
I can't see logs from Snort

iro4459
New Member

I am trying to get my Snort logs into Splunk but I couldn't. I found many tutorials, but almost all of them are for CentOS or they are old. My indexer and forwarder are Debian. I have installed Splunk for Snort.

Here is some information about my forwarder inputs.conf:

[monitor:///var/log/snort]
disabled = false
index = snort
sourcetype = snort

[monitor:///var/log/snort/snort.log.*]
disabled = false
index = snort
sourcetype = snort

[monitor:///var/log/syslog]
disabled = false
sourcetype = security

Here is some information about my forwarder outputs.conf:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.145.131:9997

[tcpout-server://192.168.145.131:9997]

Both files (inputs.conf and outputs.conf) are located in /opt/splunkforwarder/etc/system/local/.

It is important to mention that I can visualize logs from /var/log/syslog

But I'm not seeing anything in Splunk Search. I really appreciate your help to find a solution.


wenthold
Communicator

There could be a number of reasons - the first thing I would check is the permissions.

Are you running Splunk as a service on the box? If so, are you running it as root or as a user account? If you're running it as a service account, you have to make sure the account has access to read the file. Are you ingesting other logs from this system, and if so, are those being forwarded?

I would normally start by looking at the splunkd.log file on the host for an idea: grep "/var/log/snort/" /opt/splunkforwarder/var/log/splunk/splunkd.log (assuming Splunk is installed in /opt/splunkforwarder; adjust the path as necessary).

If you are running with a non-root service account and want to verify permissions, then run this with an account that has sudo access:

sudo su - splunk -s /bin/sh -c 'tail -n 1 $(find /var/log/snort/ -maxdepth 1 -type f -iname "snort.log.*" -mtime -1 | tail -n 1)'

This assumes that you're running Splunk using the service account "splunk"; if you're using a different non-root service account, then change "sudo su - splunk ..." to "sudo su - {your service account}".

I also don't think you need the stanza "[monitor:///var/log/snort]", since you have "[monitor:///var/log/snort/snort.log.*]".

Good luck!

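A small diagnostic script for the two points in the answer above (whether the service account can read the monitored files, and the nested monitor stanzas). This is an added example, not code from the thread or from Splunk; the sample inputs.conf it builds is constructed, with the thread's paths rewritten under a temp directory. Run the functions as the Splunk service account (for example via sudo -u splunk) against /opt/splunkforwarder/etc/system/local/inputs.conf.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a forwarder inputs.conf for
# [monitor://] stanzas nested inside another monitored path, and for monitored
# files the current user cannot read. Sample data below is constructed.

# Print the path from every [monitor://...] stanza header.
monitor_paths() {
    sed -n 's/^\[monitor:\/\/\(.*\)\]$/\1/p' "$1"
}

# Print one "NESTED child inside parent" line for each monitor path that lies
# under another monitored path (the thread's /var/log/snort and
# /var/log/snort/snort.log.* overlap this way).
nested_monitors() {
    set -f                      # do not let the shell expand snort.log.*
    paths=$(monitor_paths "$1")
    for child in $paths; do
        for parent in $paths; do
            [ "$child" = "$parent" ] && continue
            case "$child" in
                "$parent"/*) echo "NESTED $child inside $parent" ;;
            esac
        done
    done
    set +f
}

# Print "UNREADABLE path" for every monitored file the current user cannot read.
# Globs in the stanza are expanded by the shell; directories are walked.
unreadable_files() {
    for p in $(monitor_paths "$1"); do
        [ -e "$p" ] || continue
        find "$p" -type f | while IFS= read -r f; do
            [ -r "$f" ] || echo "UNREADABLE $f"
        done
    done
}

# Build a constructed sample in a temp dir: the thread's two snort stanzas with
# their paths rewritten under the temp dir, plus one readable snort.log file.
make_sample() {
    base=$(mktemp -d)
    mkdir -p "$base/var/log/snort"
    echo "constructed sample event" > "$base/var/log/snort/snort.log.1700000000"
    printf '[monitor://%s/var/log/snort]\nindex = snort\nsourcetype = snort\n\n' "$base" > "$base/inputs.conf"
    printf '[monitor://%s/var/log/snort/snort.log.*]\nindex = snort\nsourcetype = snort\n' "$base" >> "$base/inputs.conf"
    echo "$base/inputs.conf"
}
```

On the thread's configuration, nested_monitors reports the snort.log.* stanza as nested inside the /var/log/snort stanza, and unreadable_files stays silent only when the account running it can read every file under both paths.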