- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Splunk for Snort no data being logged in App
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Everyone,
I'm new to splunk and snort, so please bear with me. I am setting up a test snort machine running splunk locally. I have configured logging within the snort.conf file, and I am able to see these logs in splunk, however, these logs are not being recognized by splunk for snort app. Meaning, no logs show when I switch to the app, I get no stats in the statistics dashboard, and I am unable to get any results when I run a report.
I am pulling these logs into splunk via local file. I have the following in my snort.conf file:
config logdir: C:\Snort\log
output alert_fast: alert.fast
output alert_full: alert.full
I have set up two data inputs in "files & directories" in Splunk. One is set up for C:\Snort\log\alert.full with a sourcetype of snort_alerts_full, and the other is set up for C:\Snort\log\alert.fast with the souretype of snort_alerts_fast. Within the search App I am able to view the logs in these sourcetypes and am able to verify the logs are full and fast alert logs from Snort. The Splunk for Snort App page located here seems to suggest the app is looking for my sourcetypes and will change the sourcetype to "snort" for use within the app, but that doesn't seem to be the case.
Any suggestions? I tried searching within the app for the sourcetypes above and was able to pull in logs, but the reports were wanting to run off sourcetype snort. Maybe I'll try changing the sourcetype to snort. Thanks for any help/suggestions.
I forgot, here's the command I'm using to start snort:
c:\snort\bin\snort -i2 -d -e -v -c c:\snort\etc\snort.conf
Dan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're saying the sourcetypes you are using are snort_alerts_fast and snort_alerts_full - unless that's a typo just in your question, that's your problem right there. The sourcetypes should be snort_alert_fast and snort_alert_full, respectively (without the s after alert).
On a sidenote, it's unlikely you want both fast and full in your index - full provides all information that fast provides, and adds a number of additional fields. So using both fast and full will result in what will look like lots of duplicate events, as every triggered alert will be logged to both fast and full.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're saying the sourcetypes you are using are snort_alerts_fast and snort_alerts_full - unless that's a typo just in your question, that's your problem right there. The sourcetypes should be snort_alert_fast and snort_alert_full, respectively (without the s after alert).
On a sidenote, it's unlikely you want both fast and full in your index - full provides all information that fast provides, and adds a number of additional fields. So using both fast and full will result in what will look like lots of duplicate events, as every triggered alert will be logged to both fast and full.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had a similar problem ingesting logs for SplunkforSnort. Using the UI to manually ingest the file from my local filesystem, I specified that I wanted to set the sourcetype manually to "snort_alert_fast". The data ingested, but searching for sourcetype="snort_alert_fast" came up with zero matches. HOWEVER, the data shows up in my SplunkforSnort app with the sourcetype now set to just "fast". It also shows outside the app, of course, but still with the sourcetype set to "fast".
Did Splunk disregard my manual input, or can apps change the sourcetype right under your nose, as it were?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stupid typo on my part. Thanks Ayn. I have changed the sourcetype to snort_alert_full and the snort app is working as expected.
Thanks again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, you may be on to something there. I did write it down wrong, so I figure i typed it in wrong. I have changed the sourcetype to snort and that seems to of fixed the statistics and report issues. I noticed what you were saying about the full and fast logs. I have deleted that data input in splunk.
Just for giggles, I'm going to set the sourcetype to snort_alert_full to see what happens.
Thanks
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
