All Apps and Add-ons

i can't see logs from snort

iro4459
New Member

I try to get my Snort logs in Splunk but i couldn't, i found many tutorials but they are related almost all for Centos or they are old. My indexer and forwarder are Debian. I have installed Splunk for Snort.

Here some information about my forwarder inputs.conf

[monitor:///var/log/snort]
disabled = false
index = snort
sourcetype = snort

[monitor:///var/log/snort/snort.log.*]
disabled = false
index = snort
sourcetype = snort

[monitor:///var/log/syslog]
disabled = false
sourcetype = security

Here some information about my forwarder outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.145.131:9997

[tcpout-server://192.168.145.131:9997]

Both files (inputs.conf & outputs.conf) are located in /opt/splunkforwarder/etc/system/local/

It is important to mention that I can visualize logs from /var/log/syslog

But I'm not seeing anything in Splunk Search. I really appreciate your help to find a solution.

Tags (2)
0 Karma

wenthold
Communicator

There could be a number of reasons - the first thing I would check is the permissions.

Are you running Splunk as a service on the box? If so, are you running it as root or a user account? If you're running it as a service account you have to make sure the account as access to read the file. Are you ingesting other logs from this system, and if so are those being forwarded?

I would normally start looking at the splunkd.log file on the host for an idea. grep "/var/log/snort/" /opt/splunkforwarder/var/log/splunk/splunkd.log assuming Splunk is installed in /opt/splunkforwarder, adjust the path as necessary.

If you are running with non-root service account and want to verify permissions, then run this with an account that has sudo access:

sudo su - splunk -s /bin/sh -c 'tail -n 1 $(find /var/log/snort/ -maxdepth 1 -type f -iname 'snort.log.*' -mtime -1 | tail -n 1)'

This assumes that you're running Splunk using the service account "splunk", if you're using a different non-root service account then change "sudo su - splunk ..." to "sudo su - {your service account}"

I also don't think you need the stanza "[monitor:///var/log/snort]" since you have "[monitor:///var/log/snort/snort.log.*]"

good luck!

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.