icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Log4Shell Vulnerability: Information and guidance for you. Get resources.

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Security Onion App for Splunk software
SHA256 checksum (security-onion-app-for-splunk-software_20.tgz) 422177be86dce84e5fee92140b086f366e8a06aa7eb63e07f169d3938027fa40 SHA256 checksum (security-onion-app-for-splunk-software_117.tgz) 8a071fb3b85e02e277fcc0d27d5d6b07d80a4cc4d8dd7bb34cc89dae36720047 SHA256 checksum (security-onion-app-for-splunk-software_116.tgz) abf009904b0b6b104bf4e13c58d7607016052af2765af950e2367847bfcaac6c SHA256 checksum (security-onion-app-for-splunk-software_115.tgz) ba3a7eaaa7ee67c3f9552ab10f10d1441c0e89f669818bb7e506c82cedb863db SHA256 checksum (security-onion-app-for-splunk-software_114.tgz) 2d1c869c2ae69f8d73c0c4b51e4fcb0208ca646ed94473f3f14aed067542afec SHA256 checksum (security-onion-app-for-splunk-software_113.tgz) 62e4ddd270e6af66e05420391d063516d0c15f266c00a9e57497906c195e8b6c SHA256 checksum (security-onion-app-for-splunk-software_112.tgz) 1ec11962d56be2967a18a0eed9830de7c6128aa1aa9ea0ceca3bd55c7b0d000e SHA256 checksum (security-onion-app-for-splunk-software_111.tgz) 75abeade1b50b041b3b9cefe1356bf0bbcfc60b0bda597521c18f64f2b39d620 SHA256 checksum (security-onion-app-for-splunk-software_11.tgz) a33f8455d27cdd439926a34668a55068a9d8872b0a5631929354b525b4ab5f51 SHA256 checksum (security-onion-app-for-splunk-software_10.tgz) 0bfbb4288d691de1ebbb297f8d7bdb57e2a1bcd862121b17521eb63e94cd2fb8 SHA256 checksum (security-onion-app-for-splunk-software_09.tgz) d06a455ef64a64c57f9dd3c3f03445d1ecbc58354bd935a3b56e706069cc9ff6 SHA256 checksum (security-onion-app-for-splunk-software_08.tgz) b2899a7f12849dd73db6c1fd1270a1a3b820dce66219bc086eaa2dcab8b14fb1 SHA256 checksum (security-onion-app-for-splunk-software_07.tgz) 061952da1109290236852c898ca5c15acadc586de7bf04427007d920e476184a SHA256 checksum (security-onion-app-for-splunk-software_06.tgz) b3d0b69c1e546e484c496122d94e518e78443618c959c86ae8283581a9763295 SHA256 checksum (security-onion-app-for-splunk-software_05.tgz) 4a063212cbe3410dcf7bcbf76bdd8d1e51c6d4226b90e40fd26f55fc5f56ff30
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


Security Onion App for Splunk software

This app has been archived. Learn more about app archiving.
This app is NOT supported by Splunk. Please read about what that means for you here.
Security Onion (http://securityonion.blogspot.com/) is a Linux distribution for intrusion detection and network security monitoring. Security Onion App for Splunk software is designed to run on a Security Onion server, providing an alternative method for correlating events and incorporating field extractions and reporting for Sguil, Bro IDS and OSSEC.

Security Onion:

Security Onion (http://securityonion.blogspot.com/) is a Linux distribution for intrusion detection and network security monitoring. Security Onion for Splunk is designed to run on a Security Onion server, providing an alternative method for correlating events and incorporating field extractions and reporting for Sguil, Bro IDS and OSSEC. (For a detailed description of the application with screenshots: http://eyeis.net/2012/04/splunking-the-onion/.)


Splunk for Security Onion provides several dashboards and search interfaces for correlating Sguil, OSSEC and Bro IDS log events.

Required Splunk Apps:


A Security Onion server and a Splunk 5.x installation. (Note: when installing Splunk on a Security Onion system there will likely be a port conflict for the Splunk web server. Port 81 as an alternate port should be a safe alternative.)

Setup Splunk:

Download from www.splunk.com. Install via terminal command:
sudo dpkg -i splunk-5.*.deb

When install completes, we need to start Splunk for the first time:
cd /opt/splunk/bin
sudo ./splunk start

After accepting the agreement, you'll have to pick an alternate port for the Splunk web interface since the default is in use. You'll see the following and when prompted to change, choose yes, then specify port 81:

Checking prerequisites...  
Checking http port [8000](http://splunkbase.splunk.com/wiki/8000): already bound  
ERROR: The http port [8000](http://splunkbase.splunk.com/wiki/8000) is already bound. Splunk needs to use this port.  
Would you like to change ports? [y/n](http://splunkbase.splunk.com/wiki/y:n): y  
Enter a new http port: 81  
Setting http to port: 81  
Checking http port [81](http://splunkbase.splunk.com/wiki/81): open  
Checking mgmt port [8089](http://splunkbase.splunk.com/wiki/8089): open  
Checking configuration... Done.

