I am trying to get my Snort logs into Splunk but I couldn't. I found many tutorials, but almost all of them are for CentOS or they are old. My indexer and forwarder are Debian. I have installed Splunk for Snort.
Here is some information about my forwarder inputs.conf:
[monitor:///var/log/snort]
disabled = false
index = snort
sourcetype = snort
[monitor:///var/log/snort/snort.log.*]
disabled = false
index = snort
sourcetype = snort
[monitor:///var/log/syslog]
disabled = false
sourcetype = security
Here is some information about my forwarder outputs.conf:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 192.168.145.131:9997
[tcpout-server://192.168.145.131:9997]
Both files (inputs.conf & outputs.conf) are located in /opt/splunkforwarder/etc/system/local/
It is important to mention that I can see logs from /var/log/syslog.
But I'm not seeing anything from Snort in Splunk Search. I really appreciate your help to find a solution.
There could be a number of reasons. The first thing I would check is the permissions.
Are you running Splunk as a service on the box? If so, are you running it as root or as a user account? If you're running it as a service account you have to make sure the account has access to read the file. Are you ingesting other logs from this system, and if so, are those being forwarded?
I would normally start by looking at the splunkd.log file on the host for an idea:
grep "/var/log/snort/" /opt/splunkforwarder/var/log/splunk/splunkd.log
This assumes Splunk is installed in /opt/splunkforwarder; adjust the path as necessary.
If you are running with a non-root service account and want to verify permissions, then run this with an account that has sudo access (the inner pattern must use double quotes so it does not terminate the single-quoted command string):
sudo su - splunk -s /bin/sh -c 'tail -n 1 "$(find /var/log/snort/ -maxdepth 1 -type f -iname "snort.log.*" -mtime -1 | tail -n 1)"'
This assumes that you're running Splunk using the service account "splunk". If you're using a different non-root service account, then change "sudo su - splunk ..." to "sudo su - {your service account}".
I also don't think you need the stanza "[monitor:///var/log/snort]" since you have "[monitor:///var/log/snort/snort.log.*]"
good luck!
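The two checks the answer above recommends (can the forwarder's account read the Snort files, and does splunkd.log complain about the monitored path) can be scripted. The script below is an added example, not code from the thread or from Splunk: it builds a constructed sample directory and a constructed splunkd.log in a temp folder so it runs offline, and the log lines only imitate the general shape of splunkd.log. On a real forwarder, point SNORT_DIR at /var/log/snort and SPLUNKD_LOG at /opt/splunkforwarder/var/log/splunk/splunkd.log instead.

```shell
#!/bin/sh
# Added troubleshooting helper (not from the thread above). It checks whether
# the current user can read the Snort log files a [monitor://] stanza points
# at, and whether splunkd.log carries WARN/ERROR lines about that path.

# list_unreadable DIR PATTERN
# Prints each regular file in DIR matching PATTERN that the current user
# cannot read. Run it as the service account (e.g. sudo -u splunk sh ...)
# to see what the forwarder sees; root can read everything, so running it
# as root says nothing about the service account.
list_unreadable() {
    find "$1" -maxdepth 1 -type f -name "$2" 2>/dev/null | sort |
    while IFS= read -r f; do
        [ -r "$f" ] || printf '%s\n' "$f"
    done
}

# count_unreadable DIR PATTERN  -> prints how many matching files are unreadable
count_unreadable() {
    list_unreadable "$1" "$2" | wc -l | tr -d ' '
}

# monitor_errors LOGFILE PATH
# Prints WARN/ERROR lines from LOGFILE that mention PATH; exit status is
# non-zero when there are none, so it can be used directly in an if.
monitor_errors() {
    grep -E ' (WARN|ERROR) ' "$1" | grep -F -- "$2"
}

# ---- constructed sample environment (stands in for a real forwarder) ----
SAMPLE_ROOT="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
SNORT_DIR="$SAMPLE_ROOT/snort"
SPLUNKD_LOG="$SAMPLE_ROOT/splunkd.log"
mkdir -p "$SNORT_DIR"
printf '[**] [1:1000001:1] sample alert [**]\n' > "$SNORT_DIR/snort.log.1"
printf '[**] [1:1000001:1] sample alert [**]\n' > "$SNORT_DIR/snort.log.2"
chmod 000 "$SNORT_DIR/snort.log.2"   # simulate a file the service account cannot read
# Constructed lines in the general shape of splunkd.log; not real Splunk output.
cat > "$SPLUNKD_LOG" <<'EOF'
01-01-2024 10:00:00.000 +0000 INFO  TailingProcessor - Adding watch on path: /var/log/syslog.
01-01-2024 10:00:01.000 +0000 WARN  TailingProcessor - Insufficient permissions to read file='/var/log/snort/snort.log.2'
01-01-2024 10:00:02.000 +0000 INFO  TcpOutputProc - Connected to idx=192.168.145.131:9997
EOF

# ---- run the checks ----
echo "Files under $SNORT_DIR the current user cannot read:"
list_unreadable "$SNORT_DIR" 'snort.log.*'
echo "Unreadable count: $(count_unreadable "$SNORT_DIR" 'snort.log.*')"
echo "splunkd.log warnings/errors mentioning /var/log/snort/:"
monitor_errors "$SPLUNKD_LOG" /var/log/snort/ || echo "(none)"
```

Run it once as yourself and once as the forwarder's service account; a file that shows up as unreadable only in the second run is exactly the permissions problem the answer describes, and a matching WARN line in splunkd.log confirms the forwarder hit it.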