Splunk 4.x and OPSEC

1	Is Splunk 4.x able to eat messages in OPSEC formatted style? Are we able to read it in a human readable form via Splunk Search? app-opseclealinux-splunk asked 02 Feb '10, 14:59 Simon 377●3●2●17 accept rate: 14% edited 27 Jul '10, 22:49 Lionel ♦♦ 834●1●3●13

3 Answers:

oldest newest most voted

Yes. In order to index OPSEC data you will need to have an LEA server and then configure Splunk to fetch the data from there. Instructions and binaries for enabling this can be found on in the Community Wiki. Note this solution is only supported on Linux and Solaris

link

answered 03 Feb '10, 21:04

matt ♦♦
3.5k●12●11●40
accept rate: 81%

Simon -

Have a look at the discussion page on the community wiki as well, there are some potentially helpful caveats there.

link

answered 22 Mar '10, 11:17

treyka
103●5
accept rate: 22%

Also, have a look here: http://answers.splunk.com/questions/947/splunking-my-checkpoint-firewall-logs/

(12 Apr '10, 08:43) treyka

0	Note: If you are installing it on 64-bit Debian linux you will also need the ia32 libs (run 'apt-get install ia32-libs') in addition to the other instructions. link answered 27 Jul '10, 17:36 rforsythe 11●1 accept rate: 0%

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

Asked: 02 Feb '10, 14:59

Seen: 971 times

Last updated: 27 Jul '10, 22:49

Splunk 4.x and OPSEC

Follow this question

Splunk Resources

Related questions