topic Re: Set sourcetype by source with props.conf not working in Deployment Architecture

Set sourcetype by source with props.conf not working

meatago — Sat, 03 Jul 2010 05:20:33 GMT

I'm using a lightweight forwarder installed on Ubuntu to forward snort alerts to my main splunk server.

On the main server my C:\Program Files\Splunk\etc\system\local\props.conf contains this

[source::/var/log/snort/alert.full] sourcetype = snort_alert_full

Why do all the snort alerts with source /var/log/snort/alert.full still have sourcetype 'snort' instead of 'snort_alert_full'.

Note: I'm trying to get Splunk for Snort 4.x to work. It requests all snort alerts with sourcetype 'snort_alert_full'.

Re: Set sourcetype by source with props.conf not working

Lowell — Sat, 03 Jul 2010 06:00:09 GMT

What is your configuration on the light forwarder? I think in newer Splunk version (4.0+) sourcetype can be specified on the lightweight forwarder. (Someone correct me if I'm wrong about this..... this is why I gave up on lightweight forwarders.)

Also, some of this may be helpful: What’s the best way to track down props.conf problems?

BTW, posting your inputs.conf and props.conf on the forwarder would be helpful. (You can add it to your question using the "edit" link.)

Re: Set sourcetype by source with props.conf not working

gkanapathy — Sat, 03 Jul 2010 07:32:47 GMT

Sourcetype is set in the input phase, i.e., in this case on the LWF, not on the indexer.

Please see: http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F for more detail.

Re: Set sourcetype by source with props.conf not working

broller25 — Sat, 10 Jul 2010 04:58:46 GMT

The sourcetype might be getting set elsewhere in a file/location that takes precedence. If it were me, I'd:

find /opt/splunk/etc -name "*.conf" -exec grep -l snort {} \;

to look for possible candidates.

Re: Set sourcetype by source with props.conf not working

meatago — Sat, 10 Jul 2010 06:42:13 GMT

thanks this helped alot

Re: Set sourcetype by source with props.conf not working

Ayn — Mon, 09 Aug 2010 12:42:39 GMT

The Splunk for Snort app renames the sourcetype, so "snort_alert_fast" and "snort_alert_full" both become "snort". Check $SPLUNK_HOME/etc/apps/SplunkforSnort/props.conf for details.

The reason why you can't just set the sourcetype to "snort" right away is that the format of the alert files (particularly full) requires Splunk to parse them a bit differently depending on whether you have fast or full. Once that initial parsing is done though, it's all just "snort" to Splunk. All field extractions etc in the app refer to the "snort" sourcetype, so if that's what you got it should all be working properly.

I just uploaded a newer version of the app to Splunkbase that contains bugfixes and feature enhancements. Do let me know if you run into any problems as I've only been able to test the app on my own systems with my own logs - feedback is greatly appreciated!

Kind regards, Patrik

Re: Set sourcetype by source with props.conf not working

itboffin — Fri, 08 Oct 2010 17:41:40 GMT

Can anyone point me in the right direction, I just don't seem to be able to get any data to display in the snort app.

I've configured /etc/rsyslog.d/50-default.conf to send all logs to my snort server (windows)

. @@x.x.x.x:514

I've configured /etc/snort/snort.conf to output to /var/log/snort/alert.full & alert.fast

output alert_syslog: LOG_AUTH LOG_ALERT output alert_fast: alert.fast output alert_full: alert.full

I've opened the firewall on the Splunk server and tested connectivity to TCP 514, I already have other hosts sending event logs and syslog UDP 514 successfully.

I've added a TCP data input source type snort port 514, restarted snort but nothing, the app remains blank. What am I missing?