In these blog posts, I wish I were explaining how to do some of these things, but currently they are more a record of where I am in the process; as I learn more, I will create instructional posts with images.
So I have Zeek and Suricata data being ingested from my Security Onion VM. I originally had the local.conf files for both set up something like this:
[monitor:///nsm/bro/logs/....]
sourcetype = bro
index = bro
[monitor:///nsm/sensor-data/sensor/...]
sourcetype = suricata
index = suricata
But I thought it would be better to break out the sourcetypes based on the log type. From what I am looking at, Security Onion defaults to plain log files instead of JSON format for its log creation (correct me if I am wrong).
So I set it up like this:
[monitor:///nsm/bro/logs/current/conn.log]
sourcetype = bro_conn
index = bro
[monitor:///nsm/bro/logs/current/dns.log]
sourcetype = bro_dns
index = bro
But the sourcetypes showing up in Splunk are (dns-4, tls-11, conn), so it looks like they are just randomly created and, for the most part, not using the TAs that I have installed (if anyone can assist, that would be great).
Reading over the Splunk documentation, maybe it should be sourcetype = bro for all of them, and it will append the _conn, _dns, etc.
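As an added example that is not part of the original post, here is a small Python script that builds one [monitor://...] stanza per Zeek log (each with its own sourcetype, as the post describes) and lints an existing inputs.conf-style text for lines that are not in the key = value form Splunk .conf files use, or for monitor stanzas with no explicit sourcetype or index. The log names, the /nsm/bro/logs/current path, the bro index and the bro_ prefix are my assumptions for illustration, not values taken from the post beyond what it already shows.

```python
"""Added example (not from the original post): build and lint per-log Splunk
inputs.conf monitor stanzas for Zeek logs.

Assumptions (mine, not the post's): the log names, the /nsm/bro/logs/current
path and the index name are illustrative; the lint rules only encode the
key = value form that Splunk .conf files require.
"""
import re

# A setting line must look like `key = value`; Splunk does not accept `key:value`.
KEY_VALUE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$")
STANZA = re.compile(r"^\s*\[(.+)\]\s*$")


def build_stanzas(log_names, base_dir="/nsm/bro/logs/current", index="bro", prefix="bro"):
    """Return inputs.conf text with one [monitor://...] stanza per Zeek log,
    each tagged with its own sourcetype (bro_conn, bro_dns, ...)."""
    parts = []
    for name in log_names:
        parts.append(
            f"[monitor://{base_dir}/{name}.log]\n"
            f"sourcetype = {prefix}_{name}\n"
            f"index = {index}\n"
        )
    return "\n".join(parts)


def parse_inputs_conf(text):
    """Parse .conf text into {stanza_header: {key: value}}.
    Lines that are not `key = value` are collected under '__bad__' so the
    linter can report them instead of silently dropping them."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            current = m.group(1)
            stanzas[current] = {"__bad__": []}
            continue
        if current is None:
            continue  # a setting before any stanza header; ignore it
        kv = KEY_VALUE.match(line)
        if kv:
            stanzas[current][kv.group(1)] = kv.group(2)
        else:
            stanzas[current]["__bad__"].append(line)
    return stanzas


def lint(stanzas):
    """Return human-readable problems: malformed lines, and monitor stanzas
    that set no explicit sourcetype or index."""
    problems = []
    for header, settings in stanzas.items():
        for bad in settings["__bad__"]:
            problems.append(f"[{header}] not key = value: {bad!r}")
        if header.startswith("monitor://"):
            for required in ("sourcetype", "index"):
                if required not in settings:
                    problems.append(f"[{header}] missing {required}")
    return problems


if __name__ == "__main__":
    # Generate stanzas for a few Zeek logs (constructed list) and lint them.
    conf = build_stanzas(["conn", "dns", "ssl", "http"])
    print(conf)
    print("problems:", lint(parse_inputs_conf(conf)) or "none")
    # A constructed stanza using `sourcetype:bro_dns` instead of `sourcetype = bro_dns`.
    typo = "[monitor:///nsm/bro/logs/current/dns.log]\nsourcetype:bro_dns\nindex=bro\n"
    for p in lint(parse_inputs_conf(typo)):
        print("problem:", p)
```

Running the linter over a real inputs.conf before restarting the forwarder is a cheap way to confirm that every monitor stanza carries the sourcetype you meant to assign, rather than finding out from the sourcetype names that appear in Splunk afterwards.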
Still waiting to get the Suricata Emerging Threats alerts to display in Splunk (maybe I am just lucky and I have no ET alerts), but I did add a second monitor for suricata.log (where I noticed Kibana was pulling the alert information from).