Splunk Enterprise Security

How to integrate ModSecurity events to Splunk Enterprise Security?

Communicator

Hi,

I need to make events I am receiving from a Modsecurity available and formatted for Splunk Enterprise Security. I have a distributed environment.

I know that I have to turn them into CIM, add tags, eventtype, extract fields, and create aliases.

  1. Is it mandatory to create a custom add-on for achieving the goal? If not, which files.conf do I have o change (inside which path)?
  2. Is there any tutorial/example on how to integrate a non natively supported device into Enterprise Security?
  3. The changes (tags, eventtype, extract fields and create aliases) have to be done on the Indexer, Search Head, or both?
  4. Am I missing something else?

Thank you very much.
Regrads.

0 Karma

SplunkTrust
SplunkTrust
  1. It's customary to create a TA for your case. Not technically mandatory, but really - do create a TA. Files to create include props.conf, transforms.conf, eventtypes.conf, tags.conf, possibly lookups, maybe more.
  2. There are some examples in the CIM docs at http://docs.splunk.com/Documentation/CIM/4.4.0/User/UsetheCIMtonormalizeOSSECdata and I believe there have been .conf talks as well, here's one: http://conf.splunk.com/session/2015/recordings/2015-splunk-186.mp4
  3. CIM configurations typically are search-time, those need to be on the search head. Nothing terrible happens if you have them on the indexer as well though.
  4. There is an older app for ModSecurity on splunkbase, but it might not be CIM-compatible: https://splunkbase.splunk.com/app/880/
0 Karma

SplunkTrust
SplunkTrust

If you follow the naming convention TA-foo, ES will automatically load your TA.

Differently named TAs can be imported too, but there really is no need to deviate from the convention. http://docs.splunk.com/Documentation/ES/4.1.0/Install/InstallTechnologyAdd-ons#The_Update_ES_modular...

0 Karma

Communicator

Thanks Martin,

I've created a new directory in $SPLUNKHOME/etc/apps/TA-ltmodsec
I've created a directory $SPLUNK
HOME/etc/apps/TA-ltmodsec/default
and I created a trasforms.conf and a props.conf inside the default folder.

props.conf

[source::udp:10514]
TRANSFORMS-001_rewrite_modsecurity_sourcetype = set_sourcetype_modsecurity
[modsecurity]
EXTRACT-modsec-client = \[client\s(?P[^\]]+)\]
EXTRACT-accion = ^(?:[^\.\n]*\.){6}\d+\] ModSecurity:\s+(?P[^\[]+)\s+\[
EXTRACT-modsec_id = \[id \"(?P[^\"]+)"\]

transforms.conf

[set_sourcetype_modsecurity]
SOURCE_KEY = MetaData:Host
REGEX = (52\.86\.132\.70)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::modsecurity

That didn't work.
When I move those files to $SPLUNK_HOME/etc/apps/search/local/ it works correctly.
Am I missing something in the addon I've created.

Thank you very much.
Regards.

0 Karma

SplunkTrust
SplunkTrust

There isn't much to miss. Create directory, create .conf file, restart Splunk, done.

0 Karma

Communicator

Hi, Thanks for your reply.

So, after creating a custom TA, does Enterprise Security load it automatically, or I should do something for ES to load the TA?

Are there specifiations when creating the TA such as TA's name and configuration?

Thanks again.

0 Karma

Path Finder

Hi noybin - this might help:

http://docs.splunk.com/Documentation/ES/3.3.3/CreateTA/GenericExample

You don't need to create a TA specifically, you can modify the local props & transforms if you want. And you only need to make changes on the search head.

I usually just put any modifications into the local search app or local ES app. The full path would be something like:

/opt/splunk/etc/apps/search/local
props.conf/tags.conf/transforms.conf /etc.

0 Karma