Getting Data In

Currently not seeing any eve.json data coming from the suricata box to the Splunk server

wyomoose
Engager
[monitor:///var/log/suricata/eve.json]

disabled=true

sourcetype= suricata

index = suricata

Currently not seeing any  eve.json data coming from the suricata box to the splunk server? We do get other logs like the syslog but no eve.json data? Tried throwing the TA out in the APPs folder on the server that didn't work. Added index = suricata to the server and it doesn't find it. Any help would be appreciated.  Instructions on deploying the app would be nice. 

Labels (1)
Tags (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Wait a second. Your description is a bit chaotic.

1. You say that you get other events from the suricata box. How are you ingesting them? Do you have  forwarder installed on the suricata box?

2. Did you deploy the addon with the enabled input to the forwarder on the suricata box?

3. Did you verify the inputs on the forwarder?

splunk btool inputs list monitor

splunk list monitor

splunk list inputstatus

4. Did you check splunkd.log from the suricata box for errors regarding eve.json? (Especially permission-related ones)

wyomoose
Engager

You say that you get other events from the suricata box. How are you ingesting them? Do you have  forwarder installed on the suricata box?

Yes we have a Universal Forwarder on the suricata box. Currently it is set to monitor syslogs which we see in the search head web app. 

2. Did you deploy the addon with the enabled input to the forwarder on the suricata box? Copied the TA to  /opt/splunkforwarder/etc/apps/Ta-suricata on the suricata box. 

3.3. Did you verify the inputs on the forwarder? yes

btool    host= splunk-nat-sec, index= suricata, sourcetype = suricata, [monitor:///var/log/suricata/eve.json]

splunk list monitor

/var/log/suricata/eve.json,  /var/log/syslog

splunk list input status

/var/log/suricata/eve.json, file position = 6824003470, file size = 143583971149,  percent = 4.75, type = reading (batch)

splunkd. log has Warn Tailreader [ tailreader0] - Enquueing a very large file=/var/log/suricata/eve.json ..... readinf of other large files could be delayed.

Then an INFO about trimming input to first line

Then an INFO about shutting down while reading file

/var/log/suricata/eve.json

Then INfO about Batch file input finished reading the file. 

It isn't in a spot I can copy and paste. Maybe this is enough. Thanks for your help.  

 

 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

And are you sure the data isn't being indexed with wrong timestamp? Did you check the index contents outside of the supposed time ranges.

0 Karma

wyomoose
Engager

in a search of all time on the GUI nothing came up. Checked SplunkD on the server it has Failed to Parse TImeStamp in first MAX_TIMESTAMP_LOOKHEAD ....defaulting to timestamp of previous event...context: source=var/log/suricata.eve. It also complains about too many events with the same timestamp. So do we need to add json_no_timestamp somehwere  maybe in a props file? Wouldn't the app tell it how to parse it?    

0 Karma

PickleRick
SplunkTrust
SplunkTrust

That's interesting though because my whole config for ingesting suricata's eve.log boils down to this:

[monitor:///var/log/suricata/eve.json]
disabled = false
host = backup
index = net
sourcetype = suricata

I don't even have anything configured for the suricata sourcetype. It just automatically gets parsed as json. I should get it configured more reasonably but it's my home lab server so I don't mind.

0 Karma

wyomoose
Engager

Thats the input file on the suricata server? Do you have the Suricata-TA installed on the forwarder or the server or both or are you even using the Suricata-TA. 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

That's the funny part - I don't even have the TA. But I admit I haven't really gotten to the "let's use that data in any way" part which means I didn't care for extractions or CIM-compliance. I wasn't even aware that there is a TA for suricata. I just added an input to pull the events to splunk and that's it.

0 Karma

wyomoose
Engager

But on the server, you see the events, can search the event, etc? Guess what are you doing with the data? 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Yes, they are indexed, and I can search them, they are getting parsed as they are jsons so by default Splunk does autokv on json events.

0 Karma

wyomoose
Engager

Thanks maybe we just need to chuck the TA and just do it your way. Thanks man

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Well, the TA seems to not have been updated for the last 5 years. Might be outdated.

0 Karma

wyomoose
Engager

Thanks for the help. Changed it and still no eve.json data on the server.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The input is disabled (disabled=true) so nothing will be read from the file.  Set disabled=false and restart the Splunk instance.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...