rba-community / TA-opnsense

Splunk Add on for OPNsense firewall
https://ta-opnsense.rba.community
Apache License 2.0

Suricata extract suggestion #19

Closed b4b857f6ee closed 4 years ago

b4b857f6ee commented 4 years ago

Hello,

Regarding your suricata extract, why not just extract it like this?

[opnsense_suricata_json]
REGEX = .suricata[.]:\s(.*)
FORMAT = $1
DEST_KEY = _raw

Instead of all your: opnsense_suricata_category, opnsense_suricata_dest_ip, opnsense_suricata_dest_port, etc.

In this case you have the JSON directly extracted. I'm already using it for the normal suricata eve.json file.

I just configure it like this:

transforms.conf

image

And

props.conf

image

Looks great:

image

And after that you can use my really nice dashboard xD

image

This is my app: https://splunkbase.splunk.com/app/4014/. I'm using index=ids by default, but I just have to modify 'index=ids' to 'index=ids Or tag=ids'.
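To make the suggestion above concrete, here is an added example (not code from the TA-opnsense project or from the issue author) that emulates what the proposed transforms.conf stanza does at index time: the REGEX capture becomes the new _raw (FORMAT = $1, DEST_KEY = _raw), and JSON auto-extraction then runs over that rewritten _raw. The syslog lines are constructed, and the regex used here is an assumption: the issue's rendered REGEX (`.suricata[.]:\s(.*)`) appears to have lost characters to markdown rendering, so the example uses a pattern with the same intent, capturing everything after the `suricata[<pid>]:` program tag. It also shows the two cases a practitioner should check before deploying such a transform: a non-Suricata line must pass through untouched, and a Suricata line whose JSON is truncated yields an event with no extracted fields rather than a crash or a dropped event.

```python
import json
import re

# Assumed pattern (this example's assumption, not the issue's verbatim stanza):
# OPNsense forwards Suricata EVE records over syslog as
#   "<timestamp> <host> suricata[<pid>]: {json}"
# so the transform captures everything after the program tag. The REGEX shown
# in the issue (".suricata[.]:\s(.*)") looks mangled by markdown rendering;
# this pattern expresses the same intent.
SURICATA_JSON_RE = re.compile(r"suricata\[\d+\]:\s(.*)$")

# Constructed sample syslog lines (not captured from a real firewall).
SAMPLE_LINES = [
    'Mar  1 10:00:00 fw01 suricata[12345]: {"timestamp":"2021-03-01T10:00:00.000000+0000",'
    '"event_type":"alert","src_ip":"198.51.100.7","src_port":51515,'
    '"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP",'
    '"alert":{"signature":"ET SCAN Potential SSH Scan",'
    '"category":"Attempted Information Leak","severity":2}}',
    # A non-Suricata line: the transform must leave _raw untouched.
    'Mar  1 10:00:01 fw01 filterlog[555]: 5,,,1000000103,igb0,match,block,in,4',
    # A Suricata line whose JSON was truncated in transit: _raw is rewritten,
    # but JSON extraction fails and the event ends up with no fields.
    'Mar  1 10:00:02 fw01 suricata[12345]: {"event_type":"alert","src_ip":"198.51.100.7"',
]


def rewrite_raw(line: str) -> str:
    """Emulate the stanza: REGEX capture -> FORMAT = $1 -> DEST_KEY = _raw.

    Splunk only rewrites _raw when REGEX matches, so events that do not match
    are passed through unchanged rather than dropped.
    """
    match = SURICATA_JSON_RE.search(line)
    return match.group(1) if match else line


def flatten(obj: dict, prefix: str = "") -> dict:
    """Flatten nested objects into Splunk-style dotted names (alert.signature)."""
    fields = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            fields.update(flatten(value, name + "."))
        else:
            fields[name] = value
    return fields


def extract_fields(raw: str):
    """Emulate JSON auto-extraction (KV_MODE = json) on the rewritten _raw.

    Returns the flattened field map, or None when _raw is not a JSON object,
    which in Splunk shows up as an event with no extracted fields.
    """
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return None
    return flatten(parsed) if isinstance(parsed, dict) else None


def process(lines):
    """Run both stages over a batch; each result pairs the new _raw with its fields."""
    results = []
    for line in lines:
        raw = rewrite_raw(line)
        results.append({"_raw": raw, "fields": extract_fields(raw)})
    return results


if __name__ == "__main__":
    for event in process(SAMPLE_LINES):
        names = sorted(event["fields"]) if event["fields"] else None
        print(event["_raw"][:50], "->", names)
```

The rewrite-then-extract order matters: once _raw is the bare JSON object, the per-field REGEX stanzas the add-on ships (opnsense_suricata_category and friends) are no longer needed, but anything before the program tag (timestamp, host) is gone from _raw, so keep your host and timestamp extraction on the original line or rely on the JSON's own timestamp field.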

b4b857f6ee commented 4 years ago

Wow, quick request opening :).

I know, in my configuration I'm using the eve.json output instead of the syslog. I guess this is the difference. And I'm sending directly to Splunk; I'm not passing through a syslog-ng (even if this is a better solution for log management). However, the more cases and different configurations you can handle or document, the better it is :).