Greetings Splunkbase,
I'm working on configuring my first universal forwarder - I have a Splunk implementation with multiple syslogs and files being indexed from various sources, but now that I'm looking to forward snort_alert_full logs, I'm heading into unfamiliar territory.
What I know:
- I'm seeing a heartbeat to the indexing / receiving server, but no data being sent. If I tail /var/log/snort/alert, I see full alerts being generated, but no additional network traffic on tcp port 9997 between the two servers. I do, however, consistently see the heartbeat every few seconds (I think it's a heartbeat? Maybe it's trying to synchronize, connect, etc.?).
What I don't know:
Why, when I add a new user / password (Admin role is assigned) to my Splunk receiver, it isn't allowing me to authenticate remotely:
/opt/splunkforwarder/bin/splunk add forward-server 10.0.0.81:9997 -auth forward:test123
Returns:
Login failed
Login failed
Unauthorized
In
/opt/splunkforwarder/var/log/splunk/splunkd.log
I see:
02-08-2012 12:39:55.053 -0700 ERROR UserManagerPro - Login failed for unknown user="forward"
I am currently using the "admin:changeme" combo to authenticate for the moment, just for testing purposes.
I spent some time on splunkbase looking for common snort universal forwarder configurations.
Here are the contents of my inputs.conf and outputs.conf files:
inputs.conf
[default]
host = server.domain.local
[monitor:///var/log/snort/alert]
disabled = false
index = ids
sourcetype = snort_alert _full
outputs.conf
[tcpout]
maxQueueSize = 500KB
[tcpout]
defaultGroup = splunk
[tcpout:splunk]
disabled = false
server = 10.0.0.81:9997
compressed = false
Also, when I start the splunk forwarder, I see this:
02-08-2012 12:49:35.171 -0700 INFO TailingProcessor - Parsing configuration stanza: monitor:///var/log/snort/alert.
02-08-2012 12:49:35.171 -0700 INFO BatchReader - State transitioning from 2 to 0 (initOrResume).
02-08-2012 12:49:35.299 -0700 INFO TcpOutputProc - Connected to idx=10.0.0.81:9997
Thanks for the assistance - please let me know if I can provide any additional information!
Ok, I'm here to eat crow - here's the fix.
sourcetype = snort_alert _full
Changed to:
sourcetype = snort_alert_full
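A small lint pass for the two .conf files as posted (an added example, not code from the post or from Splunk): it parses the stanzas and reports whitespace inside the sourcetype value along with the repeated [tcpout] header in outputs.conf. The file contents are constructed copies of the ones above, and the list of single-token keys is an assumption.

```python
import re
from collections import Counter

# Constructed copies of the post's files; inputs.conf keeps the broken
# sourcetype, and outputs.conf is trimmed to its repeated [tcpout] header.
INPUTS_CONF = """\
[default]
host = server.domain.local
[monitor:///var/log/snort/alert]
disabled = false
index = ids
sourcetype = snort_alert _full
"""
OUTPUTS_CONF = """\
[tcpout]
maxQueueSize = 500KB
[tcpout]
defaultGroup = splunk
"""
STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
KV_RE = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")
SINGLE_TOKEN_KEYS = {"sourcetype", "index", "host", "server", "defaultGroup"}

def parse_conf(text):
    """Return [(stanza, key, value)] in file order; headers yield key=None."""
    stanza, out = "default", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := STANZA_RE.match(line):
            stanza = m.group("name")
            out.append((stanza, None, None))
        elif m := KV_RE.match(line):
            out.append((stanza, m.group("key"), m.group("value").strip()))
    return out

def lint_conf(text):
    """Return (code, stanza, key, suggested_value) for each repeated stanza
    header and for each single-token key whose value contains whitespace."""
    entries = parse_conf(text)
    findings = []
    for name, n in Counter(s for s, k, _ in entries if k is None).items():
        if n > 1:
            findings.append(("duplicate-stanza", name, None, None))
    for stanza, key, value in entries:
        if key in SINGLE_TOKEN_KEYS and re.search(r"\s", value):
            # Suggested fix is the one from the post: drop the stray whitespace.
            findings.append(("whitespace-in-value", stanza, key, re.sub(r"\s+", "", value)))
    return findings
```

Running `lint_conf` over a forwarder's inputs.conf before restarting it catches this class of typo without waiting for data to not arrive on port 9997.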