
Set sourcetype by source with props.conf not working

Explorer

I'm using a lightweight forwarder installed on Ubuntu to forward Snort alerts to my main Splunk server.

On the main server my C:\Program Files\Splunk\etc\system\local\props.conf contains this

[source::/var/log/snort/alert.full]
sourcetype = snort_alert_full

Why do all the Snort alerts with source /var/log/snort/alert.full still have sourcetype 'snort' instead of 'snort_alert_full'?

Note: I'm trying to get Splunk for Snort 4.x to work. It requests all snort alerts with sourcetype 'snort_alert_full'.


Splunk Employee

Sourcetype is set in the input phase, i.e., in this case on the LWF, not on the indexer.

Please see: http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F for more detail.

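The answer above says the source type is assigned in the input phase, on the forwarder. As an added example (not configuration from the thread or from the Splunk for Snort app), these are the stanzas that would do that on the Ubuntu light forwarder. Placing them under $SPLUNK_HOME/etc/system/local on the forwarder, and the second monitor stanza for alert.fast, are assumptions; the point is that nothing in the indexer's props.conf is consulted for input-time source typing of data the forwarder has already tagged.

```ini
# Added example, not from the original thread. Paths under
# $SPLUNK_HOME/etc/system/local/ on the Ubuntu light forwarder are
# assumed. Both stanzas below live on the forwarder, not on the
# Windows indexer.

# --- inputs.conf (forwarder) ---
# Explicit per-input assignment: the simplest and least ambiguous way.
[monitor:///var/log/snort/alert.full]
sourcetype = snort_alert_full
disabled = false

# alert.fast input is an assumption; the app accepts snort_alert_fast too.
[monitor:///var/log/snort/alert.fast]
sourcetype = snort_alert_fast
disabled = false

# --- props.conf (forwarder), alternative to the sourcetype lines above ---
# A [source::...] stanza carrying sourcetype= is applied by file-based
# inputs at input time, so it only has an effect on the host that reads
# the file, i.e. the forwarder. Putting it on the indexer does nothing.
[source::/var/log/snort/alert.full]
sourcetype = snort_alert_full
```

After restarting the forwarder, `splunk btool inputs list --debug` and `splunk btool props list --debug` run on the forwarder show which file each effective setting comes from, which is the quickest way to spot a stanza in another app or in system/local that is overriding yours. Only data read after the change gets the new source type; events already indexed keep the one they arrived with.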

New Member

Can anyone point me in the right direction, I just don't seem to be able to get any data to display in the snort app.

I've configured /etc/rsyslog.d/50-default.conf to send all logs to my snort server (windows)

*.* @@x.x.x.x:514

I've configured /etc/snort/snort.conf to output to /var/log/snort/alert.full & alert.fast

output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast: alert.fast
output alert_full: alert.full

I've opened the firewall on the Splunk server and tested connectivity to TCP 514, I already have other hosts sending event logs and syslog UDP 514 successfully.

I've added a TCP data input source type snort port 514, restarted snort but nothing, the app remains blank. What am I missing?


Legend

The Splunk for Snort app renames the sourcetype, so "snort_alert_fast" and "snort_alert_full" both become "snort". Check $SPLUNK_HOME/etc/apps/SplunkforSnort/props.conf for details.

The reason why you can't just set the sourcetype to "snort" right away is that the format of the alert files (particularly full) requires Splunk to parse them a bit differently depending on whether you have fast or full. Once that initial parsing is done though, it's all just "snort" to Splunk. All field extractions, etc., in the app refer to the "snort" sourcetype, so if that's what you've got it should all be working properly.

I just uploaded a newer version of the app to Splunkbase that contains bugfixes and feature enhancements. Do let me know if you run into any problems as I've only been able to test the app on my own systems with my own logs - feedback is greatly appreciated!

Kind regards, Patrik


Explorer

The sourcetype might be getting set elsewhere in a file/location that takes precedence. If it were me, I'd:

find /opt/splunk/etc -name "*.conf" -exec grep -l snort {} \;

to look for possible candidates.



Explorer

Thanks, this helped a lot.


Super Champion

What is your configuration on the light forwarder? I think in newer Splunk versions (4.0+) the sourcetype can be specified on the lightweight forwarder. (Someone correct me if I'm wrong about this..... this is why I gave up on lightweight forwarders.)

Also, some of this may be helpful: What’s the best way to track down props.conf problems?

BTW, posting your inputs.conf and props.conf on the forwarder would be helpful. (You can add it to your question using the "edit" link.)