Splunk's built-in way to run at boot time is (as root): $SPLUNK_HOME/bin/splunk enable boot-start with an optional user=foo at the end to run as a certain user. It installs proper boot scripts for your OS so you don't need to worry about editing /etc/rc.* files:
/opt/splunk/bin/splunk enable boot-start

Install Required Splunkbase Apps:

Open Firefox and browse to http://localhost:81 (or if you used an alternate port change accordingly). Change your password, then click App > Find More Apps from the menu in the upper right corner. Find the following apps and install them.

  • Install Splunk for OSSEC - Splunk v4 version
  • Install Geo Location Lookup Script (powered by MAXMIND)
  • Install Google MapsInstall Splunk Visualizations
  • Install Sideview Utils
  • Install Security Onion for Splunk

Configure Bro IDS Inputs:

Depending on how much traffic your sensor monitors, you may need to leave some of the Bro inputs disabled to avoid maxing out your license. The following are the sourcetypes configured for each Bro IDS log data input:

  • bro_communication - Bro sensor communications
  • bro_conn - Connections
  • bro_dns - DNS requests
  • bro_dpd - Dynamic Protocol Detection
  • bro_ftp - FTP activity
  • bro_http - HTTP traffic
  • bro_irc - IRC activity
  • bro_known_certs - Certificates seen
  • bro_known_hosts - Hosts seen
  • bro_known_services - Services detected
  • bro_notice - You definitely want this one enabled
  • bro_smtp - SMTP activity
  • bro_smtp_entities - SMTP
  • bro_software - Software versions detected (incl. vulnerable versions)
  • bro_ssh - SSH activity
  • bro_ssl - SSL activity
  • bro_syslog - Syslog activity
  • bro_weird - Anomalous events

Using Splunk for Security Onion:

I've standardized the source and destination IP fields in the Bro IDS and Sguil log field extractions so "src_ip" and "dest_ip" are consistent across events.

Log file data inputs are file specific (as opposed to monitoring the entire /nsm/bro/logs/current/ directory) primarily for granular control over what gets splunked. Depending on your licensing you may need to scale back certain logs and this provides an easy way to do so.

SOstat Monitoring:

The SOstat monitoring scripts are configured to run at various intervals (in seconds). The default settings are very conservative,
executing most scripts once a day and status scripts 3 times a day. The default configuration is:

Sourcetype - Script - Interval (seconds)

  • sostat_disk - /opt/splunk/etc/apps/securityonion/bin/disk.sh - 86400
  • sostat_ifconfig - /opt/splunk/etc/apps/securityonion/bin/ifconfig.sh - 86400
  • sostat_nsm_log_archive - /opt/splunk/etc/apps/securityonion/bin/nsm_log_archive.sh - 86400
  • sostat_nsm_sensor_ps-status - /opt/splunk/etc/apps/securityonion/bin/nsm_sensor_ps-status.sh - 21600
  • sostat_nsm_server_ps-status - /opt/splunk/etc/apps/securityonion/bin/nsm_server_ps-status.sh - 21600
  • sostat_nsm_sguil_uncategorized - /opt/splunk/etc/apps/securityonion/bin/nsm_sguil_uncategorized.sh - 86400
  • sostat_top - /opt/splunk/etc/apps/securityonion/bin/top.sh - 21600

The default settings can be modified via Splunk Manager > Data Inputs > Scripts. Click on the script name in the "Command" column to increase/decrease the interval. You can also disable/enable scripts.

Comments or Questions:

For comments, suggestions or questions, feel free to drop me an e-mail: brad@eyeis.net

Hope you enjoy the app!

Brad Shoop

Release Notes

Version 2.0
Jan. 1, 2013

IMPORTANT - Security Onion for Splunk 2.0 supports the latest release of Security Onion 12.04. If you are running the older version, Security Onion 10.04, please continue to use version 1.1.7.

Sideview Utils is now a required app, available from Splunkbase.

2.0 contains updated log sources and field extractions for Security Onion 12.04, includes several updated/enhanced dashboards including Overview, IR Search and SOstat, and introduces the new dashboard "Bro(wser)" for reviewing Bro IDS logs.

