I wanted to do a blog post on deploying the Security Onion for Splunk app in a distributed environment, where Splunk, the Security Onion server and the Security Onion sensor are all on separate hosts. I found it was easier to just build an add-on and let the README do the blogging. The add-on shouldn’t change or require updating nearly as much as the full app, only needing updates when new logging is added at the server or sensor, as Bro is wont to do at times (thank you very much). All the field extractions and transformations happen on the Splunk server. You can download the add-on here (once approved).
Security Onion Sensor Add On eases the configuration of a multiple Security Onion sensor deployment. Install the Splunk Universal Forwarder and untar this app to /opt/splunkforwarder/etc/apps. Edit /opt/splunkforwarder/etc/apps/securityonion_addon/local/inputs.conf to disable specific logs depending on whether you’re indexing from a server or sensor that is remote to the Splunk indexer.
Install the Splunk Universal Forwarder:
sudo dpkg -i <filename>
Start Splunk and accept the license
splunk enable boot-start
Configure the universal forwarder to forward to a specific indexer:
splunk add forward-server <host>:<port> -auth <username>:<password>
Default receiver port is 9997. Username is a Splunk administrative user. Optionally, to enable secure Splunk communications the following command can be used to specify a certificate, root CA and password.
splunk add forward-server <host>:<port> -ssl-cert-path /path/ssl.crt -ssl-root-ca-path /path/ca.crt -ssl-password <password>
Download the Security Onion for Splunk Addon and extract the file to the Splunk forwarder apps folder:
sudo tar -C /opt/splunkforwarder/etc/apps -xvf securityonion_addon.tar.gz
Edit the local inputs.conf file depending on your deployment scenario:
Default config files for the following deployments are included:
Just copy the appropriate file to replace the default inputs.conf (default deployment is server/sensor). For example, if you are installing on a sensor:
sudo cp inputs_sensor.conf inputs.conf
When you’re done, restart the Splunk forwarder:
sudo /opt/splunkforwarder/bin/splunk restart
As long as your indexer is receiving events you should be good to go.
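As an added example that is not from the add-on or the original post: a small POSIX sh check that parses an inputs.conf and lists the monitor stanzas the forwarder will actually collect, so you can confirm that a sensor copy really disables the server-only logs before you restart. The stanza paths in the constructed sample are illustrative Security Onion locations, not the contents of the add-on's real inputs_sensor.conf.

```shell
#!/bin/sh
# Print the paths of [monitor://...] stanzas in a Splunk inputs.conf that
# are not disabled. Splunk treats a stanza with no "disabled" key as enabled,
# so only an explicit "disabled = 1" (or "true") switches an input off.
enabled_inputs() {
    awk '
        function emit() {
            if (path != "" && disabled == 0) print path
            path = ""; disabled = 0
        }
        /^\[monitor:\/\// {
            emit()
            path = $0
            sub(/^\[monitor:\/\//, "", path); sub(/\]$/, "", path)
        }
        /^[ \t]*disabled[ \t]*=[ \t]*(1|true)[ \t]*$/  { disabled = 1 }
        /^[ \t]*disabled[ \t]*=[ \t]*(0|false)[ \t]*$/ { disabled = 0 }
        END { emit() }
    ' "$1"
}

# Constructed sensor-role inputs.conf (illustrative paths, assumption):
# sensor logs enabled, the server-only sguild log disabled, and one stanza
# with no "disabled" key at all, which Splunk still collects.
write_sample_sensor_conf() {
    cat > "$1" <<'EOF'
[monitor:///nsm/bro/logs/current]
disabled = 0
sourcetype = bro

[monitor:///var/log/nsm/securityonion/sguild.log]
disabled = 1
sourcetype = sguild

[monitor:///nsm/sensor_data]
sourcetype = snort
EOF
}

# Succeed only when the enabled inputs in "$1" are exactly the
# space-separated paths in "$2" (order does not matter).
check_role() {
    actual=$(enabled_inputs "$1" | sort | tr '\n' ' ')
    expected=$(printf '%s\n' $2 | sort | tr '\n' ' ')
    [ "$actual" = "$expected" ]
}

# Demo: show what a forwarder with the sample config would collect.
sample=$(mktemp)
write_sample_sensor_conf "$sample"
enabled_inputs "$sample"
rm -f "$sample"
```

Run it against /opt/splunkforwarder/etc/apps/securityonion_addon/local/inputs.conf instead of the sample to see exactly which logs that host will ship.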