We have developed a Splunk network security app available at https://splunkbase.splunk.com/app/3603
It receives events generated by the MetaFlows sensors and breaks them down by the following types:
- Multisession Analysis
- High Priority Events
- IDS Events
- Network Logs (3rd party logs sent to the sensors)
- File Transmission Analysis
- User Discovery
- Service Discovery
- Host Discovery
- Mac Discovery
- Suspicious URL Transmission Analysis
- IPS Notifications
- User Rankings
From the app you can either drill down within Splunk itself or jump to the MetaFlows console to gather more forensic information, such as packet payloads.
You can install the app with the Splunk application management tools. To send events to Splunk you need to add a configuration line to the /nsm/etc/mss.sh startup script on your sensors. The sensors send SSL-encrypted syslog messages to the MetaFlows Splunk App over TCP port 3015, so please make sure your sensor can communicate on this port.
It is an early beta version; please let us know how you like it.
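The announcement asks you to confirm that a sensor can reach Splunk on TCP port 3015 before enabling the syslog feed. The script below is an added example for that check, not MetaFlows or Splunk code: it tries a plain TCP connect from the sensor and, if the openssl CLI is present, a TLS handshake against the same port. The hostname in SPLUNK_HOST is a placeholder you replace with your own Splunk server; the port comes from the announcement.

```shell
#!/usr/bin/env bash
# Added example (not MetaFlows or Splunk code): run on a sensor to verify it can
# reach the Splunk host on TCP 3015, the port the MetaFlows Splunk App listens on
# for SSL-encrypted syslog. SPLUNK_HOST is a placeholder; SPLUNK_PORT is from the
# announcement. Exit codes: 0 reachable, 1 not reachable, 2 bad input, 3 no openssl.

SPLUNK_HOST="${SPLUNK_HOST:-splunk.example.internal}"   # placeholder, replace
SPLUNK_PORT="${SPLUNK_PORT:-3015}"                       # port from the announcement
TIMEOUT_SECS="${TIMEOUT_SECS:-5}"

# check_tcp HOST PORT -> 0 if a TCP connection opens, 1 if not, 2 on a bad port.
# Uses bash's /dev/tcp pseudo-device so it works without nc or nmap installed.
check_tcp() {
  host="$1"; port="$2"
  case "$port" in
    ''|*[!0-9]*) echo "check_tcp: invalid port '$port'" >&2; return 2 ;;
  esac
  if timeout "$TIMEOUT_SECS" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
    return 0
  fi
  return 1
}

# check_tls HOST PORT -> 0 if an SSL/TLS handshake completes (openssl exit status),
# non-zero otherwise; 3 if the openssl CLI is not installed. Prints the
# "Verify return code" line so the operator can see whether the certificate
# presented by the Splunk host chains to a trusted CA.
check_tls() {
  host="$1"; port="$2"
  command -v openssl >/dev/null 2>&1 || return 3
  out=$(echo | timeout "$TIMEOUT_SECS" openssl s_client -connect "$host:$port" 2>/dev/null)
  rc=$?
  printf '%s\n' "$out" | grep 'Verify return code' || true
  return $rc
}

main() {
  if check_tcp "$SPLUNK_HOST" "$SPLUNK_PORT"; then
    echo "TCP $SPLUNK_HOST:$SPLUNK_PORT reachable"
  else
    echo "TCP $SPLUNK_HOST:$SPLUNK_PORT NOT reachable (check firewalls and routing)" >&2
    return 1
  fi
  check_tls "$SPLUNK_HOST" "$SPLUNK_PORT"
  case $? in
    0) echo "TLS handshake completed" ;;
    3) echo "openssl not installed, TLS handshake not tested" ;;
    *) echo "TCP port open but TLS handshake failed (is the app's SSL input enabled?)" >&2; return 1 ;;
  esac
}

# Only run the checks when invoked explicitly, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it on the sensor as `SPLUNK_HOST=your-splunk-host ./check_splunk_3015.sh --run`. A closed port, a firewall rule between the sensor and Splunk, or a TCP input on 3015 that is listening without SSL all show up as distinct messages, which is usually enough to tell a networking problem apart from a misconfigured input.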
Please see more details at https://docs.metaflows.com/Log_Management#Splunk_App
The MetaFlows Team.