Sunday, April 7, 2019

SecurityOnion with Splunk

Recently I installed SecurityOnion 16.04 and wanted to play with Splunk on top of it (I know it already ships Elastic with Kibana, but I wanted to use a different tool at the same time).

Setting up Splunk was pretty straightforward: I installed it on a second VM running Ubuntu, then added the Splunk forwarder to SecurityOnion (7.2.5.1 for both). Another pretty easy install.

Next, I downloaded the TAs (Technology Add-ons) for Bro and Suricata from SplunkBase. Bro setup was easy: I just set Splunk up to monitor the bro/current logs, and I was receiving data in Splunk. Suricata was a little different, as I was only getting the Suricata stats.

SecurityOnion uses separate log files, but from what I understand (correct me if I am wrong) Splunk gets more detail out of the events when the data is in a format like the EVE JSON output that Suricata can produce. So with that, I enabled the EVE JSON output file (and called it suricata.json).

I started to get the majority of my Suricata feeds into Splunk; currently I am only missing the actual alerts being fired. I will need to go back and look at what is missing, either in the monitoring or in the EVE JSON output configuration (suricata.yaml).
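Before digging into the Splunk monitor input, it helps to know whether "alert" records are landing in the EVE file at all. The script below is an added example, not from the original post: it parses EVE JSON line by line, counts the event_type values, and reports which expected types (an assumed list) never appear. The sample lines are constructed to mimic Suricata's output shape.

```python
# Added diagnostic (not from the original post): count Suricata EVE JSON
# event types so you can tell whether "alert" records are being written
# to the file before blaming the Splunk forwarder's monitor input.
import json
from collections import Counter

# Constructed sample EVE JSON lines, one object per line, trimmed to the
# fields this check needs. A deliberately broken line is included to show
# how malformed input is counted rather than crashing the check.
SAMPLE_EVE_LINES = """\
{"timestamp":"2019-04-07T10:00:00.000000+0000","event_type":"stats","stats":{"uptime":60}}
{"timestamp":"2019-04-07T10:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"example.com"}}
{"timestamp":"2019-04-07T10:00:02.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"93.184.216.34","http":{"hostname":"example.com","url":"/"}}
{"timestamp":"2019-04-07T10:00:03.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"93.184.216.34"}
this line is not JSON and is counted as malformed
"""

# Assumed set of EVE record types worth checking for; adjust to your
# suricata.yaml eve-log "types" list.
EXPECTED_TYPES = ("alert", "dns", "http", "flow", "stats")


def count_event_types(lines):
    """Return (Counter of event_type values, number of malformed lines)."""
    counts = Counter()
    malformed = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        counts[record.get("event_type", "<missing>")] += 1
    return counts, malformed


def missing_types(counts, expected=EXPECTED_TYPES):
    """Expected event types that never appeared in the input."""
    return [t for t in expected if counts[t] == 0]


def report(lines):
    counts, malformed = count_event_types(lines)
    for event_type, n in sorted(counts.items()):
        print(f"{event_type:10} {n}")
    print(f"malformed lines: {malformed}")
    absent = missing_types(counts)
    if absent:
        print("never seen in input:", ", ".join(absent))
    return counts, malformed, absent


if __name__ == "__main__":
    report(SAMPLE_EVE_LINES.splitlines())
```

Against a live sensor, feed it the lines of the EVE file you configured (the suricata.json from the post) instead of the constructed sample; the Splunk-side equivalent is a `stats count by event_type` search over the Suricata sourcetype.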

It is nice to be able to see the same data in two different SIEM-type products, to compare search queries and see different visualizations.
