Solved: Re: SPLUNK for SNORT not working

thunbolt22 · ‎07-05-2013

I am trying to get SPLUNK for SNORT up and running with no luck. I am new to SNORT,SPLUNK, and linux in gerneral. But here is what i have.
CentOS running SNORT and producing an ALERT and log file
Windows PC running SPLUNK

I setup the universal forwarder and all my SNORT alerts appear in SPLUNK as sourcetype snort_alert_full using the following command:
/opt/splunkforwarder/bin/splunk add monitor /etc/log/snort/ -index main -sourcetype snort_alert_full

When viewing in Splunk for snort i have no results. my understanding is that when the data is processed it should be renames from snort_alert_full to snort, i dont see this happeneing. And cannot search for src_ip as it is not being indexed properly.

Is there something i have to do to get Splunk for snort to process the data and index it properly?

thunbolt22 · ‎07-08-2013

I ended up reinstalling Splunk for Snort and everything worked.

View solution in original post

praveen_recker · ‎10-05-2013

http://www.disects.com/whitepapers/Logging_Snort_alerts_to_Syslog_and_Splunk.pdf

thunbolt22 · ‎07-08-2013

I ended up reinstalling Splunk for Snort and everything worked.

starcher · ‎07-06-2013

Try changing snort to alert fast. Then same for the file monitor for the splunk forwarder

SPLUNK for SNORT not working

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation