Could someone provide some setup guides for getting snort logs sent over to splunk?
I have installed the splunk forwarder and set it up to send the snort logs located in /var/log/snort/ but splunk did not see it. I just sent over /var/log/ and splunk saw this just fine. Now does the snort logs need to be in a certain format? I am not able to read it with vim on my centos machine either.
I have messed with these files so many ways but nothing worked:
I have also installed Splunk for Snort
and un tar'd it to /opt/splunkforwarder/etc/apps/ directory, but I dont know how to configure this.
So far this is how my .conf files are configured:
[splunktcp://9997] connection_host = ip [monitor:///var/log/snort/] disabled = false index = main sourcetype = snort_alert_full source = snort
[default] host = snorthostname [monitor:///var/log/snort/] disabled = false index = main sourcetype = snort_alert_full source = snort
[tcpout] defaultGroup = default-autolb-group [tcpout:default-autolb-group] server = 10.10.90.17:9997 [tcpout-server://10.10.90.17:9997]
Is there something special I need to do on snort?
Have you read the included README file that would be installed with Splunk for Snort? Also it would seem you have confused the two separate authors of two separate Splunk apps. Please also direct your queries pertaining to the relevant app (in this case Splunk for Snort which you have downloaded), to the relevant questions area (Splunk for Snort) and not across multiple questions areas. If all else fails, then contact the author (Patrik Nordlen) of Splunk for Snort https://splunkbase.splunk.com/apps/#/author/patrik .
If you have installed Snort for Splunk, then I can help you by directing you to the README file contained in the app.
It would appear Barnyard2 is missing from the installation mentioned for the unified logs to be sent to Splunk.
Hope this helps.
Also, why do I need barnyard when there is Spunk for Snort app? Shouldnt this take care of getting readable logs to splunk?
Is there a guide for this?
Is the download only available on github?
Do you need a sql db to setup it up?