavy forwarder server to install DBX on it? and then.. ?

teach me my master..

0 Karma
Reply
Get Updates on the Splunk Community!

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...