Re: [security-onion] Re: How to send logs to splunk


Mark K. Ayler Jr.

Apr 4, 2013, 5:30:24 PM
to securit...@googlegroups.com
Finally I can help someone here! I'm doing this now...

Download the universal forwarder from Splunk. Make sure you get the appropriate one! Install it on your Security Onion box. It will install to /opt/splunkforwarder/

In your snort.conf file, make sure you have:

output alert_full: alert.full

Restart Snort to push changes
alert.full will be in the logdir set in your config: /somepath

In your splunk config files,

/opt/splunkforwarder/etc/system/local$ cat inputs.conf
[monitor:///pathto/alert.full]
index = an_indexname_that_makes_sense_to_you_on_your_splunkSERVER
followTail = 1
sourcetype = snort_alert_full

/opt/splunkforwarder/etc/system/local$ cat outputs.conf
[tcpout]
defaultGroup=my_indexers

[tcpout:my_indexers]
server=ip.address.of.splunkServer:port_you_are_listening_on
[tcpout-server://ip.address.of.splunkServer:port_you_are_listening_on]

restart your splunk forwarder

/opt/splunkforwarder/bin/splunk restart

I'll keep an eye on this post in case you have problems.


On Thu, Apr 4, 2013 at 8:08 AM, Garanews <gara...@gmail.com> wrote:
Hello,
did you have a look here:
http://splunk-base.splunk.com/apps/45784/security-onion
http://splunk-base.splunk.com/apps/52461/security-onion-serversensor-add-on

Andrea

On Thursday, April 4, 2013 at 16:16:19 UTC+2, jljassos wrote:
> Hello,
>
> I have Security Onion running well (I guess) and am trying to send logs to Splunk (via syslog, as they recommended to me at work), which is located on a separate server from Security Onion.
>
> I found some ways like these one: http://layer8problem.blogspot.fr/2009/03/collecting-snort-logs-with-splunk.html
>
> Also I see I can use Barnyard2:
>
> output alert_syslog: LOG_AUTH LOG_ALERT
>
> However, I'm not so sure how I can do it. Could you please help me? Security Onion is the latest version and has been recently updated. It is configured as standalone.

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion?hl=en-US.
For more options, visit https://groups.google.com/groups/opt_out.





--
Mark K Ayler Jr.
CCNA, MCSE, NNCSS, OASIS.
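Mark's inputs.conf tags the file as sourcetype snort_alert_full, so the Splunk side still has to extract fields from the multi-line alert_full records. As an added example (not code from the thread, from Security Onion or from Splunk), this is a parser for that record layout, showing what a field extraction has to handle: the `[**] [gid:sid:rev] msg [**]` header, the classification/priority line, the timestamp and address line (ports only for TCP/UDP), the IP line, optional `[Xref => ...]` lines, and the blank line that separates records. The records in SAMPLE_ALERT_FULL are constructed, not real alerts, and the Xref URL is a placeholder.

```python
"""Parse Snort 'output alert_full' records into flat event dicts.

Added example; the sample records below are constructed to match the
alert_full layout and are not captured alerts.
"""
import re
from typing import Dict, List, Optional

SAMPLE_ALERT_FULL = """\
[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/04-17:30:24.123456 192.168.1.10:80 -> 10.0.0.5:54321
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7A8B  Win: 0x2000  TcpLen: 20
[Xref => http://www.example.com/ref/2100498]

[**] [1:1000001:1] LOCAL ICMP echo to sensor [**]
[Classification: Misc activity] [Priority: 3]
04/04-17:31:02.000001 10.0.0.7 -> 10.0.0.5
ICMP TTL:128 TOS:0x0 ID:4 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1  Seq:1  ECHO

this line is junk left behind by a mid-record log rotation
"""

_HEADER = re.compile(
    r"^\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]$"
)
_CLASSIFICATION = re.compile(r"\[Classification: (?P<classification>[^\]]+)\]")
_PRIORITY = re.compile(r"\[Priority: (?P<priority>\d+)\]")
_ADDRESSES = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src_ip>\d+(?:\.\d+){3})(?::(?P<src_port>\d+))? -> "
    r"(?P<dst_ip>\d+(?:\.\d+){3})(?::(?P<dst_port>\d+))?$"
)
_IP_LINE = re.compile(
    r"^(?P<proto>[A-Z]+) TTL:(?P<ttl>\d+) TOS:(?P<tos>0x[0-9A-Fa-f]+) "
    r"ID:(?P<ip_id>\d+) IpLen:(?P<ip_len>\d+) DgmLen:(?P<dgm_len>\d+)"
)
_XREF = re.compile(r"\[Xref => (?P<xref>[^\]]+)\]")


def split_records(text: str) -> List[str]:
    """alert_full writes one blank line after every record."""
    return [blk for blk in re.split(r"\n\s*\n", text.strip()) if blk.strip()]


def parse_record(block: str) -> Optional[Dict]:
    """Return one event dict, or None if the block is not an alert record."""
    lines = [ln.rstrip() for ln in block.splitlines()]
    head = _HEADER.match(lines[0]) if lines else None
    if head is None:
        return None  # e.g. a fragment left behind by log rotation
    ev: Dict = {
        "gid": int(head["gid"]), "sid": int(head["sid"]), "rev": int(head["rev"]),
        "msg": head["msg"], "classification": None, "priority": None,
        "timestamp": None, "src_ip": None, "src_port": None,
        "dst_ip": None, "dst_port": None, "proto": None, "ttl": None, "xrefs": [],
    }
    for line in lines[1:]:
        if (m := _CLASSIFICATION.search(line)):
            ev["classification"] = m["classification"]
        if (m := _PRIORITY.search(line)):
            ev["priority"] = int(m["priority"])
        if (m := _ADDRESSES.match(line)):
            ev["timestamp"] = m["ts"]
            ev["src_ip"], ev["dst_ip"] = m["src_ip"], m["dst_ip"]
            # ICMP records carry no ports, so the groups stay None
            ev["src_port"] = int(m["src_port"]) if m["src_port"] else None
            ev["dst_port"] = int(m["dst_port"]) if m["dst_port"] else None
        if (m := _IP_LINE.match(line)):
            ev["proto"] = m["proto"]
            ev["ttl"] = int(m["ttl"])
        ev["xrefs"].extend(x["xref"] for x in _XREF.finditer(line))
    return ev


def parse_alert_full(text: str) -> List[Dict]:
    """Parse a whole alert.full file, dropping blocks that are not alerts."""
    return [ev for ev in map(parse_record, split_records(text)) if ev is not None]


def events_at_or_above(events: List[Dict], max_priority: int = 2) -> List[Dict]:
    """Snort priority 1 is the most severe; keep events at or above the threshold."""
    return [e for e in events if e["priority"] is not None and e["priority"] <= max_priority]


if __name__ == "__main__":
    for ev in parse_alert_full(SAMPLE_ALERT_FULL):
        print(ev["timestamp"], ev["proto"], ev["src_ip"], "->", ev["dst_ip"], ev["msg"])
```

The junk block at the end of the sample is there deliberately: a forwarder tailing a file that Snort rotates under it can hand Splunk a partial record, and the parser should skip it rather than mis-attribute fields to the next alert.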

Brad Shoop

Apr 4, 2013, 6:58:06 PM
to securit...@googlegroups.com
Mark's instructions will get you the full Snort logs into Splunk. Nice writeup, by the way, Mark. Thanks for sharing.

For the SO for Splunk app I used the sguild.log to avoid adding log volume to the SO sensors and to simplify configuration for the end users. Pros and cons to both methods. The SO for Splunk app will give you Bro logs, OSSEC, PADS, and Snort/Suricata events. How much data your Splunk instance can ingest will likely be the determining factor.

I highly recommend ELSA, personally. The cost is tough to beat and it can handle the massive volumes of data very efficiently. Plus, thanks to Doug, Scott and Martin it's already there with all your data indexed just waiting to be used. =)

Brad
Brad Shoop
GCIH GCFA
twitter: @bradshoop

Mark K. Ayler Jr.

Apr 4, 2013, 7:18:39 PM
to securit...@googlegroups.com
Brad, thanks for the compliment. You are totally right about sending data to Splunk... you are limited by the license (Splunk). And sending all that data is going to be a lot of information. That's why, if you can, ELSA would be ideal. I really wanted to dig into that when I was running SO but didn't make time. Not too late though.

Also, I haven't looked at the SO for Splunk app. I used the Splunk for Snort app, and it works great (has all the fields you would want).

Brad Shoop

Apr 4, 2013, 7:38:18 PM
to securit...@googlegroups.com
> Also, I haven't looked at the SO for Splunk app. I used the Splunk for Snort app, and it works great (has all the fields you would want).

I'm proud to say the same can be said of Bro logs in the SO for Splunk app. =)

Mark K. Ayler Jr.

Apr 5, 2013, 1:34:43 PM
to securit...@googlegroups.com
No problem.


On Fri, Apr 5, 2013 at 8:55 AM, jljassos <jlja...@gmail.com> wrote:
Thank you very much for the information. Right now it's time to leave the office, but without delay I'll check it out on Monday. Thank you very much for keeping an eye on the post.





Doug Burks

May 2, 2013, 1:11:11 PM
to securit...@googlegroups.com
Hi Zate,

Bro compresses its log files using gzip, so you can get the
uncompressed size of the log files using "gzip -l". A little bash-fu
will give you a nice listing of each day in the /nsm/bro/logs/ archive
and their uncompressed sizes:

cd /nsm/bro/logs/; for i in ????-??-??; do cd $i; echo -n "$i - ";
gzip -l *.log.gz | grep "(totals)" | awk '{print $2}'; cd ..; done

Having said that, keep in mind that ELSA can save you a lot of money
in Splunk licensing costs. If you have any questions about ELSA,
please let us know!

Thanks,
Doug

On Tue, Apr 30, 2013 at 2:08 PM, Zate <zat...@gmail.com> wrote:
> Any way to get an indication of how much data you'd be sending to splunk? To know what size license to look at?
>
> I was considering just putting the Bro logs in there and the splunk alerts.
>
> I know the amount will differ for everyone, what I am after is some commands or ways to look on my install and see how much data I am generating roughly per 24h period that would go into splunk.
>



--
Doug Burks
http://securityonion.blogspot.com
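Doug's one-liner leans on `gzip -l`, which reads the ISIZE field in the gzip trailer (uncompressed length mod 2**32) rather than decompressing anything. As an added example (not code from the thread or from Security Onion), here is the same per-day measurement done directly in Python over a /nsm/bro/logs/YYYY-MM-DD/*.log.gz layout, plus the number Zate actually needs: the busiest archived day, since Splunk licensing is measured per day of ingest. The headroom factor is an assumed sizing choice, not a Splunk rule, and make_sample_tree() builds a constructed directory in a temp dir so the script runs without a sensor.

```python
"""Estimate how many bytes per day of archived Bro logs would go to Splunk.

Added example. Reads the gzip trailer instead of decompressing; the sample
tree built by make_sample_tree() is constructed, not real Bro output.
"""
import gzip
import os
import re
import struct
import tempfile
from pathlib import Path
from typing import Dict

DATE_DIR = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def gzip_uncompressed_size(path: Path) -> int:
    """ISIZE from the gzip trailer, the value `gzip -l` prints.
    Same caveats as gzip -l: it wraps at 4 GiB, and in a concatenated
    multi-member file only the last member is counted."""
    with open(path, "rb") as fh:
        fh.seek(-4, os.SEEK_END)
        (isize,) = struct.unpack("<I", fh.read(4))
    return isize


def daily_volume(root: Path) -> Dict[str, int]:
    """Uncompressed bytes per archived day, keyed by YYYY-MM-DD.
    Directories that are not dates (e.g. Bro's 'current') are skipped,
    as are files that are not *.log.gz."""
    totals: Dict[str, int] = {}
    for day in sorted(Path(root).iterdir()):
        if day.is_dir() and DATE_DIR.match(day.name):
            totals[day.name] = sum(gzip_uncompressed_size(f) for f in day.glob("*.log.gz"))
    return totals


def peak_day_gb(totals: Dict[str, int], headroom: float = 1.5) -> float:
    """Size a per-day license to the busiest archived day plus headroom.
    The 1.5 factor is an assumption for growth, not a Splunk figure."""
    peak = max(totals.values(), default=0)
    return peak * headroom / 1e9


def make_sample_tree() -> Path:
    """Constructed /nsm/bro/logs lookalike in a fresh temp directory."""
    root = Path(tempfile.mkdtemp(prefix="bro-logs-"))
    layout = {
        "2013-04-01": {"conn.log.gz": 1000, "dns.log.gz": 2500},
        "2013-04-02": {"conn.log.gz": 4000},
    }
    for day, files in layout.items():
        (root / day).mkdir()
        for name, size in files.items():
            with gzip.open(root / day / name, "wb") as gz:
                gz.write(b"x" * size)
        (root / day / "notice.log").write_bytes(b"y" * 999)  # not .gz: ignored
    (root / "current").mkdir()  # live, uncompressed logs: ignored
    return root


if __name__ == "__main__":
    sample = make_sample_tree()
    totals = daily_volume(sample)
    for day, nbytes in totals.items():
        print(f"{day} - {nbytes}")
    print(f"peak day with headroom: {peak_day_gb(totals):.6f} GB")
```

On a real sensor, point daily_volume() at /nsm/bro/logs and look at the spread between days, not just the average: a license sized to a quiet week will be exceeded on the first busy one.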