SPLUNK for SNORT not working

thunbolt22
Engager

I am trying to get SPLUNK for SNORT up and running with no luck. I am new to SNORT, SPLUNK, and Linux in general. But here is what I have.
CentOS running SNORT and producing an ALERT and log file
Windows PC running SPLUNK

I set up the universal forwarder and all my SNORT alerts appear in SPLUNK as sourcetype snort_alert_full using the following command:
/opt/splunkforwarder/bin/splunk add monitor /etc/log/snort/ -index main -sourcetype snort_alert_full

When viewing in Splunk for Snort I have no results. My understanding is that when the data is processed it should be renamed from snort_alert_full to snort; I don't see this happening. And I cannot search for src_ip as it is not being indexed properly.

Is there something I have to do to get Splunk for Snort to process the data and index it properly?

0 Karma
1 Solution

thunbolt22
Engager

I ended up reinstalling Splunk for Snort and everything worked.

0 Karma

starcher
SplunkTrust

Try changing Snort to alert fast. Then do the same for the file monitor for the Splunk forwarder.

0 Karma
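Added example (not code from this thread or from the Splunk for Snort app): a small Python parser for the fast alert format that starcher's reply suggests switching to, pulling out the src_ip the original poster could not search on. The line layout and the sample alerts are assumptions constructed here; the last sample shows why a line-based fast parser yields nothing for alert_full records.

```python
import re
from typing import Dict, List, Optional

# Assumed Snort 2.x "alert_fast" layout (constructed, not from the thread):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c]
#   [Priority: n] {PROTO} src_ip:src_port -> dest_ip:dest_port
# Ports are absent for ICMP; only IPv4 addresses are handled here.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FAST_ALERT_RE = re.compile(
    r"^(?P<timestamp>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s*)?"
    r"(?:\[Priority:\s*(?P<priority>\d+)\]\s*)?"
    r"\{(?P<proto>[A-Za-z0-9-]+)\}\s+"
    rf"(?P<src_ip>{IPV4})(?::(?P<src_port>\d+))?\s+->\s+"
    rf"(?P<dest_ip>{IPV4})(?::(?P<dest_port>\d+))?\s*$"
)

def parse_fast_alert(line: str) -> Optional[Dict[str, object]]:
    """Return the alert's fields, or None if the line is not fast format."""
    m = FAST_ALERT_RE.match(line.strip())
    if m is None:
        return None
    fields: Dict[str, object] = dict(m.groupdict())
    for key in ("gid", "sid", "rev", "priority", "src_port", "dest_port"):
        if fields[key] is not None:
            fields[key] = int(fields[key])  # numeric fields as ints
    return fields

def count_by_src_ip(lines: List[str]) -> Dict[str, int]:
    """Tally parsed alerts per src_ip, skipping lines that do not parse."""
    counts: Dict[str, int] = {}
    for line in lines:
        event = parse_fast_alert(line)
        if event is not None:
            ip = str(event["src_ip"])
            counts[ip] = counts.get(ip, 0) + 1
    return counts

# Constructed sample alerts. The last entry is the first line of a multi-line
# "alert_full" record, which a per-line fast-format parser rejects.
SAMPLE_ALERTS = [
    "10/20-14:03:12.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check "
    "returned root [**] [Classification: Potentially Bad Traffic] "
    "[Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.5:50123",
    "10/20-14:04:01.555555  [**] [1:384:5] ICMP PING [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 192.168.1.10",
    "[**] [1:384:5] ICMP PING [**]",
]
```

Running `count_by_src_ip(SAMPLE_ALERTS)` gives one hit each for 192.168.1.10 and 10.0.0.9, while the alert_full fragment is dropped, which is the same outcome as a sourcetype whose extractions do not match the file's format.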