I am looking to get Snort logs picked up by a light forwarder on Windows 2008. The light forwarder was easy to set up and is sending the server logs via SSL nicely.
I have Snort all set up but am unsure of which Snort output settings to choose and how to make the input for Splunk.
I have read this page http://layer8problem.blogspot.com/2009/03/collecting-snort-logs-with-splunk.html
but it doesn't go into the details of the two configs needed really, and talks about a lot of other settings that I am not sure are still needed in the newer versions here.
I am just going for "simple" right now, just a proof of concept that these two apps can play nicely on Windows 2008 and send the files out to the Splunk server. So my Splunk and Snort installs are out-of-the-box, no-frills setups right now with nothing special going on.
Any help would be appreciated.
I finally boiled it down to

[monitor://c:\snort\log\alert.full*]
sourcetype = snort_alert_full

in the search/local/inputs.conf on the forwarder; I think this will get it.
It works!!! Little red dots on the globe from every ip that has done something suspicious from multiple computers! This is too awesome.
Hey, thanks everyone. I think I see where to add the settings on the forwarder.
So I have a light forwarder (4.1.3) reading Snort logs with the following configuration in /opt/splunk/etc/apps/search/local/inputs.conf:

[monitor:///var/log/by2/output/alert_full*]
disabled = false
followTail = 1
sourcetype = snort
source = snort
index = security
I assume here I will put in a windows style path like c:\snort\log\alert_full*.
I spent all day getting snort finally working right and am excited to see my snort log on my splunk server!
First, you may want to take a look at the app on splunkbase for snort with Splunk 4.x which you can find here.
The next step, and very important, is to add the Snort files as your input into Splunk. You can do this fairly easily through the web GUI. Just go to "Manager>>Data inputs" and you can add a new file or directory that you wish to monitor. Just be sure to add the correct sourcetype names as instructed on the App page under the installation section ("snort_alert_full" or "snort_alert_fast"). Once you have these defined and the correct files are being monitored (the default log directory for Snort I believe is /var/log/snort) you should see data being indexed. Here is a tutorial for Splunk that helps you get started with adding inputs to Splunk.
The other file you may be referencing is the props.conf file. I don't believe that you will need to do any editing of that file at the moment, but if you do then you will want to check out the documentation for that file, which can be found here.
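The answers above rely on the Splunk for Snort app's sourcetypes to pull fields out of the alert files. As an added example that is not from this thread, the app, or Snort itself, here is a small Python parser for Snort's one-line alert_fast layout (the format is assumed from Snort's documented output; the sample lines are constructed) that also produces the per-source-IP counts behind a "red dots on the globe" style view.

```python
import re

# Layout of Snort's one-line "alert_fast" output (assumed from Snort's documented format):
# timestamp [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
# Classification is optional and ports are absent for ICMP; IPv4 only here.
ALERT_FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s*)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample lines in alert_fast layout (not real captured traffic); the
# last line stands in for a partial write or junk that a parser must skip.
SAMPLE_ALERTS = """\
01/28-22:26:04.877970  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.1.5:1900 -> 239.255.255.250:1900
01/28-22:27:10.103321  [**] [1:366:7] ICMP PING *NIX [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 192.168.1.20
01/28-22:30:01.000000  [**] [1:2003:8] SQL Worm propagation attempt [**] [Priority: 2] {UDP} 198.51.100.9:1434 -> 192.168.1.20:1434
this line is not an alert and must be skipped
"""

def parse_alert_fast_line(line):
    """Return a dict of fields for one alert_fast line, or None if it does not parse."""
    m = ALERT_FAST_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "timestamp": g["ts"], "gid": int(g["gid"]), "sid": int(g["sid"]), "rev": int(g["rev"]),
        "msg": g["msg"], "classification": g["cls"], "priority": int(g["prio"]),
        "proto": g["proto"], "src_ip": g["src"], "dst_ip": g["dst"],
        "src_port": int(g["sport"]) if g["sport"] else None,
        "dst_port": int(g["dport"]) if g["dport"] else None,
    }

def parse_alert_fast(text):
    """Parse a whole alert_fast file's worth of text, dropping lines that do not parse."""
    parsed = (parse_alert_fast_line(line) for line in text.splitlines())
    return [alert for alert in parsed if alert is not None]

def top_sources(alerts, max_priority=3):
    """Count alerts per source IP at priority <= max_priority (1 is most severe),
    sorted by count descending then IP; the data behind a per-source map panel."""
    counts = {}
    for alert in alerts:
        if alert["priority"] <= max_priority:
            counts[alert["src_ip"]] = counts.get(alert["src_ip"], 0) + 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))
```

Pointing parse_alert_fast at the text of the monitored alert file gives the same fields the sourcetype extractions would, which is handy for checking that the forwarder is picking up complete lines.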
Check out the Splunk for Snort app on Splunkbase. I would set up an input for the snort log files on your light forwarder, and make sure to assign the appropriate snort sourcetype as discussed in the Splunk for Snort app's readme. Everything should work automagically then 🙂