I am trying to get Splunk for Snort up and running with no luck. I am new to Snort, Splunk, and Linux in general, but here is what I have.
CentOS running SNORT and producing an ALERT and log file
Windows PC running SPLUNK
I set up the universal forwarder and all my Snort alerts appear in Splunk as sourcetype snort_alert_full using the following command:
/opt/splunkforwarder/bin/splunk add monitor /etc/log/snort/ -index main -sourcetype snort_alert_full
When viewing in Splunk for Snort I have no results. My understanding is that when the data is processed it should be renamed from snort_alert_full to snort; I don't see this happening, and I cannot search for src_ip as it is not being indexed properly.
Is there something I have to do to get Splunk for Snort to process the data and index it properly?
I ended up reinstalling Splunk for Snort and everything worked.
Try changing Snort to alert fast. Then do the same for the file monitor for the Splunk forwarder.
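The field names the original poster cannot search on (src_ip and friends) only exist once something parses the raw Snort alert lines; the Splunk for Snort app does that with search-time extractions keyed on the sourcetype, and the answer above suggests switching Snort to the single-line "alert fast" output. The following is an added example, not code from the post, the Snort project, or the Splunk app: a small parser for alert_fast lines that pulls out the same kinds of fields and renders them as key="value" pairs. The sample alert lines are constructed (local-range SIDs, RFC 1918 addresses), and the regular expression handles IPv4 only, which is an assumption of this example. Running it over a copy of your real alert file is a quick check that the file is actually in alert_fast format before pointing the forwarder at it.

```python
import re
from typing import Optional

# Constructed sample lines in Snort's alert_fast output format (not from the
# original post). SIDs are in the local-rule range (1000001+) and the
# addresses are RFC 1918 test addresses. The third line deliberately is not
# an alert, to show how non-matching input is reported rather than dropped.
SAMPLE_ALERTS = [
    '01/15-10:22:33.123456  [**] [1:1000001:1] LOCAL example rule hit [**] '
    '[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} '
    '192.168.1.10:80 -> 10.0.0.5:51234',
    '01/15-10:22:34.000001  [**] [1:1000002:1] LOCAL icmp example [**] '
    '[Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.1',
    'this line is not a snort alert',
]

# alert_fast layout: timestamp [**] [gid:sid:rev] signature [**]
# [Classification: ...] (optional) [Priority: n] {PROTO} src[:port] -> dst[:port]
# IPv4 only (assumption of this example); ports are absent for ICMP.
ALERT_FAST_RE = re.compile(
    r'^(?P<timestamp>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+'
    r'\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<signature>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?'
    r'\[Priority:\s+(?P<priority>\d+)\]\s+'
    r'\{(?P<protocol>[A-Z0-9]+)\}\s+'
    r'(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<src_port>\d+))?\s+->\s+'
    r'(?P<dest_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dest_port>\d+))?$'
)


def parse_alert_fast(line: str) -> Optional[dict]:
    """Return a dict of fields for one alert_fast line, or None if it does not match."""
    m = ALERT_FAST_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    # Numeric fields become ints so they sort and compare sensibly downstream.
    for key in ('gid', 'sid', 'rev', 'priority', 'src_port', 'dest_port'):
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields


def to_kv(fields: dict) -> str:
    """Render fields as key="value" pairs, a form Splunk extracts automatically at search time."""
    return ' '.join(f'{k}="{v}"' for k, v in fields.items() if v is not None)


def parse_file(lines):
    """Split an iterable of raw lines into (parsed field dicts, unparsed raw lines)."""
    parsed, skipped = [], []
    for line in lines:
        fields = parse_alert_fast(line)
        if fields is None:
            skipped.append(line)
        else:
            parsed.append(fields)
    return parsed, skipped


if __name__ == '__main__':
    # Swap SAMPLE_ALERTS for open('/var/log/snort/alert') to check a real file.
    parsed, skipped = parse_file(SAMPLE_ALERTS)
    for fields in parsed:
        print(to_kv(fields))
    print(f'{len(skipped)} line(s) did not match the alert_fast format')
```

If many lines end up in the skipped list, the file is not in alert_fast format (for example it is still the multi-line "full" output), which is exactly the situation in which the forwarder's sourcetype and the app's extractions would not line up.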