

Prerequisites:

Have a working Splunk instance (Splunk Enterprise, in my case) to connect to.

Have installed a universal forwarder on the endpoint that you want to monitor. There are plenty of tutorials for this online (see here, an excellent post which will get you most of the way through setting up Splunk to analyse Suricata & pfSense logs).

Note: There are some steps specific to my use case, which are marked accordingly with. These can be ignored if you are just trying to configure a universal forwarder to send data to multiple indexes in Splunk.

Steps:

1. Create the desired index in Splunk (Settings -> Indexes). I named mine ids_lan as I am using an Intrusion Detection System (IDS) to monitor my LAN network on pfSense. You can leave all the index settings as default for now.

2. Go to the pfSense web UI, and create & configure the instance that you want to monitor. Once it is up and running, go to 'Logs View' and select the instance to view. Note the file path and, importantly, the folder name where logs are sent for that instance. My path is /var/log/suricata/suricata_em125470/eve.json and the folder name is suricata_em125470.

3. SSH into your VM/machine with the Splunk forwarder installed and modify the nf file. In most cases, you should navigate to /opt/splunkforwarder/etc/system/local and create an nf file if there isn't already one. In my case it's found in /opt/splunkforwarder/etc/apps/TA-Suricata/default, but that's because I'm using the TA-Suricata app to make my Suricata logs Splunk-readable (matching Splunk's Common Information Model).
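As an added example (not from the original post), here is what a forwarder input configuration for the setup above could look like when sending two Suricata instances to two different indexes. It assumes the file being edited is inputs.conf, that the TA-Suricata sourcetype is named "suricata", and that the second instance folder and index (suricata_em987654, ids_wan) are hypothetical placeholders.

```ini
# Assumed location: /opt/splunkforwarder/etc/system/local/inputs.conf
# (or the TA-Suricata app's local directory if that app is in use).
# Each monitor stanza watches one instance's eve.json and routes it to
# the index created in step 1. The index must already exist on the
# Splunk instance, otherwise the events have nowhere to go.

# LAN IDS instance from the post -> index ids_lan
[monitor:///var/log/suricata/suricata_em125470/eve.json]
index = ids_lan
sourcetype = suricata
disabled = 0

# Second instance (hypothetical folder name and index) -> index ids_wan
# The folder name is specific to the pfSense instance, so re-check it in
# 'Logs View' whenever an instance is recreated.
[monitor:///var/log/suricata/suricata_em987654/eve.json]
index = ids_wan
sourcetype = suricata
disabled = 0
```

After saving, restart the forwarder (/opt/splunkforwarder/bin/splunk restart) and confirm the paths are picked up with /opt/splunkforwarder/bin/splunk list monitor.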
