So SecurityOnion 2.3 does come with Kibana, but I also like Splunk and want to get more experience with Splunk. My plan is to add a Splunk Forwarder to SecurityOnion. I have two paths I can take to accomplish this.
1. Install it on the machine as a normal application
2. Install a Docker Container of the Splunk Forwarder.
I have chosen option two, because option one is too easy to complete. Plus, this could give me more experience with Docker.
Step 1: docker pull splunk/universalforwarder:latest
Step 2: docker run --name uf --hostname uf -p 9997:9997 -e "SPLUNK_PASSWORD=<PASSWORD>" -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_FORWARD_SERVER=XX.XX.XX.XX:9997" -d splunk/universalforwarder:latest
The Docker container started and is still operational, but I don't see anything on my main Splunk server. Also, since I have the free version of Splunk, I do not have forwarder management, so I can't see in Splunk whether the two are talking to each other.
I did try docker logs uf, which looks like a bunch of Ansible scripts, not the splunkd.log I was looking for.
Next, I typed docker exec -it -u splunk uf /bin/bash to access the container. I viewed splunkd.log there but did not find anything of use just yet.
I need to figure out how to add a folder for the Docker container to watch (Zeek/Suricata) for now. I might try to add the Docker container to the SecurityOnion group of containers (if it benefits anything, that is).
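The following is an added example, not a script from the original post, that pulls the pieces above into one place: starting the Universal Forwarder container with the Zeek/Suricata directories mounted read-only, registering those paths as monitored inputs, and then asking the forwarder itself whether the connection to the indexer is up, which is the check you need on Splunk Free where the indexer has no forwarder management view. The Security Onion 2.3 log paths (/nsm/zeek/logs/current, /nsm/suricata/eve.json), the index names so_zeek and so_suricata, and the exact wording of the splunkd.log TcpOutput messages are assumptions to verify on your own box; the splunk CLI calls (add monitor, list forward-server) and the /opt/splunkforwarder paths are the standard ones for the UF.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): run the Splunk Universal
# Forwarder container against Security Onion logs and verify it connected.
set -eu

# Assumptions, adjust for your box: Security Onion 2.3 default log paths
# and the UF container's install prefix.
ZEEK_LOGS="${ZEEK_LOGS:-/nsm/zeek/logs/current}"
SURICATA_LOGS="${SURICATA_LOGS:-/nsm/suricata}"
UF_HOME="/opt/splunkforwarder"

# Start the forwarder. The UF only makes outbound connections to the
# indexer's receiving port, so no -p mapping is needed on the forwarder side.
# Mounts are read-only so a compromised forwarder cannot tamper with evidence.
uf_start() {
  indexer="$1"; password="$2"
  docker run -d --name uf --hostname uf \
    -v "${ZEEK_LOGS}:/nsm/zeek:ro" \
    -v "${SURICATA_LOGS}:/nsm/suricata:ro" \
    -e "SPLUNK_START_ARGS=--accept-license" \
    -e "SPLUNK_PASSWORD=${password}" \
    -e "SPLUNK_FORWARD_SERVER=${indexer}:9997" \
    splunk/universalforwarder:latest
}

# Register the mounted paths as monitored inputs. The container runs splunkd
# as the splunk user, so that user must be able to read the mounted files.
# Index and sourcetype names here are assumptions.
uf_add_inputs() {
  password="$1"
  docker exec -u splunk uf "${UF_HOME}/bin/splunk" add monitor /nsm/zeek \
    -index so_zeek -sourcetype bro:json -auth "admin:${password}"
  docker exec -u splunk uf "${UF_HOME}/bin/splunk" add monitor /nsm/suricata/eve.json \
    -index so_suricata -sourcetype suricata -auth "admin:${password}"
}

# Ask the forwarder whether its forward-server is active. Works on Splunk
# Free, which has no forwarder management on the indexer side.
uf_forward_status() {
  password="$1"
  docker exec -u splunk uf "${UF_HOME}/bin/splunk" list forward-server -auth "admin:${password}"
}

# docker logs only shows the Ansible entrypoint; the real log is inside the
# container. Tail it and reduce it to a connection state.
uf_splunkd_log() {
  docker exec uf tail -n 200 "${UF_HOME}/var/log/splunk/splunkd.log" | uf_classify_output
}

# Read splunkd.log text on stdin, print connected|failed|unknown.
# Last matching line wins, so a reconnect after a failure reads as connected.
# Patterns follow typical TcpOutputProc/TcpOutputFd wording (an assumption;
# widen them if your version logs differently).
uf_classify_output() {
  state="unknown"
  while IFS= read -r line; do
    case "$line" in
      *"TcpOutputProc - Connected to idx="*) state="connected" ;;
      *"TcpOutputFd"*"Connect to"*"failed"*) state="failed" ;;
      *"TcpOutputProc"*"Cooked connection"*"timed out"*) state="failed" ;;
    esac
  done
  printf '%s\n' "$state"
}

# Constructed sample of a first failed attempt followed by a successful
# connection, so the classifier can be exercised without a container.
SAMPLE_SPLUNKD_LOG='05-10-2021 10:00:00.000 +0000 WARN  TcpOutputFd - Connect to 10.0.0.5:9997 failed. Connection refused
05-10-2021 10:00:30.000 +0000 INFO  TcpOutputProc - Connected to idx=10.0.0.5:9997, pset=0, reuse=0.'

demo_classify() {
  printf '%s\n' "$SAMPLE_SPLUNKD_LOG" | uf_classify_output
}

# Only touch docker when explicitly asked, e.g.:
#   UF_DEPLOY=1 INDEXER=10.0.0.5 SPLUNK_PASSWORD='...' sh uf.sh
if [ "${UF_DEPLOY:-0}" = "1" ]; then
  uf_start "${INDEXER:?set INDEXER}" "${SPLUNK_PASSWORD:?set SPLUNK_PASSWORD}"
  sleep 60   # the Ansible entrypoint takes a while before splunkd is up
  uf_add_inputs "$SPLUNK_PASSWORD"
  uf_forward_status "$SPLUNK_PASSWORD"
  uf_splunkd_log
fi
```

If list forward-server reports the indexer under "Configured but inactive forwards", check that the receiver is actually enabled on the indexer (splunk enable listen 9997) and that the host firewall allows the forwarder out on 9997; if the monitored paths show nothing, check that the container's splunk user can read the files under the read-only mounts, since Security Onion writes them as its own service account.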