Thursday, November 26, 2020

[Splunk][Suricata][Syslog] Enable Syslog on Suricata for Splunk (updated on 20201126)

 [For Suricata side:]

# cd /etc/suricata/

# cp ./suricata.yaml ./suricata_with_syslog.yaml

# vi ./suricata_with_syslog.yaml

Make sure that the following lines exist in the outputs: section (the syslog output is indented under it like the other outputs):

  - syslog:
      enabled: yes
      identity: "suricata"
      facility: local5
      level: Info

:wq

# killall -9 suricata

# suricata -c /etc/suricata/suricata_with_syslog.yaml -i wlan0 -D

# vi /etc/rsyslog.conf

Add the following line to the file (192.168.0.253 is the Splunk server and 888 is the TCP port it listens on; the double @@ tells rsyslog to forward over TCP, a single @ would mean UDP):

*.*                             @@192.168.0.253:888

:wq

# /etc/init.d/rsyslog restart



[For Splunk side:]

1) Go to "Settings"->"Data Inputs"

2) Go to "TCP"->"Add new"

3) Enter "888"->Click "Next >"

4) "Select Source Type"->"Operating System"->"syslog"->"Review >"

5) "Submit >"

6) "Start Searching"
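To check the forwarding leg end to end before trusting a Splunk search, here is an added example (not part of the original post, and not code from Suricata, rsyslog or Splunk). It emulates the rsyslog @@ action (newline-framed RFC 3164 lines over TCP) and a minimal collector standing in for the Splunk TCP input on 192.168.0.253:888, then decodes the <PRI> prefix so you can confirm the records really arrive as facility local5. The sample lines, host name, IPs and rule ID are constructed; the loopback port is ephemeral.

```python
"""Loopback check of the Suricata -> rsyslog -> TCP -> collector chain.

Added example; sample lines, hosts and addresses are constructed.
"""
import socket
import threading

# Facility and severity codes from RFC 3164 section 4.1.1
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
              4: "warning", 5: "notice", 6: "info", 7: "debug"}


def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, e.g. local5.info -> 174."""
    fac = {v: k for k, v in FACILITIES.items()}[facility]
    sev = {v: k for k, v in SEVERITIES.items()}[severity]
    return fac * 8 + sev


def decode_line(line: str) -> dict:
    """Split '<PRI>Mon dd hh:mm:ss host tag[pid]: msg' into named fields."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError(f"no <PRI> prefix: {line!r}")
    end = line.index(">")
    pri = int(line[1:end])
    rest = line[end + 1:]
    # split(None, 4) tolerates the double space rsyslog uses for 'Nov  6'
    parts = rest.split(None, 4)
    tag = parts[4].split(":", 1)[0] if len(parts) == 5 else ""
    tag = tag.split("[", 1)[0]  # drop the '[pid]' suffix
    return {
        "facility": FACILITIES.get(pri // 8, f"unknown({pri // 8})"),
        "severity": SEVERITIES[pri % 8],
        "tag": tag,
        "raw": line,
    }


def forward_over_tcp(lines, host="127.0.0.1"):
    """Send lines the way rsyslog's '@@host:port' action does and return
    the decoded records a line-oriented TCP collector receives."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))  # ephemeral port stands in for TCP 888
    listener.listen(1)
    port = listener.getsockname()[1]
    received = []

    def collector():
        conn, _ = listener.accept()
        with conn:
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
        # newline framing: one syslog record per line
        for raw in buf.decode("utf-8").split("\n"):
            if raw:
                received.append(decode_line(raw))

    worker = threading.Thread(target=collector)
    worker.start()
    with socket.create_connection((host, port)) as client:
        client.sendall("".join(l + "\n" for l in lines).encode("utf-8"))
    worker.join(timeout=5)
    listener.close()
    return received


def suricata_records(records):
    """What a search on the Suricata facility keeps: local5 with tag 'suricata'."""
    return [r for r in records if r["facility"] == "local5" and r["tag"] == "suricata"]


# Constructed sample: one Suricata alert at local5.info (PRI 174) and one
# unrelated auth.info line (PRI 38) that the '*.*' selector forwards as well.
SAMPLE_LINES = [
    "<174>Nov 26 10:00:00 sensor suricata[1234]: [1:1000001:1] Constructed test alert "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:40000 -> 198.51.100.20:80",
    "<38>Nov 26 10:00:01 sensor sshd[4321]: Accepted publickey for alice from 192.0.2.10",
]

if __name__ == "__main__":
    got = forward_over_tcp(SAMPLE_LINES)
    for rec in got:
        print(rec["facility"], rec["severity"], rec["tag"])
    print(len(suricata_records(got)), "Suricata record(s) out of", len(got))
```

The second sample line shows what the *.* selector in rsyslog.conf does: every facility on the sensor, not only Suricata's, is shipped to port 888. If only the IDS output is wanted on the Splunk side, narrow the selector to local5.* so that the rsyslog rule matches the facility configured in suricata_with_syslog.yaml.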
