Blog :: Configuration

Splunk NetFlow Support: Viewing Your NetFlow in Splunk


The last time we showed you how to seamlessly integrate Splunk with Scrutinizer was all the way back in 2015. Since then, we have made quite a few changes to Scrutinizer and how our third-party integrations work.

Quick Recap On Splunk

For those of you who aren’t familiar with Splunk, it is a scalable SIEM solution. Since 2007, Splunk’s end users have been able to collect information on their network, endpoints, malware, vulnerabilities, and username-to-IP correlation.

During my time here at Plixer, I have heard many good things about Splunk and spoken with a lot of customers who enjoy using it. Sounds great, huh? Well, since we know Scrutinizer is awesome and Splunk is pretty awesome as well, we don’t want to make you choose between solutions. If you would like to explore some of what Splunk has to offer and learn more, you can follow this link.

Let’s integrate!

Teamwork makes the dream work! Once we have finished integratSplunk NetFlow support: teamwork makes the dream working our Scrutinizer-to-Splunk solution, you will be able to take an IP, username, website, port number, etc. seen in Scrutinizer and jump over to Splunk and look at the additional info Splunk has gathered. Pretty sweet, huh? So how do we get this rolling?

Before we start, I want to note that this works with versions 17 and higher of Scrutinizer. If you’re running an older version of Scrutinizer, you can follow this blog here to update. First, we need to SSH into Scrutinizer as the root user. If you have a distributed setup, I recommend doing this on your primary reporting server.

Now that you have established an SSH connection to Scrutinizer, issue the command scrut_util.exe. This will drop you into the Scrutinizer prompt.

Once you are in the prompt, the next command you will need to enter is enable splunk http://<ip:port><syslogport>. This will tell Scrutinizer where to connect to Splunk so you can quickly jump from one application to another.

Now what?

Now, you can seamlessly jump from one application to another! Now that your integration is all set, after running a report in Scrutinizer, It should look something like this:

Scrutinizer-Splunk integration

Say you have an IP address that is involved in some suspicious activity, but you aren’t sending NetFlow from all your device to Scrutinizer. You do know, however, that you have all of your devices sending flows to Splunk. Now you can select the IP in the Scrutinizer report, choose “Other Options,” and then “Splunk.” Scrutinizer will connect to your Splunk instance and search for the IP you’ve selected, dropping you into a report. There certainly is something to be said for teamwork between solutions, especially since in this day and age, most IT departments use more than one solution. If you would like to learn more about how we work with SIEM solutions, you can read about that here.

As always, if you run into any issues with your integration and would like some help, please don’t hesitate to reach out to our support team. If you don’t have Scrutinizer and would like to test out this integration, you can always give us a try as well!

Happy monitoring!