Log central with Snort, Syslog-ng and Splunk ( SSS)

In the previous post, I installed Snort with Barnyard to send logs to Snort Report. Today I added BASE (Basic Analysis and Security Engine), a Snort log analysis front end:
Download the files:

#wget sourceforge.net/projects/adodb/files/latest..

#wget sourceforge.net/projects/secureideas/files/..

#yum --enablerepo=epel -y install php-adodb php-pear-Image-Graph

#unzip adodb517.zip

#tar xvzf base-1.4.5.tar.gz

#cp -R base-1.4.5 /var/www/html/

#mv /var/www/html/base-1.4.5 /var/www/html/base

#cp -R adodb5 /var/www/html/base

#chmod 777 -R /var/www/html/base

Go to http://<snort-host>/base and run the setup; the adodb path is /var/www/html/base/adodb5

After completing this, I configured Snort to send its logs to the central log server. I am using Splunk as the central log manager, and syslog-ng to forward the Snort log to Splunk.
First, on the Snort machine, I edited the config to make Snort write alerts to a plain-text file:

#vim /etc/sysconfig/snortd (I don't remember the exact path)
Find ALERT, uncomment it, and set ALERT=full
Restart Snort:

#service snortd restart

#tail -f /var/log/snort/alert
Generate some traffic that triggers an alert and watch it appear in the alert log.
Next, install syslog-ng:

#yum --enablerepo=epel -y install syslog-ng
Edit the syslog-ng config file:

#vim /etc/syslog-ng/syslog-ng.conf

source s_tail {
    file("/var/log/snort/alert" follow_freq(1) flags(no-parse));
};

destination stail2 {
    tcp("192.168.174.110");
};

log {
    source(s_tail);
    destination(stail2);
    flags(flow-control);
};

I used TCP on port 514 (the default for the tcp() destination).
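The file source above, with flags(no-parse), ships the alert file one line per message, while a full-format Snort alert spans several lines and is ended by a blank line. The Python below is an added example, not part of the original post: it regroups such a line stream into records and extracts the fields (gid/sid/rev, message, priority, addresses, ports, protocol) a Splunk search would key on. The sample alerts are constructed in the full-alert layout using the lab's 192.168.174.0/24 addresses.

```python
import re
from typing import Dict, Iterator, List
# Constructed sample in the Snort "full" alert layout (what ALERT=full writes): a record spans several lines, a blank line ends it.
SAMPLE_ALERT_LOG = """\
[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/12-10:15:32.123456 192.168.174.50:80 -> 192.168.174.20:45678
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:120 DF

[**] [1:1000001:1] LOCAL ICMP ping from lab host [**]
[Classification: Misc activity] [Priority: 3]
08/12-10:16:01.000001 192.168.174.20 -> 192.168.174.50
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84
"""
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]")
PKT_RE = re.compile(r"^(\S+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+)")

def records(text: str) -> Iterator[List[str]]:
    # Regroup the line-per-message stream into records: a blank line ends one.
    block: List[str] = []
    for line in text.splitlines():
        if line.strip():
            block.append(line)
        elif block:
            yield block
            block = []
    if block:
        yield block

def parse_alert(block: List[str]) -> Dict[str, object]:
    """Pull out the fields a SIEM search keys on: gid/sid/rev, msg, priority, 5-tuple."""
    head = HEADER_RE.match(block[0])
    if not head:
        raise ValueError("not a Snort full-format alert header: %r" % block[0])
    ev: Dict[str, object] = {"gid": int(head.group(1)), "sid": int(head.group(2)),
                             "rev": int(head.group(3)), "msg": head.group(4)}
    for line in block[1:]:
        if m := CLASS_RE.match(line):
            ev["classification"], ev["priority"] = m.group(1), int(m.group(2))
        elif m := PKT_RE.match(line):
            ev["timestamp"], ev["src_ip"], ev["dst_ip"] = m.group(1), m.group(2), m.group(4)
            ev["src_port"], ev["dst_port"] = [int(p) if p else None for p in (m.group(3), m.group(5))]
        elif m := PROTO_RE.match(line):
            ev["protocol"], ev["ttl"] = m.group(1), int(m.group(2))
    return ev
def parse_alert_log(text: str) -> List[Dict[str, object]]:
    return [parse_alert(block) for block in records(text)]
```

Port-less packet lines (ICMP) leave src_port and dst_port as None, so a downstream search can tell "no port" from a parse failure.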

Stop the stock syslog daemon and make syslog-ng the one that starts at boot:

#service syslog stop

#service syslog-ng start

#chkconfig syslog off

#chkconfig syslog-ng on

On the Splunk machine:
Install Splunk (download it from splunk.com):

#rpm -Uvh splunk-4.3.2-123586.i386.rpm
Open the web GUI, then go to Data Inputs and add TCP port 514:

You can use UDP or TCP, as long as it matches the syslog-ng config.
Restart Splunk: /opt/splunk/bin/splunk restart
Install the Snort app for Splunk: go to App / Manager / Install and search for snort
or: splunk-base.splunk.com/apps/22369/splunk-fo..
After installing, open the Snort for Splunk app to view the alerts.
------------------------------------------------------------
Thanks for reading
--------------------------------------------------------------------------
Security Research
All my Lab:
Linux Lab -- Windows and Cisco Lab
to be continued - I will update more.

Nam Habach