Log central with Snort, Syslog-ng and Splunk ( SSS)

In previous post, i installed snort with barnyard to send log to snort report. Today, i installed addition Base: Snort log analysis:
Download file:
#wget http://sourceforge.net/projects/adodb/files/latest/download?source=files
#wget http://sourceforge.net/projects/secureideas/files/latest/download?source=files
#yum --enablerepo=epel -y install php-adodb php-pear-Image-Graph

#unzip adodb517.zip
#tar xvzf base-1.4.5.tar.gz
#cp -R base-1.4.5 /var/www/html/
#mv  /var/www/html/base-1.4.5  /var/www/html/base
#cp -R adodb5 /var/www/html/base
#chmod 777 -R /var/www/html/base

Go http:///base and setup, adodb path is /var/www/html/base/adodb5

After complete this tutorial, i started config snort to send log to center log. I am using splunk to Log Central Manager. I used syslog-ng to send snort log to splunk.
Frist, in snort machine, i edited config to force snort write alert to plain text file:
#vim /etc/sysconfig/snortd ( i don`t remmeber path)
Find ALERT and uncomment it, change ALERT=full
Restart snort:
#service snortd restart
#tail -f /var/log/snort/alert
Action to make alert and see alert log.
Next, we will install syslog-ng:
#yum --enablerepo=epel syslog-ng
Edit syslog-ng file:
#vim  /etc/syslog-ng/syslog-ng.conf
source s_tail { file("/var/log/snort/alert"
                    follow_freq(1) flags(no-parse) ) ; };

destination stail2 {  tcp("") ;

log {

I used tcp ( port 514)
#service syslog stop
#service syslog-ng start
#chkconfig syslog off
#chkconfig syslog-ng off

Go to splunk machine:
Install splunk: Download from: http://www.splunk.com/
#rpm -Uvh splunk-4.3.2-123586.i386.rpm
Access webgui, then go to DataInput/ Add TCP port 514:

You can use UDP or TCP ( syslog-ng config)
Restart splunk: /opt/splunk/bin/spunk restart
Install snort app for spunk: Go to App/Manger/Install - search snort
or: http://splunk-base.splunk.com/apps/22369/splunk-for-snort-splunk-4x
After install, go to snort for splunk to view
Thanks for reading
Security Research
All my Lab:
Linux Lab -- window and Cisco Lab
to be continued - I will update more.


Popular posts from this blog

Python - Multithread to read one file

Install Xposed Inspector and Frida on Genymotion

OpenCA tutorial