Splunk

Forwarding SCS logs to Splunk

General Procedure

To forward logs to Splunk, open Stamus Probe Management and go to:

  1. Appliances

  2. Identify the Stamus Probe you want to activate log forwarding from

  3. Click the View button on the right of the screen for the selected Stamus Probe

  4. Then, in the left-side action menu, click Edit settings under the Action section

  5. Finally, select the Splunk tab

By default, if Splunk forwarding has not been activated yet, you will be presented with a single option, as illustrated by the following screenshot.

Enabling logs forwarding to Splunk


Check the Send logs to Splunk box; the further options needed to configure the log forwarding then appear.

Splunk forwarding options

Note

Once the configuration fits your environment requirements, don't forget to Apply Changes.

Options

Each option and its purpose:

Splunk hosts
    Specify to which Splunk indexer the logs should be forwarded. The format is IP:Port or Hostname:Port, such as 10.44.1.123:9997.

Splunk alerts index
    Specify in which Splunk index the Stamus/Suricata alerts should be sent, such as main.

Splunk events index
    Specify in which Splunk index the Stamus events should be sent, such as main.

Splunk source type
    Specify how to sourcetype the alerts and events sent to Splunk. If you are using the Stamus App for Splunk, make sure to adjust the sourcetype to suricata.

Manage only inputs
    Prevents SCS from overwriting the output configuration of Splunk in the output.conf file.

Send only alerts
    If enabled, only SCS alerts (event_type = alerts) will be sent to Splunk. This avoids sending all event types and drastically reduces the amount of data sent to Splunk.

Use SSL client compression
    The compressed attribute only matters if you are forwarding without SSL. It determines whether or not Splunk performs native compression on a per-data-chunk (UF, LWF) or per-event (HWF) basis for outgoing data. This must be enabled on both ends for things to work. If you are forwarding with SSL, unless you explicitly set useClientSSLCompression to false, you automatically benefit from SSL compression over the data stream.

Verify server certificate
    If enabled, performs a verification of both the server certificate CommonName and Alternative Name (see below).

Server certificate CommonName
    Set the CommonName to match against the one in the certificate.

Server certificate Alternative Name
    Set the Alternative Name to match against the one in the certificate.

Client SSL key
    Upload the SSL key.

Client SSL certificate
    Upload the SSL certificate.

Enabling encryption with Splunk

To enable encryption for the Splunk connection:

  • Click on the Home major menu;

  • Click on Global Appliance Settings -> select tab Splunk;

  • Enable the Connect to Splunk with SSL checkbox;

  • Click Browse next to TLS certificate authority file of Splunk server and upload the Splunk server's CA file.

On the Appliance edit page:

  • Go to the Splunk tab;

  • Scroll down and upload Key and Certificate files in the Client SSL key and Client SSL certificate fields.

When enabling SSL, do not forget to apply changes to both the Stamus Central Server and the Probe.
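As an added example (this is not configuration generated by SCS, whose exact output is not shown on this page), the fragment below shows how the options from the table and the encryption steps above map onto a Splunk forwarder's outputs.conf and inputs.conf, using the key names from Splunk's outputs.conf and inputs.conf references. The indexer address 10.44.1.123:9997 and the index name main come from the table; the certificate paths, the eve.json path, the tcpout group name and the CommonName splunk-idx.example.internal are constructed placeholders, and whether SCS itself writes exactly these keys is an assumption. Splunk .conf files do not accept trailing comments on a value line, so every comment sits on its own line.

```ini
# outputs.conf on the forwarder (added example; paths and names are constructed)

[tcpout]
defaultGroup = stamus_splunk

# Weak setting: plaintext forwarding to the indexer (kept commented out).
# "Splunk hosts" supplies the server value as IP:Port or Hostname:Port.
# 'compressed' is the only compression knob without SSL; it must also be
# set on the indexer's [splunktcp] input or the connection will fail.
#[tcpout:stamus_splunk]
#server = 10.44.1.123:9997
#compressed = true

# Hardened setting: TLS with server certificate verification, matching
# "Connect to Splunk with SSL" plus "Verify server certificate".
[tcpout:stamus_splunk]
server = 10.44.1.123:9997
# CA uploaded under Global Appliance Settings -> Splunk
sslRootCAPath = /opt/splunkforwarder/etc/auth/splunk-server-ca.pem
# "Client SSL certificate" and "Client SSL key" as one PEM (cert + private key)
clientCert = /opt/splunkforwarder/etc/auth/stamus-probe-client.pem
# "Verify server certificate": without this, any certificate signed by any
# CA the forwarder trusts is accepted, so a rogue indexer could receive the logs
sslVerifyServerCert = true
# "Server certificate CommonName" / "Server certificate Alternative Name"
sslCommonNameToCheck = splunk-idx.example.internal
sslAltNameToCheck = splunk-idx.example.internal
# "Use SSL client compression": compression of the TLS stream itself
useClientSSLCompression = true

# inputs.conf: where "Splunk alerts index", "Splunk events index" and
# "Splunk source type" land. With both indexes set to main, as in the
# table, one monitor stanza is enough. The sourcetype suricata is what the
# Stamus App for Splunk expects. "Send only alerts" is not an inputs.conf
# key: it restricts which event_type values SCS hands to the forwarder.
[monitor:///var/log/suricata/eve.json]
index = main
sourcetype = suricata
disabled = false
```

If the alerts index and the events index differ, a single monitor stanza cannot route by event_type on its own; that split is done on the indexer with a props.conf/transforms.conf rule, which is outside what this page covers.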

Stamus App for Splunk

The Stamus Networks App for Splunk enables threat hunters, incident responders and other security practitioners who use Splunk to tap into the power of Stamus Central Server (SCS) or Suricata to more effectively do their job.

Stamus Networks develops advanced network threat detection and response solutions, including the Stamus Central Server and the open source SELKS.

Stamus Central Server is used by security practitioners worldwide to expose real threats to their critical assets, empower their team’s rapid response, and mitigate their organization’s risk. Its analytics engine that sits atop a unique combination of network traffic analysis (NTA), network intrusion detection (IDS) and organizational context allows users to quickly detect, investigate, and respond to threats and security policy violations.

The Stamus Networks App for Splunk allows Splunk Enterprise users to extract information and insights from both the Stamus Central Server and open source Suricata sensors. It provides dashboards and reports but also a set of commands to interact with Stamus Central Server via its REST API.

Stamus Networks App for Splunk is available on Splunkbase


Stamus Networks App for Splunk

Warning

The Splunk App must be deployed on the Search Head (dashboards) and on the Splunk Indexers (parsing).

Hint

The installation instructions, especially for integrating the Splunk custom commands with SCS, are available on Stamus Networks' GitHub.