Distributed SO - Zeek forwarding from SO to Splunk recommendations? #10775
Replies: 1 comment
-
So I'm currently working with a Distributed deployment with a manager, a search node and 5 sensors. The only thing is that Elastic is on a go-slow (only so much hardware the higher-ups can allocate to SO at the moment); however, we have an existing Splunk instance running with a LOT of hardware. All I want is to send the Zeek logs from SO to my Splunk server (I don't have permission to set up a separate Zeek server, so I've got to use SO's).
Now transforms and mutation I can sort myself, but has anyone got any ideas for the best approach to forwarding the Zeek logs to the Splunk instance? (For context, the search node and manager are on the same "tooling" subnet as Splunk.) All other aspects and services of SO like PCAPs, Hunt, Grafana, Docker and Wazuh work fine; it's only the SIEM that's slow at the moment.
I searched already and found this discussion:
#10536
but would still like to know if any SO or Splunk gurus have a better alternative before I amend some pipelines.
-
You can certainly use Logstash to forward to Splunk; you can also use a Splunk Universal Forwarder on the sensors to send the logs to Splunk.
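The Universal Forwarder option from the reply above, written out as an added example (this is not configuration from the thread or from the Security Onion project). It assumes the Security Onion 2.x layout in which the live JSON Zeek logs sit under /nsm/zeek/logs/current/ on each sensor, a Splunk receiving port of 9997 on a host called splunk.tooling.example, and a single sourcetype named zeek:json; all three are assumptions to check against the actual sensor and the TA installed on the Splunk side.

```ini
# --- /opt/splunkforwarder/etc/system/local/inputs.conf (on each sensor) ---
# Assumed path: Security Onion 2.x writes the live Zeek logs, in JSON, to
# /nsm/zeek/logs/current/. Verify on the sensor before enabling this stanza.
[monitor:///nsm/zeek/logs/current/*.log]
disabled = false
index = zeek
# Assumed sourcetype name. The Splunk Add-on for Zeek expects its own
# per-log sourcetypes, so match whatever TA is installed on the Splunk side.
sourcetype = zeek:json
# Zeek rotates and compresses files out of current/: skip any archived copy
# that appears there, and salt the CRC with the file name so that a freshly
# rotated conn.log is not mistaken for one that was already read.
blacklist = \.gz$
crcSalt = <SOURCE>

# --- /opt/splunkforwarder/etc/system/local/outputs.conf (on each sensor) ---
[tcpout]
defaultGroup = so_to_splunk

[tcpout:so_to_splunk]
# Assumed receiver: the Splunk indexer's receiving port on the tooling subnet.
server = splunk.tooling.example:9997
```

Two things to check before committing to this route. First, the post says only the manager and search node share the tooling subnet with Splunk, so each sensor needs a network path to port 9997 that may not exist yet; the Logstash alternative from the reply runs on the manager, which already sits next to Splunk and already receives every sensor's Zeek logs, so it avoids opening one new path per sensor. Second, the forwarder reads the same files Zeek is writing for Security Onion's own pipeline, so a misconfigured monitor stanza cannot break the existing Elastic ingest, but a host that is already short on hardware gains one more process tailing every log; keep the `blacklist` so the forwarder does not also chew through the rotated archives.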