Getting Data In

Remote snare security logs to splunk

tprnc
New Member

For anyone who has used the snare agent - I've been testing snare agent for windows and snare server, and I've gotten the desired security event logs from the agent (- logins and specific file access) to the server. Then BLAM - the quote came in a lot higher than I expected. So I set up a splunk receiver, but the server running the agent doesn't show up as a source in Splunk Search.

Free agent is udp only, so I've tried ports 514 and 6161, and tried source types of both windows_snare_syslog and plain old syslog. I have those ports open in the firewall on the splunk receiver. I've restarted the snare and splunk services.

I know about the universal forwarder, but I'd really rather use the snare agent because it's already set to output only the info that I need.

What am I missing in my setup? Thanks.

Tags (3)
0 Karma

starcher
SplunkTrust
SplunkTrust

I would also recommend sending syslog to a receiving host like a unix system. That way you collect using the splunk forwarder and if you ever have multiple indexers it can handle the load balancing. Sending straight syslog to a single indexer keeps you from having that option.

0 Karma

Ayn
Legend

OK, so have you confirmed (using Wireshark or similar) that data is actually arriving on the port?

0 Karma

tprnc
New Member

No problem with gpo, so I'm still not sure why 514 is getting no action.

0 Karma

tprnc
New Member

Thanks. Yes, I set a data input for UDP 514. It shows up in netstat, but the state is blank.

I said earlier that my snare agent host isn't showing up as a source, but I meant it isn't showing up as a host.

I have that port open in the firewall, but I just saw that a gpo may be blocking so I'm getting ready to check that.

0 Karma

Ayn
Legend

Have you created an UDP input on port 514 on the Splunk indexer? Have you checked that you're actually receiving packets on port UDP/514?

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...