Implementing Splunk

This page outlines the implementation of Splunk. The lab is [here]. The following outlines some of the issues that you may find, including making sure your networks are connected correctly. The architecture used within the lab is [allocation].

Checking network connections

The WAN network connects to VLAN 200, Private connects to VLAN 201 and DMZ connects to VLAN 202. Make sure (using the Edit Settings option on the VM) that Ubuntu connects to VLAN 201, and that Windows 2003 and Windows 2008 connect to VLAN 202.

Setting up the forwarder

Make sure you have set up your Splunk forwarder correctly by selecting the "Customize Options" option, and then giving the correct Snort location for the IDS alerts. If you are not receiving your logs in Splunk, try re-installing the forwarder and check the options.

Making sure Snort is storing to alert.ids

Make sure you know where Snort is logging its alerts to. Look for alert.ids and check that it is filling with the alerts that you are generating.

Snort crashes on IPv6 packet

In logging mode, Snort will crash if it tries to save a packet to a file named after an IPv6 address, as the file name it creates in logging mode has a ":" symbol in it. To fix this, remove the logging mode; Snort will then not save the packets and will save only to the log\alert.ids file:

    snort -dev -i 1 -p -K ascii -c c:\Snort\rules\rule.rules

Powering off

Remember to power off your VMs when complete. The Windows servers should retain their static IP addresses. For Ubuntu, the main instance is set for DHCP. If you want a static IP address on your Ubuntu machine, edit your /etc/network/interfaces file (where your network is 192.168.x.0):

    auto eth0
    iface eth0 inet static
    address 192.168.x.7
    netmask 255.255.255.0
    network 192.168.x.0
    broadcast 192.168.x.255
    gateway 192.168.x.254
    dns-nameservers 10.200.0.1
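As an added check for the "Making sure Snort is storing to alert.ids" step (example code written for this page, not part of the lab), the script below parses Snort's full-format alert output, confirms the file is filling, counts what is firing, and flags alerts with IPv6 endpoints, the packets whose ":" causes the logging-mode crash described above. The sample text is constructed; the signature ids, messages and addresses are made up, and the alert.ids path is assumed.

```python
import re
from collections import Counter

# Constructed sample in the Snort "full" alert layout found in alert.ids.
# Not captured from the lab: signature ids, messages and addresses are made up.
SAMPLE_ALERT_IDS = """\
[**] [1:1000001:1] LAB ICMP ping detected [**]
[Classification: Misc activity] [Priority: 3]
05/12-10:15:22.123456 192.168.1.5 -> 192.168.1.7
ICMP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:84

[**] [1:1000003:1] LAB TCP connect to web server [**]
[Classification: Misc activity] [Priority: 3]
05/12-10:15:23.123456 192.168.1.5:50123 -> 192.168.1.7:80
TCP TTL:64 TOS:0x0 ID:1235 IpLen:20 DgmLen:60 DF

[**] [1:1000002:1] LAB IPv6 neighbour solicitation [**]
[Classification: Misc activity] [Priority: 3]
05/12-10:15:24.123456 fe80::1 -> ff02::1:ff00:7
ICMPV6 TTL:255 TOS:0x0 ID:0 IpLen:40 DgmLen:32
"""
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] (.*?) \[\*\*\]$")
FLOW_RE = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+ (\S+) -> (\S+)$")

def parse_alert_ids(text):
    """Split Snort full-format alert text into dicts with sid, msg, src, dst."""
    alerts, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"sid": m.group(1), "msg": m.group(2), "src": "", "dst": ""}
            alerts.append(current)
        elif current is not None and (m := FLOW_RE.match(line)):
            current["src"], current["dst"] = m.group(1), m.group(2)
    return alerts

def is_ipv6(endpoint):
    """IPv4 endpoints carry at most one ':' (the port); IPv6 always has two or more."""
    return endpoint.count(":") >= 2

def check_alert_ids(text):
    """Report whether the file is filling, which signatures fire, and how many
    alerts involve IPv6 endpoints (the packets whose ':' trips the logging-mode crash)."""
    alerts = parse_alert_ids(text)
    return {
        "total": len(alerts),
        "by_signature": Counter(a["msg"] for a in alerts),
        "ipv6_alerts": sum(1 for a in alerts if is_ipv6(a["src"]) or is_ipv6(a["dst"])),
    }
```

On the sensor, pass the contents of the real file instead of the sample, for example `check_alert_ids(open(r"C:\Snort\log\alert.ids").read())` (path assumed; use the location your forwarder was pointed at).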