Hey guys, looking for your guidance. I am currently trying to set up Snort version 2.9.15 on a standalone VM. I followed the guide on the official Snort site to install that version of Snort with Barnyard2 and PulledPork on Ubuntu Server 16.04. This process went well and works.
My issue comes in when forwarding logs to my Splunk server. Logs do reach my server, but they are just jargon. I have a local.rules file that has an ICMP test rule inside so I can test this config, and it does work on the Snort server. Below is a snippet of the logs I get:
(goes on and on)
I added a props.conf file to my /opt/splunkforwarder/etc/system/local directory (On my Snort server) that is below since originally I was getting no logs toward my Splunk server until I added the following:
I recently removed this file as a troubleshooting step and I was getting errors in my /var/log/messages that files were not sending due to them being binary (which I also got before). Introducing this props.conf file on my Snort server with the above options set does get logs to my Splunk server, but they aren't readable.
Below is my inputs.conf:
[default]
host = piggy

[monitor:///var/log/snort]
disabled=false
index=main
sourcetype=snort_alert_full
source=snort
And below is my outputs.conf:
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.1.210:9997

[tcpout-server://192.168.1.210:9997]
I am using the Splunk For Snort App in Splunk, and I would like normal logs in my Splunk to practice. Without props.conf Splunk blocks those jargon files from being created. I have a feeling it has something to do with Barnyard2, since its purpose is to use those u2 files and make them into something, but there are no files in /var/log/barnyard2. How can I get normal log files that I can see from the console (if I tested it that way) into Splunk itself?
I think, as per this post on the problem which says Barnyard2 is rather complex to set up, that it's your Barnyard2 configuration that's wrong. Also because it fits with the symptoms you are seeing.
Now, assuming the Snort files are in that unified format (and not in tcpdump format - see that link above), and that you have set up barnyard2 but that barnyard2 isn't actually creating files for Splunk to pick up, then ...?
This isn't quite really a Splunk problem. I'm not sure if you'll get any great answers here, but hopefully this will point you in the right directions to fix it or give you more information you can use to ask in a snort or barnyard2 set of forums.
There are a couple of examples at the bottom of the barnyard2 man pages:
The last part about "Testing" in the link below also gives an example:
Otherwise, I wish you well but I think you'll get better answers from reading through your favorite search engine's results for "barnyard2 help", or barnyard2's or snort's forums.
Do let us know what you find out, though! It would be a great help to anyone else who has this same or a similar question/problem!
Sorry for the long delay, I wanted to make sure everything was working before I posted what I did.
The solution I used renders Barnyard2 useless, as the alerts get written to /var/log/snort as a readable file versus to the MySQL database. If you're looking for how to set that up correctly, I'm sorry as this answer won't help with that.
This is a lab of mine at home, so all I wanted were Snort alerts to get into Splunk. I didn't care how it was done, as long as it was in there since I don't plan on keeping this specific install active. Anyway, I found the answer I was looking for in a Google Group, which I'll post below:
In the event the group gets deleted, I copied the answer below:
Finally I can help someone here! I'm doing this now...
Download the universal forwarder from splunk. Make sure you get the appropriate one! Install it on your seconion box. It will install to /opt/splunkforwarder/
In your snort.conf file,
make sure you have:
output alert_full: alert.full
Restart Snort to push changes
alert.full will be in your config logdir:/somepath
In your splunk config files,
/opt/splunkforwarder/etc/system/local$ cat inputs.conf
index = anindexnamethatmakessincetoyouonyoursplunkSERVER
followTail = 1
sourcetype = snortalert_full
/opt/splunkforwarder/etc/system/local$ cat outputs.conf
restart your splunk forwarder
I'll keep an eye on this post in case you have problems.
Also note: I threw Snort/Barnyard2/PulledPork on an Ubuntu Server 16 VM, so I ignored the seconion stuff of the post above.
Hope this helps someone in the future!
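The alert_full output the steps above turn on writes one multi-line record per rule hit, with a blank line between records and a timestamp that carries no year, which is what a forwarder or parser has to account for before the alerts are searchable as fields. The following is an added example, not code from the thread, from Snort or from Splunk: it parses constructed alert_full records into the fields a SIEM would index; the sample alerts, the default year and the IPv4-only address handling are assumptions.

```python
import re
from datetime import datetime
# Constructed sample in Snort 2.x alert_full layout (not copied from the thread):
# one record per rule hit, several lines each, records separated by a blank line.
SAMPLE_ALERT_FULL = """\
[**] [1:10000001:1] ICMP test [**]
[Classification: Misc activity] [Priority: 3]
03/14-10:15:22.123456 192.168.1.50 -> 192.168.1.210
ICMP TTL:64 TOS:0x0 ID:54321 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:1234   Seq:1  ECHO

[**] [1:10000002:1] TCP test [**]
[Priority: 0]
03/14-10:15:23.654321 192.168.1.50:44512 -> 192.168.1.210:9997
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xFFFF  TcpLen: 40
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASSIFICATION = re.compile(r"\[Classification: ([^\]]+)\]")
PRIORITY = re.compile(r"\[Priority: (\d+)\]")
# Timestamp has no year; addresses assumed IPv4 with an optional :port (TCP/UDP only).
PACKET = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6}) "
                    r"(\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")

def parse_alert_full(text, year=2020):
    """Split alert_full output on blank lines; the caller supplies the missing year."""
    events = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        head = HEADER.match(lines[0])
        if not head:
            continue  # not a record header: skip rather than guess at fields
        cls, pri = CLASSIFICATION.search(lines[1]), PRIORITY.search(lines[1])
        ev = {"gid": int(head[1]), "sid": int(head[2]), "rev": int(head[3]),
              "msg": head[4], "classification": cls[1] if cls else None,
              "priority": int(pri[1]) if pri else None}
        for i, line in enumerate(lines):
            pkt = PACKET.match(line)
            if pkt:
                ev["timestamp"] = datetime.strptime(
                    f"{year}/{pkt[1]}", "%Y/%m/%d-%H:%M:%S.%f")
                ev["src_ip"], ev["dest_ip"] = pkt[2], pkt[4]
                ev["src_port"] = int(pkt[3]) if pkt[3] else None
                ev["dest_port"] = int(pkt[5]) if pkt[5] else None
                # the line after the addresses begins with the protocol name
                ev["proto"] = lines[i + 1].split()[0] if i + 1 < len(lines) else None
                break
        events.append(ev)
    return events
```

The same record boundary (a header starting with `[**]` after a blank line) is what a Splunk props.conf line-breaking rule for this sourcetype has to express; without it each line of a record is indexed as its own event.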
@96nick If your problem is resolved, please accept an answer to help future readers.