
Splunk for Snort Splunk Forwarder

jmoses52
New Member

Could someone provide some setup guides for getting snort logs sent over to splunk?

I have installed the Splunk forwarder and set it up to send the Snort logs located in /var/log/snort/, but Splunk did not see it. I just sent over /var/log/ and Splunk saw this just fine. Now, do the Snort logs need to be in a certain format? I am not able to read them with vim on my CentOS machine either.

I have messed with these files so many ways but nothing worked:
/opt/splunkforwarder/etc/apps/search/local/local.conf
/opt/splunkforwarder/etc/system/local/local.conf
/opt/splunkforwarder/etc/system/local/output.conf

I have also installed Splunk for Snort and untarred it to the /opt/splunkforwarder/etc/apps/ directory, but I don't know how to configure this.

So far this is how my .conf files are configured:

/opt/splunkforwarder/etc/apps/search/local/local.conf

[splunktcp://9997]
connection_host = ip

[monitor:///var/log/snort/] 
disabled = false
index = main
sourcetype = snort_alert_full
source = snort

/opt/splunkforwarder/etc/system/local/local.conf

[default]
host = snorthostname

[monitor:///var/log/snort/]
disabled = false
index = main
sourcetype = snort_alert_full
source = snort

/opt/splunkforwarder/etc/system/local/output.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.10.90.17:9997

[tcpout-server://10.10.90.17:9997] 

Is there something special I need to do on snort?

Versions:
Snort: 2.9.9.0
CentOS 7
Splunk 6.5.2

0 Karma

fugglefeet
Explorer

Hi jmoses52,

Have you read the included README file that would be installed with Splunk for Snort? Also, it would seem you have confused the two separate authors of two separate Splunk apps. Please also direct your queries pertaining to the relevant app (in this case Splunk for Snort, which you have downloaded) to the relevant questions area (Splunk for Snort) and not across multiple questions areas. If all else fails, then contact the author (Patrik Nordlen) of Splunk for Snort: https://splunkbase.splunk.com/apps/#/author/patrik

If you have installed Snort for Splunk, then I can help you by directing you to the README file contained in the app.

fugglefeet

0 Karma

fugglefeet
Explorer

Hi jmoses52,

It would appear Barnyard2 is missing from the installation mentioned for the unified logs to be sent to Splunk.

Hope this helps.

fugglefeet

0 Karma

jmoses52
New Member

Also, why do I need Barnyard when there is the Splunk for Snort app? Shouldn't this take care of getting readable logs to Splunk?

0 Karma
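As an added worked example (not from the thread, and not the Splunk for Snort app's own documentation), here is the layout that jmoses52's posted config is reaching for, with the point behind fugglefeet's Barnyard2 answer and the "why do I need barnyard" question: the forwarder only reads the Splunk-recognised file names inputs.conf and outputs.conf (local.conf and output.conf are ignored), the splunktcp receiving stanza belongs on the indexer rather than the forwarder, and Barnyard2 turns the binary unified2 spool in /var/log/snort/ (the files vim cannot display) into the alert_full text that the snort_alert_full sourcetype is built to parse. The barnyard2.conf path, the alert.full file name and the waldo bookmark path are assumptions; the index name and indexer address are the ones from the original post.

```ini
# --- /etc/snort/barnyard2.conf (path assumed): read Snort's unified2 spool
# --- and write the plain-text alert_full format the app's sourcetype expects.
# Snort itself keeps writing unified2 (binary) via "output unified2: filename snort.log".
input unified2
output alert_full: /var/log/snort/alert.full
# Run Barnyard2 as a daemon against that spool, e.g.:
#   barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log \
#             -w /var/log/snort/barnyard2.waldo -D

# --- /opt/splunkforwarder/etc/system/local/inputs.conf  (NOT local.conf)
[default]
host = snorthostname

# Monitor the text file Barnyard2 writes, not the whole directory of
# binary snort.log.* spools, which Splunk cannot line-break into events.
[monitor:///var/log/snort/alert.full]
disabled = false
index = main
sourcetype = snort_alert_full

# --- /opt/splunkforwarder/etc/system/local/outputs.conf  (NOT output.conf)
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.10.90.17:9997

# --- On the INDEXER (10.10.90.17), $SPLUNK_HOME/etc/system/local/inputs.conf:
# the receiving stanza belongs here; on a forwarder it would open a listener
# for other forwarders instead of sending anything.
[splunktcp://9997]
connection_host = ip

# --- Checks after restarting the forwarder:
#   /opt/splunkforwarder/bin/splunk list monitor        (alert.full must appear)
#   /opt/splunkforwarder/bin/splunk btool inputs list --debug
# The Splunk for Snort app's field extractions are search-time, so the app also
# has to be installed where searches run (indexer/search head), not only in
# the forwarder's apps directory.
```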

jmoses52
New Member

Is there a guide for this?
Is the download only available on github?
Do you need a SQL DB to set it up?

0 Karma