Documentation about Corelight's Splunk Apps for Zeek

Hi all,

I would like to install Corelight App For Splunk and TA for Corelight, but there is no documentation about how to accomplish it … All info points to https://www.corelight.com/support/, but there are no docs in there …

Any idea?

Hi Carlos,

As that is a Corelight offering and not something maintained by the Zeek Project or the community, we’d have to refer you to Corelight.

Let me find out who you need to talk to and I’ll make introductions.

Thanks,
~Amber

Assuming you’re doing an install on a standalone Splunk server, you can use my guide here: https://www.ericooi.com/zeekurity-zen-part-iii-how-to-send-zeek-bro-logs-to-splunk/

Thanks Eric. But I have a doubt about your setup. For inputs.conf, maybe this configuration is best?

[monitor:///opt/zeek/logs/spool/current]
disabled = 0
sourcetype = zeek:json
whitelist = .log$

instead of putting them in file by file?

Hi Carlos,

“Best” is subjective. For someone who wants all logs and a short inputs.conf file, your suggestion will work. My example is geared towards the fact that these logs are large and depending on your Splunk license and requirements, you may not actually want to ingest every single log file into your system. Ultimately, you know your environment and needs best which is why I also state in the writeup:

"An example inputs.conf is below but may or may not include the logs you wish to ingest... Modify the index and sourcetype configurations to your needs."

Hope that helps!
Eric
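As an added illustration (not from the thread or from Eric's guide), here is an inputs.conf that keeps the one-stanza convenience Carlos wants while still giving the per-log control Eric describes: the whitelist names the Zeek logs explicitly, and the one high-volume log gets its own stanza so it can be sent to a separate index or switched off without touching the rest. Note that a bare `.log$` also matches non-Zeek files that ZeekControl writes into spool/current (stdout.log, stderr.log), so anchoring the whitelist on the Zeek log names avoids ingesting those. The paths, index names and the chosen log set are assumptions; adjust them to your environment.

```ini
# Added example (not from the thread or from Eric's guide).
# Assumptions: Zeek writes JSON logs to /opt/zeek/logs/spool/current,
# the indexes "zeek" and "zeek_http" exist, and the sourcetype from the
# thread (zeek:json) is used. Change these to match your setup.

# Stanza 1: one stanza for the logs most people want, selected by name.
# whitelist is a regex matched against the full path, so anchor it on the
# file name; this deliberately excludes http.log (handled below), the
# high-volume files.log, and ZeekControl's stdout.log / stderr.log.
[monitor:///opt/zeek/logs/spool/current]
disabled = 0
index = zeek
sourcetype = zeek:json
whitelist = /(conn|dns|ssl|x509|notice|weird)\.log$

# Stanza 2: the expensive log gets its own stanza and its own index, so it
# can have a shorter retention or be disabled (disabled = 1) on its own
# without affecting the stanza above. No overlap occurs because stanza 1's
# whitelist does not match http.log.
[monitor:///opt/zeek/logs/spool/current/http.log]
disabled = 0
index = zeek_http
sourcetype = zeek:json
```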

Seconding Eric's statements: Splunk costs can get expensive extremely quickly with Zeek.

My only secondary suggestion is that you ingest individual logs to provide a bit more granularity and control. You might not wish to ingest every log due to the processing and storage costs.

In the past, I’ve tried leveraging Splunk multiple times due to my familiarity. In the end, we’ve built our stack around Elastic.

We were just spending too much time servicing the hammer, instead of building the house.

Yep, definitely agree on the granularity and control. May also help with troubleshooting to split it out like that.

And Elastic is what I’m looking into next. :stuck_out_tongue:

I agree with both of you. But this is a little lab to accomplish some tests using Splunk free version ( I don’t expect more than 500 MiB daily logs :blush:).

On the other side, Elastic is too expensive in maintenance and for me it is not an option in my case. With Splunk things just work :blush:

Cool, then that should work. Like I said, your environment and requirements will be unique, so adjust as needed. The entire guide is meant just as a way to help people get started. It’s not meant to be a one size fits all solution.

Hi Carlos,

I reached out to Corelight and below is the response:

Docs and downloads can be found here:
App - https://splunkbase.splunk.com/app/3884/
TA - https://splunkbase.splunk.com/app/3885/

At a very basic level the install guidance is this:

  • For stand-alone Splunk instances - install the Corelight App for Splunk ONLY using the Splunk Web UI
  • For distributed instances - install the Corelight App for Splunk on search head(s) using the Splunk Web UI, install the TA on indexers and/or heavy forwarders using install method of choice (cli, web ui, or deployment server)

Thanks,

~Amber

Also in the Apps that Amber pointed to in the “Details” tab, there are instructions for install/config.
Though depending on the environment, specific instructions around sourcetypes and index names will differ due to local configuration.

-s