For anyone who has used the snare agent - I've been testing snare agent for windows and snare server, and I've gotten the desired security event logs from the agent (- logins and specific file access) to the server. Then BLAM - the quote came in a lot higher than I expected. So I set up a splunk receiver, but the server running the agent doesn't show up as a source in Splunk Search.
Free agent is udp only, so I've tried ports 514 and 6161, and tried source types of both windows_snare_syslog and plain old syslog. I have those ports open in the firewall on the splunk receiver. I've restarted the snare and splunk services.
I know about the universal forwarder, but I'd really rather use the snare agent because it's already set to output only the info that I need.
What am I missing in my setup? Thanks.
... View more