Getting Data In

Remote snare security logs to splunk

tprnc
New Member

For anyone who has used the snare agent - I've been testing snare agent for windows and snare server, and I've gotten the desired security event logs from the agent (logins and specific file access) to the server. Then BLAM - the quote came in a lot higher than I expected. So I set up a Splunk receiver, but the server running the agent doesn't show up as a source in Splunk Search.

Free agent is UDP only, so I've tried ports 514 and 6161, and tried source types of both windows_snare_syslog and plain old syslog. I have those ports open in the firewall on the Splunk receiver. I've restarted the snare and Splunk services.

I know about the universal forwarder, but I'd really rather use the snare agent because it's already set to output only the info that I need.

What am I missing in my setup? Thanks.


starcher
Influencer

I would also recommend sending syslog to a receiving host like a Unix system. That way you collect using the Splunk forwarder, and if you ever have multiple indexers it can handle the load balancing. Sending straight syslog to a single indexer keeps you from having that option.


Ayn
Legend

OK, so have you confirmed (using Wireshark or similar) that data is actually arriving on the port?


tprnc
New Member

No problem with GPO, so I'm still not sure why 514 is getting no action.


tprnc
New Member

Thanks. Yes, I set a data input for UDP 514. It shows up in netstat, but the state is blank.

I said earlier that my snare agent host isn't showing up as a source, but I meant it isn't showing up as a host.

I have that port open in the firewall, but I just saw that a GPO may be blocking, so I'm getting ready to check that.


Ayn
Legend

Have you created a UDP input on port 514 on the Splunk indexer? Have you checked that you're actually receiving packets on port UDP/514?

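The input Ayn is asking about, written out as an added example (not part of the original thread): an inputs.conf stanza on the indexer that listens on UDP 514, tags events with the windows_snare_syslog sourcetype, and sets how the host field is derived, which is what decides whether the agent machine appears under host in Splunk Search. The sourcetype name and ports come from the question; the stanza itself and its settings are my example, so check them against the inputs.conf reference for your Splunk version.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf (or an app's local/inputs.conf)
# Added example for this thread, not a stanza from the original post.

# Listen for the Snare agent's syslog output on UDP 514. If the agent is set to
# the other port tried in the question, use a matching [udp://6161] stanza.
[udp://514]
sourcetype = windows_snare_syslog

# How Splunk fills the host field for events arriving over UDP:
#   ip   - the sender's IP address (the default)
#   dns  - reverse-resolve the sender's IP to a name
#   none - use a static "host = ..." value set in this stanza
# With the default, a Windows agent shows up as an IP address, not as the
# machine name, which is easy to miss when scanning the host list.
connection_host = dns

# Keep the syslog header the agent sent rather than having the indexer
# prepend its own timestamp and host to every event.
no_appending_timestamp = true

disabled = 0
```

On Linux, binding a port below 1024 needs splunkd to run as root or to have the bind capability, so a stanza that looks right can still fail to listen; after a restart confirm the socket with netstat -anu, where the blank State column noted in the question is normal because UDP sockets have no connection state.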