All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

i can't see logs from snort

iro4459
New Member
‎10-29-2019 10:54 PM

I try to get my Snort logs in Splunk but i couldn't, i found many tutorials but they are related almost all for Centos or they are old. My indexer and forwarder are Debian. I have installed Splunk for Snort.

Here some information about my forwarder inputs.conf

[monitor:///var/log/snort]
disabled = false
index = snort
sourcetype = snort

[monitor:///var/log/snort/snort.log.*]
disabled = false
index = snort
sourcetype = snort

[monitor:///var/log/syslog]
disabled = false
sourcetype = security

Here some information about my forwarder outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.145.131:9997

[tcpout-server://192.168.145.131:9997]

Both files (inputs.conf & outputs.conf) are located in /opt/splunkforwarder/etc/system/local/

It is important to mention that I can visualize logs from /var/log/syslog

But I'm not seeing anything in Splunk Search. I really appreciate your help to find a solution.

Tags (2)
0 Karma
Reply

wenthold
Communicator
‎10-30-2019 06:17 AM

There could be a number of reasons - the first thing I would check is the permissions.

Are you running Splunk as a service on the box? If so, are you running it as root or a user account? If you're running it as a service account you have to make sure the account as access to read the file. Are you ingesting other logs from this system, and if so are those being forwarded?

I would normally start looking at the splunkd.log file on the host for an idea. grep "/var/log/snort/" /opt/splunkforwarder/var/log/splunk/splunkd.log assuming Splunk is installed in /opt/splunkforwarder, adjust the path as necessary.

If you are running with non-root service account and want to verify permissions, then run this with an account that has sudo access:

sudo su - splunk -s /bin/sh -c 'tail -n 1 $(find /var/log/snort/ -maxdepth 1 -type f -iname 'snort.log.*' -mtime -1 | tail -n 1)'

This assumes that you're running Splunk using the service account "splunk", if you're using a different non-root service account then change "sudo su - splunk ..." to "sudo su - {your service account}"

I also don't think you need the stanza "[monitor:///var/log/snort]" since you have "[monitor:///var/log/snort/snort.log.*]"

good luck!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...