Snare
You can set up Splunk to search your Windows event logs in about 15 minutes.
- First, download Snare Agent from InterSect Alliance and follow the installation instructions.
- Once Snare has been installed, open it and select the menu option Setup -> Audit.
- Enter the IP address of your Splunk host as the Snare Server IP. This tells Snare to send events to your Splunk host.
- Check the Enable Syslog Header option. This will hardwire your Snare port number to 514.
- Choose a Facility setting. Any one will work, but you may want to choose one that doesn't conflict with your existing syslog facilities.
- Choose a Priority. If you're not sure which to select, choose Information for now.
- Click Add an Objective. A dialog box will appear.
- Under Identify the high level event to be audited, select Any event(s) to capture all events.
- Check all the checkboxes under Select the Event Type to Capture and Select the Event Logs to Capture From. This will log all available events to your Splunk host. You can always turn some off later.
- Click OK on the Create Objective window.
- Click OK on the Audit Configuration window. A dialog will pop up warning you that 'Many Syslog servers are not designed to cope with the volume of information that can be generated by Snare agents.'
- Click OK. Splunk can handle it!
- Select the menu option Activity -> Apply and Restart Audit.
Snare will now begin sending events to port 514 on your Splunk host via UDP.
Loading Snare Data into Splunk
There are a few different ways to get your Snare logs into Splunk. We recommend a FIFO as the fastest and most dynamic method. Use Splunk's syslogFIFO input module to load the events.
By default your Windows logs will be combined with other syslog events on your Splunk host. You can send the Windows event logs to Splunk through the same FIFO as your syslog events. However, Splunk also ships a custom typer for Snare data that extracts tags directly from the Microsoft event log fields. To have Splunk apply this custom typer, you must send your Windows event logs to Splunk through a separate FIFO.
How you configure your FIFO depends on whether you are using syslog or syslog-ng.
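The separation described above works because every Snare event carries the Facility you selected in Setup -> Audit, and that Facility is the only thing the syslog daemon has to route on. The following Python listener is an added example, not part of the Splunk documentation or of Snare: it receives UDP syslog on port 514, decodes the RFC 3164 <PRI> header into facility and severity, and decides which FIFO an event belongs in. The facility name `local5`, the FIFO paths, and the assumption that a Snare Windows event contains the literal marker `MSWinEventLog` are all choices made for this example. Events that arrive on the Snare facility but lack that marker are reported as a facility conflict, which is the situation the Facility step above tells you to avoid; since UDP syslog carries no authentication, the listener also keeps the source address of every datagram it routes.

```python
import re
import socket
from dataclasses import dataclass

# RFC 3164 facility and severity code tables, used to decode the <PRI> header.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumptions for this example: the Facility chosen in Snare, and the two FIFO
# paths Splunk's syslogFIFO input reads from (one for Snare, one for the rest).
SNARE_FACILITY = "local5"
SNARE_FIFO = "/var/run/splunk/snare.fifo"
SYSLOG_FIFO = "/var/run/splunk/syslog.fifo"
SNARE_MARKER = "MSWinEventLog"  # assumed marker present in Snare Windows events

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    body: str


def parse_pri(message: str) -> SyslogEvent:
    """Split a BSD-syslog datagram into facility, severity and the remaining text."""
    m = PRI_RE.match(message)
    if not m:
        # Snare only adds <PRI> when 'Enable Syslog Header' is checked.
        raise ValueError("missing <PRI> header; check 'Enable Syslog Header' in Snare")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 severities is the largest legal value
        raise ValueError(f"PRI value {pri} is out of range")
    return SyslogEvent(FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2))


def classify(event: SyslogEvent, snare_facility: str = SNARE_FACILITY) -> str:
    """Return 'snare', 'syslog', or 'conflict' for an event.

    'conflict' means something other than Snare is using the Snare facility,
    so the two streams can no longer be separated by facility alone.
    """
    if event.facility != snare_facility:
        return "syslog"
    if SNARE_MARKER in event.body:
        return "snare"
    return "conflict"


def route(event: SyslogEvent, snare_facility: str = SNARE_FACILITY) -> str:
    """Map an event to the FIFO it should be written to."""
    return SNARE_FIFO if classify(event, snare_facility) == "snare" else SYSLOG_FIFO


def listen(port: int = 514, snare_facility: str = SNARE_FACILITY) -> None:
    """Receive UDP syslog and append each datagram to the FIFO chosen by route().

    Binding port 514 needs root; the FIFOs must already exist and have a reader
    (Splunk's syslogFIFO input), otherwise open() blocks.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (src_ip, _) = sock.recvfrom(65535)
        message = data.decode("utf-8", errors="replace")
        try:
            event = parse_pri(message)
        except ValueError as exc:
            print(f"dropped datagram from {src_ip}: {exc}")
            continue
        if classify(event, snare_facility) == "conflict":
            print(f"facility conflict from {src_ip}: non-Snare event on {snare_facility}")
        with open(route(event, snare_facility), "a") as fifo:
            fifo.write(f"{src_ip} {message.rstrip()}\n")


# Constructed sample datagrams (not captured traffic). 174 = local5 (21*8) + info (6);
# 38 = auth (4*8) + info (6).
SAMPLES = [
    "<174>Feb 10 12:00:01 WINHOST MSWinEventLog\t1\tSecurity\t42\tSun Feb 10 12:00:01 2008\t4624\t"
    "Microsoft-Windows-Security-Auditing\tEXAMPLE\\alice\tUser\tSuccess Audit\tWINHOST\tLogon\tAn account was successfully logged on.",
    "<38>Feb 10 12:00:02 lnxhost sshd[1234]: Accepted publickey for bob from 192.0.2.10 port 51000",
    "<174>Feb 10 12:00:03 lnxhost backup[77]: nightly job finished",
]


def demo() -> list:
    """Classify the constructed samples; returns the list of classifications."""
    return [classify(parse_pri(s)) for s in SAMPLES]


if __name__ == "__main__":
    for sample, kind in zip(SAMPLES, demo()):
        print(f"{kind:9s} -> {route(parse_pri(sample))}: {sample[:60]}")
```

The third sample shows why the Facility step matters: a Linux daemon configured to log on the same facility as Snare would land in the Windows FIFO and be handed to the Snare custom typer unless the receiver checks for more than the facility.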
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6.