Possible to use Splunk DB Connect to query the mySQL Database on Onion Sensors?


Chris Henson

Jun 19, 2015, 12:23:13 PM
to securit...@googlegroups.com
Doug / Team,

Hi. I hope you all are doing very well. With the disclaimer that ELSA does what I am looking to do already, and that may be your answer to my question:

Is it possible to use Splunk DB Connect to query the mySQL Database on Onion Sensors?

http://docs.splunk.com/Documentation/DBX/latest/DeployDBX/AboutSplunkDBConnect

We want to use Splunk to integrate Security Data into other data sets that are already in our Enterprise Splunk to create dashboards.

I am happy to blaze a trail and test this myself if you can point me in the direction of documentation for accessing the DBs directly on Security Onion.

with gratitude,

Chris

Doug Burks

Jun 19, 2015, 1:58:49 PM
to securit...@googlegroups.com
Hi Chris,

MySQL doesn't listen on the network by default. So depending on how Splunk DB Connect works, you may have a few different options:

- build an SSH tunnel from the Splunk box to each sensor and forward the MySQL port across the tunnel
OR
- reconfigure each sensor so that MySQL listens on the network, open the port in the host-based firewall and allow connections only from the Splunk host

Another slightly different option might be to query the ELSA API on the master server, either via https://your.master.server:3154 or via a scripted SSH session running /opt/elsa/contrib/securityonion/contrib/cli.sh.

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Greg Williams

Jun 19, 2015, 5:26:26 PM
to securit...@googlegroups.com
We are using the Splunk Forwarder with the Security Onion app. It provides everything we need, but I hadn't thought about DB Connect before.

Chris White

Jun 20, 2015, 10:18:42 AM
to securit...@googlegroups.com
I think it would help to know what you're after out of the DB. There are usually log options for what you're after that will be cleaner than opening up MySQL to DBConnect.

Personally, I syslog-ng out the sguild log off of the master and the Bro logs off the sensors to a central syslog server. From there it goes to Splunk via a heavy forwarder. One advantage of the log route is near-realtime streaming of events. Using DB Connect you have to decide on a polling frequency and a rising column to effectively tail the DB.

As for Sguil state/health information, I would suggest either the universal forwarder or ssh via pub/priv keys to do a scripted input.

If you have more details about what you're after I might have more information for you.

Chris White

John R

Jun 22, 2015, 11:03:25 AM
to securit...@googlegroups.com
We want to use lookup tables (essentially a blacklist) to query all of the IPs or domain names seen in the Onions. Using Splunk DB Connect we can just query the SecOnion directly and we wouldn't need to import anything into Splunk. We are trying to centralize all of the logs in one location so it's much easier and faster for the analysts to crank out searches. Analysts are unable to import a large number of IPs or domains into the SecOnion environment to conduct retrospective searches.

Ronny Vaningh

Jun 23, 2015, 2:36:42 AM
to security-onion

Another option would be to use the Bro intel framework in order to generate notices against your blacklist.
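As an added illustration of the intel-framework route suggested above for John R's IP/domain blacklist (example code written for this thread, not part of Security Onion or Bro), the script below converts a plain one-indicator-per-line list into the tab-separated input file the Bro intel framework reads. The sample blacklist, the source name "analyst-blacklist" and the description text are constructed placeholders.

```python
import ipaddress

# Constructed sample blacklist (not from the thread): one indicator per line,
# '#' comments and blank lines ignored, IPs and domain names mixed.
SAMPLE_BLACKLIST = """\
# constructed example blacklist
192.0.2.10
198.51.100.77
bad-domain.example
www.bad-domain.example

2001:db8::1
"""

# Intel framework input file: tab-separated, header line starting with "#fields".
# indicator, indicator_type and meta.source are required; meta.desc is optional.
FIELDS = ["indicator", "indicator_type", "meta.source", "meta.desc"]


def classify(indicator):
    """Return the Intel:: type for an indicator, or None if it is neither an IP nor a domain."""
    try:
        ipaddress.ip_address(indicator)
        return "Intel::ADDR"
    except ValueError:
        pass
    # Minimal domain check: two or more dotted labels of letters, digits and hyphens.
    labels = indicator.split(".")
    if len(labels) >= 2 and all(l and all(c.isalnum() or c == "-" for c in l) for l in labels):
        return "Intel::DOMAIN"
    return None


def parse_blacklist(text):
    """Yield (indicator, type) pairs, skipping comments, blanks, duplicates and unrecognised entries."""
    seen = set()
    for line in text.splitlines():
        item = line.strip().lower()
        if not item or item.startswith("#") or item in seen:
            continue
        kind = classify(item)
        if kind:
            seen.add(item)
            yield item, kind


def to_intel_file(text, source="analyst-blacklist", desc="retrospective search list"):
    """Render the blacklist in the intel framework's tab-separated format (tabs, not spaces)."""
    lines = ["#fields\t" + "\t".join(FIELDS)]
    for indicator, kind in parse_blacklist(text):
        lines.append("\t".join([indicator, kind, source, desc]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_intel_file(SAMPLE_BLACKLIST), end="")
```

The resulting file is pointed to by `Intel::read_files`, and with `policy/frameworks/intel/seen` loaded every connection or DNS lookup that matches an entry is written to intel.log, so retrospective hits show up without any change to the sensor's MySQL exposure.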
