- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Forwarding snort /var/log/snort/alert, universal f...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greetings Splunkbase,
I'm working on configuring my first universal forwarder - I have a Splunk implementation with multiple syslogs and files being indexed from various sources, but now that I'm looking to forward snort_alert_full logs, I'm heading into unfamiliar territory.
What I know:
- I'm seeing a heartbeat to the indexing / receiving server, but no data being sent. If I tail /var/log/snort/alert, I see full alerts being generated, but no additional network traffic on tcp port 9997 between the two servers. I do, however, consistently see the heartbeat every few seconds (I think it's a heartbeat? Maybe it's trying to synchronize, connect, etc.?).
What I don't know:
- I created the "receiving" port 9997 on the Splunk indexer - is there anything more I need to do on the indexer?
Why, when I add a new user / password (Admin role is assigned) to my Splunk receiver, it isn't allowing me to authenticate remotely:
/opt/splunkforwarder/bin/splunk add forward-server 10.0.0.81:9997 -auth forward:test123
Returns:
Login failed
Login failed
Unauthorized
In
/opt/splunkforwarder/var/log/splunk/splunkd.log
I see:
02-08-2012 12:39:55.053 -0700 ERROR UserManagerPro - Login failed for unknown user="forward"
I am currently using the "admin:changeme" combo to authenticate for the moment, just for testing purposes.
- Are my .conf files correct?
I spent some time on splunkbase looking for common snort universal forwarder configurations.
Here are the contents of my inputs.conf and outputs.conf files:
inputs.conf
[default]
host = server.domain.local
[monitor:///var/log/snort/alert]
disabled = false
index = ids
sourcetype = snort_alert _full
outputs.conf
[tcpout]
maxQueueSize = 500KB
[tcpout]
defaultGroup = splunk
[tcpout:splunk]
disabled = false
server = 10.0.0.81:9997
compressed = false
Also, when I start the splunk forwarder, I see this:
02-08-2012 12:49:35.171 -0700 INFO TailingProcessor - Parsing configuration stanza: monitor:///var/log/snort/alert.
02-08-2012 12:49:35.171 -0700 INFO BatchReader - State transitioning from 2 to 0 (initOrResume).
02-08-2012 12:49:35.299 -0700 INFO TcpOutputProc - Connected to idx=10.0.0.81:9997
Thanks for the assistance - please let me know if I can provide any additional information!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, I'm here to eat crow - here's the fix.
- I had a space in my log source:
sourcetype = snort_alert _full
Changed to:
sourcetype = snort_alert_full
- My Snort server's time was off - Splunk will log syslog events at the time they are received, but the Splunk Forwarder maintains the time the log was generated on the source server.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, I'm here to eat crow - here's the fix.
- I had a space in my log source:
sourcetype = snort_alert _full
Changed to:
sourcetype = snort_alert_full
- My Snort server's time was off - Splunk will log syslog events at the time they are received, but the Splunk Forwarder maintains the time the log was generated on the source server.
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
