OK, I am not crazy here; I've seen this on two different machines that I've been running SplunkforSnort on.
I set up the devices to pull from the '/var/log/snort/alert' log on the box and give them a manual sourcetype of 'snort'. When I first set both boxes up things worked great. Then after about 5-7 days the application exhibits a strange behavior. It only displays the data from 12am to 1am. Has anyone else experienced this?
When I tail -f the log file I see snort alerts coming in, and even when I set SplunkforSnort to 1min realtime I see the number of scanned events increase, but the results show as zero.
I am using snort 2.9.0.4 and Splunk 4.2.3 if that helps.
Thank you for your assistance Ayn.
I see what is going on now: my timestamp got messed up.
Example: I'm showing
2/19/11
7:22:19.445 PM
For an alert @ 11/02-19:22:19.445432
It looks like I may need to modify something in props.conf but I'm not 100% sure.
Excellent. Do let me know if you have any more questions, comments or suggestions regarding the Snort app (I wrote it), and please vote it up if you find it useful 🙂
Also please mark my (or your) answer as accepted so it shows clearly on the site that this question is closed.
For an alert @ 11/02-19:22:19.445432
What is the .445432 part of that alert? Is it milliseconds?
OK it appears to be working now. Just a simple matter of using the snort command with -y to include the year in the logs.
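To make the timestamp problem in this thread concrete, here is an added example (not part of the thread, the Snort app, or Splunk) that parses Snort "fast" alert lines. It handles both timestamp layouts: the default `MM/DD-HH:MM:SS.ffffff` with no year, and the `MM/DD/YY-HH:MM:SS.ffffff` form produced when snort runs with `-y`. The six digits after the dot are microseconds. The parser refuses to guess a year for the year-less form unless the caller supplies one, which is exactly the ambiguity that lets a downstream indexer misread the stamp. The alert lines, rule IDs (local 1000000 range) and RFC 5737 addresses are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample lines in Snort "fast" alert format (not from the thread).
# The first carries the default year-less timestamp; the other two are written
# the way `snort -y` prints them, with a two-digit year after the day.
SAMPLE_ALERTS = [
    "11/02-19:22:19.445432  [**] [1:1000001:1] LOCAL test alert [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:80 -> 198.51.100.5:49152",
    "11/02/11-19:22:19.445432  [**] [1:1000001:1] LOCAL test alert [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:80 -> 198.51.100.5:49152",
    "11/02/11-19:22:20.000001  [**] [1:1000002:1] LOCAL icmp alert [**] "
    "[Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5",
]

# MM/DD[-/YY]-HH:MM:SS.ffffff ; the year group is only present with `snort -y`.
TIMESTAMP_RE = re.compile(
    r"^(?P<month>\d{2})/(?P<day>\d{2})(?:/(?P<year>\d{2}))?"
    r"-(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})\.(?P<micro>\d{6})$"
)

# Fast-alert layout: ts [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src -> dst. Classification is optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<signature>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def timestamp_has_year(text):
    """True if the stamp was written by `snort -y` (two-digit year present)."""
    m = TIMESTAMP_RE.match(text)
    if not m:
        raise ValueError("not a Snort timestamp: %r" % text)
    return m.group("year") is not None


def parse_timestamp(text, assumed_year=None):
    """Turn a Snort alert timestamp into a datetime.

    A year-less stamp can only be resolved if the caller supplies the year,
    so the function refuses to guess rather than silently picking one.
    """
    m = TIMESTAMP_RE.match(text)
    if not m:
        raise ValueError("not a Snort timestamp: %r" % text)
    if m.group("year") is not None:
        year = 2000 + int(m.group("year"))
    elif assumed_year is not None:
        year = assumed_year
    else:
        raise ValueError("timestamp %r carries no year; run snort with -y "
                         "or pass assumed_year" % text)
    return datetime(year, int(m.group("month")), int(m.group("day")),
                    int(m.group("hour")), int(m.group("minute")),
                    int(m.group("second")), int(m.group("micro")))


def split_endpoint(endpoint):
    """'192.0.2.10:80' -> ('192.0.2.10', 80); ICMP endpoints carry no port."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_alert(line, assumed_year=None):
    """Extract the fields the thread talks about (timestamp, src_ip, signature, ...)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised alert line: %r" % line)
    src_ip, src_port = split_endpoint(m.group("src"))
    dst_ip, dst_port = split_endpoint(m.group("dst"))
    return {
        "timestamp": parse_timestamp(m.group("ts"), assumed_year),
        "has_year": timestamp_has_year(m.group("ts")),
        "gid": int(m.group("gid")), "sid": int(m.group("sid")), "rev": int(m.group("rev")),
        "signature": m.group("signature"),
        "classification": m.group("classification"),
        "priority": int(m.group("priority")),
        "proto": m.group("proto"),
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
    }


def main():
    # Without an assumed year the first sample is rejected; the `-y` ones parse.
    for line in SAMPLE_ALERTS:
        try:
            event = parse_alert(line)
        except ValueError as err:
            print("SKIP:", err)
            continue
        print(event["timestamp"].isoformat(), event["sid"],
              event["src_ip"], "->", event["dst_ip"])


if __name__ == "__main__":
    main()
```

The same distinction is what a Splunk `TIME_FORMAT` in props.conf has to express: `%m/%d/%y-%H:%M:%S.%6N` for `-y` output versus `%m/%d-%H:%M:%S.%6N` without it, where `%6N` is Splunk's notation for six subsecond digits.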
Splunk for Snort relies on a number of field extractions to work. If you manually search for sourcetype="snort" in the default search app, do you get results with both correct timestamps and correct field extractions, for instance do you see the "src_ip" and "signature" fields to the left?
If there are no matching events you're having a problem getting the snort events into Splunk. The scanned events count you're seeing incrementing is simply ALL events in Splunk's index. If no events with sourcetype "snort" are found, it's because no such events exist in the index. Check your input.
I went to the default search app and entered sourcetype="snort" as you specified. It appears to be showing the same thing that the SplunkforSnort app shows meaning I can see scanned events incrementing but the number of matching events remains at zero. I do not see any of the field extractions in the left column with Field Discovery in the on position.