Using an MSSP? Want your Splunk Server to send them data?

One of our sales reps, Jon Hart (who’s a real security log analysis vet), told me he’s had a lot of customers ask him about using Splunk along with an MSSP service. He asked me to do a quick post about it.

MSSP stands for Managed Security Service Provider. MSSPs outsource your security monitoring function. They usually do this by placing a box onsite in your datacenter. You send it security-relevant logs in real time, usually via syslog. These logs are filtered by the box down to a subset that are relevant to alerting on network intrusions and other security incidents, which are then sent over a VPN to the MSSP. The MSSPs staff security operations centers (SOCs) 24/7 to look at alerts from all of their customers and decide which ones need immediate action.

What MSSPs don’t do is capture 100% of your log data for long term retention, forensics, and reporting – they can’t, since it would be impractical to send that much data over the network from your datacenter to theirs.

You still need to look at your log data yourself everyday for routine troubleshooting, security investigations, electronic discovery requests, etc. – that’s where Splunk comes in. Splunk also gives you real-time distributed input from logfiles, which can be used to capture non-syslog datasources and send them to the MSSP box to be included in their security monitoring.

The trick is to hijack Splunk-2-Splunk data forwarding, which by default sends data from one Splunk Server to other Splunk Servers. You can send it to any host and port, including your MSSP’s onsite box that’s already listening for syslog.

We just put up a documentation topic describing how to do this: How to forward data to non-Splunk systems.

Posted by