Version 1.1.7
Sept. 14, 2012

1.1.7 - Tweaked Sguil indexing to prevent Bro URL data from being duplicated into Splunk via sguild.log. - Monitors dashboard field name drop down selections added to all panels. - General Mining dashboard added panels for Bro SSH logs and Bro HTTP TLDs (top level domains). Also added drop down options for Bro FTP and IRC panels. - Squil Mining has been updated and improved. - Syslog Mining dashboard added for Bro Syslog. - An Event Workflow was added for searching Splunk for events by src_ip.…and last but not least: - CIF Dashboards! See README for details on how to configure CIF integration.

Version 1.1.6
Aug. 24, 2012

1.1.6 - Sguil mining - added ability to drilldown on source or destinations to timechart of activty by sourcetype for selected IP.

Version 1.1.5
Aug. 24, 2012

1.1.5 - Performance improvements on several dashboards and fixed a bug in Sguil mining.

Version 1.1.4
Aug. 4, 2012

1.1.4 - Minor bug fix to IDS rule reference full document lookup.

Version 1.1.3
July 21, 2012

1.1.3 - Added SOstat IDS Rules: indexes /etc/nsm/rules/*.rules and provides an easy to use interface for referencing rules for tuning. Sort by classtype, category, enabled status, and/or rule source and drilldown on a rule to see it's activity history and the full rule entry complete with Splunk event workflow lookups by BugtraqID, CVE ID and URL.

  • Added VRT reference workflow lookup. For Sguil events with a sig_id, you can now use the Events view workflow menu to view the Snort signature reference document in a new window, when available.

  • Added SOstat ability to sort by sensor to provide
    better monitoring of a distributed deployment.

See README and http://eyeis.net/2012/07/security-onion-for-splunk-1-1-3-ids-rule-reference/ for full details.

Version 1.1.2
July 8, 2012

Workflow field and event search items added for CIF, DShield and Robtex. Most panel
drilldowns have been changed from table views to event listing views. The primary reason
(while less aesthetic) is accessibility to the workflow queries, which will allow you to
efficiently query domains, IPs, and hashes without disrupting your workflow and visiblity
(i.e., results spawn in new windows/tabs).

Version 1.1.1
June 22, 2012

1.1.1 - Minor update to get src_ip into Known Knowns and fix a typo. Also tweaked sguild inputs to better support non-standard timezone setting environments.

Version 1.1
June 19, 2012


I've added an input for Bro's capture_loss.log which now displays on the SOstat Security Onion monitor in a time chart paired with Snort packet loss. To enable this log in Bro edit:
and add the following:
@load misc/capture-loss
You'll have to check and install Bro for the change to get loaded.
sudo broctl
and you're done. It takes a few before the first logged event will show so give it a bit before you worry if it's working.

I also tweaked the sguild inputs to exclude "{URL" events. This data is already being consumed via bro_http so it should cut down on the licensing volume.

Monitors Dashboard
- Returned misc-activity to the Sguil panel.
- Added date/time and raw event to drill down display for the FTP Args panel.

- A drop down list has been added to GeoIP allowing you to search GeoIP by sourcetype which should reduce query times for more targeted views. The map also now includes drill down capabilities with results appearing below the map when selected.

- Added drill down to the time chart panels for HTTP and SMTP mining
- Added a PADS dashboard (similar to HTTP and SMTP mining) searchable by Name, Classification, Source IP, Source Port, Destination IP, Destination Port, Protocol, and Severity.
- Added a Known Knowns dashboard. Includes: Known Services; Known Software searchable by Name and Type; and Known Certs searchable by Country, Common Name, Certificate Issuer Subject, Location, Organization, Organizational Unit, Port Number, State, and Certificate Subject.

- Created an event type for PADS in addition to the PADS Mining dashboard.

- Updated SOstat SO to include Bro capture loss in addition to Snort packet loss.

Version 1.0
May 24, 2012
Version 0.9
May 10, 2012

Bro's http.log will be using a log file per interface in mutli-interface sensors. This update adds a data input to capture them.

Version 0.8
April 27, 2012

Added CIF (Collective Intelligence Framework: http://code.google.com/p/collective-intelligence-framework/) query capability to the field and event menus in Splunk. For the links to work you will need to update the workflow actions for your CIF server and a valid API key. Edit the workflow via Splunk Manager > Fields > Workflow action from the Security Onion app context and you should see two CIF entries.

Version 0.7
April 24, 2012

SOstat update to include folder sizes. Mining menu additions: HTTP mining and SMTP mining.

Version 0.6
April 22, 2012

Added Bro stats.log monitoring to SOstat Server/Service Status panel (sourcetype = bro_stats). Added Bro irc.log monitoring to Mining dashboard (sourcteype = bro_irc). Added Bro smtp_entities filename monitoring to Mining dashboard (sourcetype = bro_smtp_entites)

Version 0.5
April 15, 2012

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.