
I can't see logs from Snort

iro4459
New Member

I am trying to get my Snort logs into Splunk but I couldn't. I found many tutorials, but almost all of them are for CentOS or they are old. My indexer and forwarder are Debian. I have installed Splunk for Snort.

Here is some information about my forwarder inputs.conf:

[monitor:///var/log/snort]
disabled = false
index = snort
sourcetype = snort

[monitor:///var/log/snort/snort.log.*]
disabled = false
index = snort
sourcetype = snort

[monitor:///var/log/syslog]
disabled = false
sourcetype = security

Here is some information about my forwarder outputs.conf:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.145.131:9997

[tcpout-server://192.168.145.131:9997]

Both files (inputs.conf & outputs.conf) are located in /opt/splunkforwarder/etc/system/local/

It is important to mention that I can visualize logs from /var/log/syslog

But I'm not seeing anything in Splunk Search. I really appreciate your help to find a solution.


wenthold
Communicator

There could be a number of reasons - the first thing I would check is the permissions.

Are you running Splunk as a service on the box? If so, are you running it as root or as a user account? If you're running it as a service account, you have to make sure the account has access to read the file. Are you ingesting other logs from this system, and if so, are those being forwarded?

I would normally start by looking at the splunkd.log file on the host for an idea:

grep "/var/log/snort/" /opt/splunkforwarder/var/log/splunk/splunkd.log

This assumes Splunk is installed in /opt/splunkforwarder; adjust the path as necessary.

If you are running with a non-root service account and want to verify permissions, run this with an account that has sudo access:

sudo su - splunk -s /bin/sh -c 'tail -n 1 "$(find /var/log/snort/ -maxdepth 1 -type f -iname "snort.log.*" -mtime -1 | tail -n 1)"'

This assumes that you're running Splunk using the service account "splunk"; if you're using a different non-root service account, change "sudo su - splunk ..." to "sudo su - {your service account}".

I also don't think you need the stanza "[monitor:///var/log/snort]" since you have "[monitor:///var/log/snort/snort.log.*]"

good luck!

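The two checks in the answer above (can the service account actually read the files under the monitor path, and does splunkd.log mention that path at all) can be scripted so they are repeatable. The helper below is an added example written for this thread; it is not wenthold's code and not part of Splunk. The function names, the scratch directory and the sample splunkd.log lines in the demo are constructed assumptions; the log line format is approximated, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original thread): triage helper for a Splunk
# universal forwarder [monitor://...] path that produces no events.
# Assumptions (not from the thread): the helper names, the constructed
# sample splunkd.log lines and the temporary directory layout in demo().

# Report whether the *current* user can read every file under DIR that
# matches PATTERN. Run it as the Splunk service account, e.g.
#   sudo -u splunk sh this_script.sh demo
# so the result mirrors what splunkd itself can open.
# Returns 0 when all matching files are readable, 1 otherwise.
check_readable() {
    dir=$1
    pattern=$2
    status=0
    for f in "$dir"/$pattern; do          # pattern unquoted: let the glob expand
        [ -e "$f" ] || continue           # no match: the glob stayed literal
        if [ -r "$f" ]; then
            echo "readable:     $f"
        else
            echo "NOT readable: $f (owner $(ls -ld "$f" | awk '{print $3}'))"
            status=1
        fi
    done
    return $status
}

# Count splunkd.log lines that mention MONITOR_PATH. The forwarder logs
# tailing and permission problems there, so zero hits usually means the
# input stanza never matched a file, while a WARN hit names the real cause.
splunkd_hits() {
    logfile=$1
    monitor_path=$2
    grep -c -F "$monitor_path" "$logfile" 2>/dev/null || true
}

# Self-contained demo on a constructed scratch directory (no real /var/log access).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/snort"
    echo "alert" > "$tmp/snort/snort.log.1700000000"
    # Constructed sample splunkd.log lines; wording approximated, not a real capture.
    cat > "$tmp/splunkd.log" <<EOF
01-01-2024 10:00:00.000 +0000 INFO  TailingProcessor - Adding watch on path: /var/log/syslog.
01-01-2024 10:00:01.000 +0000 WARN  FileInputTracker - Insufficient permissions to read file='/var/log/snort/snort.log.1700000000'.
EOF
    check_readable "$tmp/snort" 'snort.log.*'
    echo "splunkd.log hits for /var/log/snort/: $(splunkd_hits "$tmp/splunkd.log" /var/log/snort/)"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

On a real forwarder host you would call check_readable /var/log/snort 'snort.log.*' while running as the service account and splunkd_hits /opt/splunkforwarder/var/log/splunk/splunkd.log /var/log/snort/ as any user that can read the Splunk log; a file listed as NOT readable is a permission problem, and zero hits in splunkd.log points at the monitor stanza never matching anything.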