Monitoring Splunk

what should be the best practice to collect data from below sources . any recommendation ?

aab5272
Engager

what should be the best practice to collect data from below sources . any recommendation ?

Domain Controller (Active Directory)
ePO Virus Scan
ePO DLP
FireEye EX
FireEye NX
Check Point Firewall
Check Point Block Country
CheckPoint IPS
HyperVisor
Intrushield
LDAP
DB MSSQL
DB ORACLE
Bluecoat Proxy
Cisco ASA VPN
WAF AKAMAI
Wireless
Autorun

Tags (1)
0 Karma
1 Solution

adonio
Ultra Champion

hello there,
first and foremost, read this articles in docs regarding all the ways to bring data to splunk.
http://docs.splunk.com/Documentation/Splunk/6.6.1/Data/WhatSplunkcanmonitor
then you can look for the best way based on details in the pre-built applications or docs.
there are pre-built apps for most, if not to all data sources you mention here.
all you will need is to use your favorite search engine and write splunk for ...my data source...
also you can go to splunkbase https://splunkbase.splunk.com/ and start looking at the apps and read
with that being said, here is what i got from top of my head and. remember that there are more then one way (most of the times) and also that for some of the data sources you mentioned, DB MSSQL for example, there s the data in the DB and the data the DB generates about itself, like error log or performance etc... which is it that you want? maybe both?
also, consider syslog sever as an aggregation server or direct to splunk indexers via port or through heavy forwarder.
will lean toward syslog in most cases
Domain Controller (Active Directory) - universal forwarder addon of microsoft ad - https://splunkbase.splunk.com/app/3207/
ePO Virus Scan - https://splunkbase.splunk.com/app/3362/
ePO DLP
FireEye EX - https://splunkbase.splunk.com/app/1904/#/details there are many, start with this one and read more
FireEye NX - https://splunkbase.splunk.com/app/1904/#/details
Check Point Firewall - https://splunkbase.splunk.com/apps/#/search/checkpoint/ look here
Check Point Block Country - start with link above
CheckPoint IPS - link above
HyperVisor - MS? https://splunkbase.splunk.com/app/1253/#/overview
Intrushield - splunk add-on for McAfee?
LDAP - https://splunkbase.splunk.com/app/1852/#/details
DB MSSQL - DB Connect for data in DB or related add-on for data about the application itself
DB ORACLE - as above
Bluecoat Proxy - https://splunkbase.splunk.com/apps/#/search/blue/ pick which one, you will probably need the TA regardless
Cisco ASA VPN - https://splunkbase.splunk.com/app/1620/
WAF AKAMAI - https://splunkbase.splunk.com/apps/#/search/akamai/
Wireless
Autorun
As it seems there are many network inputs, consider a syslog server
hope it helps

View solution in original post

0 Karma

aab5272
Engager

Thanks for the quick response
I read the documentation for Microsoft active directory add-on .

I have a concern regarding configuration of Microsoft active directory add-on with UF. In the current environment the servers of DC are Windows server 2008R2 which requires additional add-on for microsoft powershell. Let say if I install UF on the host machine and install these both add -on on each DC , will this provide knowledge objects which can be used by Enterprise security or these add-on are just good enough for Microsoft Exchange or Splunk App for Windows Infrastructure deployment.

Also we are conducting a POC so we don't have any deployment servers to deploy the apps through deployment server.
In such scenario do we have to install the both add-on manually on each server ?

0 Karma

adonio
Ultra Champion

there are specific instructions on how to install.
read here all the way:
http://docs.splunk.com/Documentation/MSApp/1.4.1/MSInfra/ConfigureActiveDirectoryauditpolicy
data will be good for MS Exchange mS Infra and yes also for ES.
you can look at the add-ons details and verify they are CIM compliant
if you dont have deployment server, either install manually or via simple script.
since its a POC, why don't you start with just 1 or 2 severs?
lastly, you replied in a new answer, if the answer above satisfies the question, kindly mark it as answered.
hope it helps

0 Karma

adonio
Ultra Champion

hello there,
first and foremost, read this articles in docs regarding all the ways to bring data to splunk.
http://docs.splunk.com/Documentation/Splunk/6.6.1/Data/WhatSplunkcanmonitor
then you can look for the best way based on details in the pre-built applications or docs.
there are pre-built apps for most, if not to all data sources you mention here.
all you will need is to use your favorite search engine and write splunk for ...my data source...
also you can go to splunkbase https://splunkbase.splunk.com/ and start looking at the apps and read
with that being said, here is what i got from top of my head and. remember that there are more then one way (most of the times) and also that for some of the data sources you mentioned, DB MSSQL for example, there s the data in the DB and the data the DB generates about itself, like error log or performance etc... which is it that you want? maybe both?
also, consider syslog sever as an aggregation server or direct to splunk indexers via port or through heavy forwarder.
will lean toward syslog in most cases
Domain Controller (Active Directory) - universal forwarder addon of microsoft ad - https://splunkbase.splunk.com/app/3207/
ePO Virus Scan - https://splunkbase.splunk.com/app/3362/
ePO DLP
FireEye EX - https://splunkbase.splunk.com/app/1904/#/details there are many, start with this one and read more
FireEye NX - https://splunkbase.splunk.com/app/1904/#/details
Check Point Firewall - https://splunkbase.splunk.com/apps/#/search/checkpoint/ look here
Check Point Block Country - start with link above
CheckPoint IPS - link above
HyperVisor - MS? https://splunkbase.splunk.com/app/1253/#/overview
Intrushield - splunk add-on for McAfee?
LDAP - https://splunkbase.splunk.com/app/1852/#/details
DB MSSQL - DB Connect for data in DB or related add-on for data about the application itself
DB ORACLE - as above
Bluecoat Proxy - https://splunkbase.splunk.com/apps/#/search/blue/ pick which one, you will probably need the TA regardless
Cisco ASA VPN - https://splunkbase.splunk.com/app/1620/
WAF AKAMAI - https://splunkbase.splunk.com/apps/#/search/akamai/
Wireless
Autorun
As it seems there are many network inputs, consider a syslog server
hope it helps

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...