All Apps and Add-ons

getting security onion data into splunk

nwieseler
Path Finder

I have a couple of basic questions:

  1. Is Splunk be a replacement for the built-in ELSA tool for examining SO data?
  2. What is the best method to get the data into Splunk from a SO standalone instance?

Thanks!

Nick

1 Solution

Drainy
Champion

Have you had a look at; http://apps.splunk.com/app/972/ ?

If you read the docs it appears to cover everything you'd need to get the data and analyze it, although I've not had first hand experience using it.

EDIT: This might also help! http://eyeis.net/2012/04/splunking-the-onion/

View solution in original post

Drainy
Champion

Have you had a look at; http://apps.splunk.com/app/972/ ?

If you read the docs it appears to cover everything you'd need to get the data and analyze it, although I've not had first hand experience using it.

EDIT: This might also help! http://eyeis.net/2012/04/splunking-the-onion/

piebob
Splunk Employee
Splunk Employee

nwieseler, if Drainy answered your question, could you please check the checkmark to accept his answer? thanks 🙂

0 Karma

nwieseler
Path Finder

Yeah that's where I snipped the text in bold above. I had read that before albeit not as carefully as I should have.

I was more concerned on how to get the data to my indexer after the app was installed - didn't even think about a forwarder when I asked the question (my bad) since this is our first Linux box that will forward data (we're a Windows shop) 😉 The answer I think using the forwarder with syslog the other option as you suggest.

Thanks!

Nick

Drainy
Champion

Did you click on the Documentation tab? it has details on how to install and configure the app.
To get your data you could configure syslog to output to a listening port on Splunk and just define a tcp input, but yeah the better and more secure/reliable way would be to just install a forwarder and let it handle everything 🙂 There is a contact link on the app so if you do get stuck it might be worth firing a message off.

0 Karma

nwieseler
Path Finder

I think part of it is I'm still learning Security Onion so the Bro piece didn't stand out but more importantly is this is the first Linux machine I'll be forwarding data from [to Windows based Splunk instances] so it wasn't immediately apparent I should just be using the Linux universal forwarder like I would use on any other Windows box (which I think is the answer to my question).

I had also read the link you posted but it seems to be more of an overview of the app then a configuration guide.

Thanks,

Nick

0 Karma

nwieseler
Path Finder

Yeah I read the notes a couple times but I seemed to have totally blew past the this part:

"Log file data inputs are file specific (as opposed to monitoring the entire /nsm/bro/logs/current/ directory) primarily for granular control over what gets splunked."

Nick

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...