Using an MSSP? Want your Splunk Server to send them data?

One of our sales reps, Jon Hart (who’s a real security log analysis vet), told me he’s had a lot of customers ask him about using Splunk along with an MSSP service. He asked me to do a quick post about it.

MSSP stands for Managed Security Service Provider. MSSPs outsource your security monitoring function. They usually do this by placing a box onsite in your datacenter. You send it security-relevant logs in real time, usually via syslog. The box filters these logs down to the subset relevant to alerting on network intrusions and other security incidents, which is then sent over a VPN to the MSSP. MSSPs staff security operations centers (SOCs) 24/7 to look at alerts from all of their customers and decide which ones need immediate action.

What MSSPs don’t do is capture 100% of your log data for long-term retention, forensics, and reporting - they can’t, since it would be impractical to send that much data over the network from your datacenter to theirs.

You still need to look at your log data yourself every day for routine troubleshooting, security investigations, electronic discovery requests, etc. - that’s where Splunk comes in. Splunk also gives you real-time distributed input from log files, which can be used to capture non-syslog data sources and send them to the MSSP box to be included in their security monitoring.

The trick is to hijack Splunk-2-Splunk data forwarding, which by default sends data from one Splunk Server to other Splunk Servers. You can send it to any host and port, including your MSSP’s onsite box that’s already listening for syslog.

We just put up a documentation topic describing how to do this: How to forward data to non-Splunk systems.
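The routing described above, written out as an added configuration example (mine, not the post’s or the linked documentation topic’s): only the named sources are forwarded uncooked to the MSSP box, while everything keeps indexing locally so the MSSP copy is never the only copy. The address 10.0.0.5:514, the log paths and the group names are assumed placeholders.

```ini
# outputs.conf (on the Splunk server)
# No defaultGroup: nothing is forwarded unless a transform routes it.
# indexAndForward keeps a full local copy for retention and forensics.
[tcpout]
indexAndForward = true

# Raw TCP to the MSSP appliance's syslog listener (assumed 10.0.0.5:514).
# sendCookedData = false strips Splunk-to-Splunk framing, so the receiver
# gets one plain event line per record instead of Splunk's cooked stream.
[tcpout:mssp_raw]
server = 10.0.0.5:514
sendCookedData = false

# props.conf: pick the security-relevant inputs (assumed paths).
# Non-syslog sources read by Splunk's file input can be listed here too.
[source::/var/log/auth.log]
TRANSFORMS-mssp = route_to_mssp

[source::/var/log/secure]
TRANSFORMS-mssp = route_to_mssp

# transforms.conf: match every event from those sources and steer it to
# the mssp_raw output group; local indexing is unaffected.
[route_to_mssp]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = mssp_raw
```

Restart splunkd after editing; `splunk list forward-server` should then show the MSSP box as an active forward target, and a packet capture on the appliance side confirms the events arrive as plain text rather than cooked data.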

6 Responses to “Using an MSSP? Want your Splunk Server to send them data?”

  1. Bettie Rocha Says:

    The text at the bottom of your post “How to forward data to non-Splunk systems.” doesn’t appear in my browsers as a URL. Would you please fix that?

  2. werutzb Says:

    Hi!

    I want to improve my SQL experience.
    I read so many SQL books and would like to
    read more about SQL for my work as a db2 database manager.

    What can you recommend?

    Thanks,
    Werutz

  3. порно Says:

    Really cool place, I liked it here, honestly…
    So much entertaining and educational stuff, I’ll stick around here for a long time.

  4. wocionsuctign Says:

    Today is a good day :)
    The interesting name of a site - blogs.splunk.com
    I looked around the network for 5 hours today,
    so I found your site :)
    The site is interesting but lacks several sections!
    However, this section is very necessary!
    I shall definitely recommend your site to my friends!
    Forgive me, I am drunk :))

  5. Drieliart Says:

    There was this guy see.
    He wasn’t very bright and he reached his adult life without ever having learned “the facts”.
    Somehow, it gets to be his wedding day.
    While he is walking down the aisle, his father tugs his sleeve and says,

    “Son, when you get to the hotel room…Call me”

    Hours later he gets to the hotel room with his beautiful blushing bride and he calls his father,

    “Dad, we are at the hotel, what do I do?”

    “O.K. Son, listen up, take off your clothes and get in the bed, then she should take off her clothes and get in the bed, if not help her. Then either way, ah, call me”

    A few moments later…

    “Dad we took off our clothes and we are in the bed, what do I do?”

    “O.K. Son, listen up. Move real close to her and she should move real close to you, and then… Ah, call me.”

    A few moments later…

    “DAD! WE TOOK OFF OUR CLOTHES, GOT IN THE BED AND MOVED REAL CLOSE, WHAT DO I DO???”

    “O.K. Son, Listen up, this is the most important part. Stick the long part of your body into the place where she goes to the bathroom.”

    A few moments later…

    “Dad, I’ve got my foot in the toilet, what do I do?”

  6. Sleewastult Says:

    Test message
    Sorry, I’m a noob…
