Security Onion/Splunk


Jason Canup

Apr 21, 2014, 9:34:54 AM
to securit...@googlegroups.com
I recently discovered Security Onion and have been trying to get it installed and forwarding data to Splunk, but I am running into issues with the Splunk app.
The issue is the lack of data being forwarded to Splunk. I do get a ton of Bro logs, but I'm pretty sure that's only because I manually added them in the Splunk forwarder by running this command:

/opt/splunkforwarder/bin/splunk add monitor /path/to/app/logs/ -index main -sourcetype %app%

Other than that, nothing is being forwarded.

A little insight into my setup:

SO is the most recent version running as standalone. The Splunk server is a Server 2008 R2 machine and Splunk is running the trial version. Splunk has all required apps to work with SO.

I have installed and configured the Universal forwarder on the SO server as well as installed the app on the SO server from here:

http://apps.splunk.com/app/1095/

And followed the install directions here:

http://eyeis.net/2012/07/announcing-security-onion-for-splunk-serversensor-add-on/

But nothing but the Bro logs are being forwarded. Did I miss something?

Thank you in advance for your time...

Greg Williams

Apr 22, 2014, 12:05:38 PM
to securit...@googlegroups.com
What does this file look like?

/opt/splunkforwarder/etc/apps/securityonion_addon/default/inputs.conf

You should see a lot more bro lines than this, but these are 2 of them as an example:

[monitor:///nsm/bro/logs/current/conn.log]
disabled = 0
followTail = 0
sourcetype = bro_conn

[monitor:///nsm/bro/logs/current/dns.log]
disabled = 0
followTail = 0
sourcetype = bro_dns

Greg Williams

Apr 22, 2014, 12:11:21 PM
to securit...@googlegroups.com
Just more information: this file is what makes or breaks your forwarding of SO data to the Splunk server, so make sure everything in here is correct, since you have already stated that data is being transferred successfully from the forwarder to the Splunk server.

/opt/splunkforwarder/etc/apps/securityonion_addon/default/inputs.conf

Jason Canup

Apr 22, 2014, 2:41:45 PM
to securit...@googlegroups.com

Hi Greg,

Thanks for your response. Here is a snippet of what my inputs.conf looks like:

[monitor:///nsm/bro/logs/current/communication.log]
disabled = 1
followTail = 0
sourcetype = bro_communication

[monitor:///nsm/bro/logs/current/conn.log]
disabled = 0
followTail = 0
sourcetype = bro_conn

[monitor:///nsm/bro/logs/current/dns.log]
disabled = 0
followTail = 0
sourcetype = bro_dns

[monitor:///nsm/bro/logs/current/dpd.log]
disabled = 0
followTail = 0
sourcetype = bro_dpd

[monitor:///nsm/bro/logs/current/ftp.log]
disabled = 0
followTail = 0
sourcetype = bro_ftp

[monitor:///nsm/bro/logs/current/http*.log]
disabled = 0
followTail = 0
sourcetype = bro_http


It all looks correct; however, when I browsed out to /nsm/bro/logs/current to find out if those log files were actually present, they weren't. The only log files in the "current" directory were communication, reporter, stderr and stdout.

Any ideas why those would be missing?

Greg Williams

Apr 22, 2014, 6:05:24 PM
to securit...@googlegroups.com
Did you reconfigure any Bro configs? You should see a whole lot of stuff in there like dns.log, http.log, ftp.log etc. Check "/opt/bro/bin/broctl scripts" and see if it's actually loading the bro scripts correctly. You should see dns, http, ftp, bro configs.

Jason Canup

Apr 23, 2014, 3:09:31 PM
to securit...@googlegroups.com
What I found to be the fix was running broctl install followed by broctl restart. The logs magically appeared when I did that. Not sure if that is something I missed while setting up SO, or if it happened because of another reason.

So, data is flowing to Splunk...for the most part. Bro logs seem complete with the exception of the http.log. I've checked inputs.conf and it was pointing to /nsm/bro/logs/current/http*.log, which certainly should work, but it wasn't pushing any data. So, I renamed it to be the exact name of the http_eth1.log and still no luck...
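The check this thread converges on, whether every enabled [monitor://...] stanza in the add-on's inputs.conf (Greg's post above) actually matches a file on the sensor (what Jason found by hand in /nsm/bro/logs/current), is easy to script. The script below is an added example written for this page; it is not part of the Security Onion for Splunk add-on, of Security Onion or of Splunk. It parses an inputs.conf given on the command line, expands each stanza path with the shell's own `*` globbing, and reports every path as OK, MISSING or SKIP (disabled = 1). With no argument it runs against a constructed fixture under a temporary directory that mirrors the thread: communication.log, conn.log and http_eth1.log exist, dns.log does not, and communication.log is disabled in the config. The fixture, the function names and the output format are assumptions made for the demo. Two things it shows that the posts only state: a stanza can be correct and still ship nothing when the file is absent, which is what the Bro logs looked like before `broctl install`; and a simple `*` wildcard such as `http*.log` does match `http_eth1.log`, so a stanza written that way failing points at the file or the forwarder rather than at the pattern.

```shell
#!/bin/sh
# Added example for this thread (not from the Security Onion for Splunk add-on,
# Security Onion or Splunk): report which [monitor://PATH] stanzas in a universal
# forwarder inputs.conf actually match a file on disk.
# Assumptions: stanzas look like "[monitor:///abs/path]" with an optional
# "disabled = 0|1" key; PATH may hold a shell-style "*" wildcard; paths contain
# no whitespace. Splunk's recursive "..." wildcard is not expanded.

# parse_inputs: inputs.conf on stdin -> one line "<disabled> <path>" per monitor stanza.
parse_inputs() {
    awk '
        function flush() { if (path != "") { d = (dis == "" ? "0" : dis); print d, path } }
        { sub(/[ \t\r]+$/, "") }                           # strip trailing space / CR
        index($0, "[monitor://") == 1 {                    # "[monitor://" is 11 chars
            flush(); path = substr($0, 12, length($0) - 12); dis = ""; next
        }
        index($0, "[") == 1 { flush(); path = ""; next }   # any other stanza type
        path != "" && $0 ~ /^disabled[ \t]*=/ {
            sub(/^disabled[ \t]*=[ \t]*/, ""); dis = $0
        }
        END { flush() }
    '
}

# check_monitors FILE: for each enabled stanza, glob the path and say what matched.
check_monitors() {
    parse_inputs < "$1" | while read -r dis path; do
        if [ "$dis" = "1" ]; then
            printf 'SKIP    %s (disabled)\n' "$path"
            continue
        fi
        found=0
        # Unquoted on purpose: the shell expands "*" within one path segment,
        # which is also how Splunk treats a simple "*" in a monitor path.
        for f in $path; do
            if [ -e "$f" ]; then
                found=1
                printf 'OK      %s\n' "$f"
            fi
        done
        [ "$found" -eq 1 ] || printf 'MISSING %s\n' "$path"
    done
}

# demo: constructed fixture (not a real sensor) mirroring the thread, then the check.
demo() {
    dir=$(mktemp -d)
    for f in communication.log conn.log http_eth1.log reporter.log; do : > "$dir/$f"; done
    cat > "$dir/inputs.conf" <<EOF
[monitor://$dir/communication.log]
disabled = 1
followTail = 0
sourcetype = bro_communication

[monitor://$dir/conn.log]
disabled = 0
followTail = 0
sourcetype = bro_conn

[monitor://$dir/dns.log]
disabled = 0
followTail = 0
sourcetype = bro_dns

[monitor://$dir/http*.log]
disabled = 0
followTail = 0
sourcetype = bro_http
EOF
    check_monitors "$dir/inputs.conf"
    rm -rf "$dir"
}

if [ $# -gt 0 ]; then
    check_monitors "$1"   # e.g. /opt/splunkforwarder/etc/apps/securityonion_addon/default/inputs.conf
else
    demo
fi
```

On the sensor, pass the real file as the argument. Two caveats when reading the result: Splunk layers configuration, so a `local/inputs.conf` in the same app overrides keys in `default/inputs.conf` and must be checked too; and `/opt/splunkforwarder/bin/splunk list inputstatus` gives the forwarder's own view of each monitored path, which is the next thing to compare when a path is OK here but still sends nothing.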
