[monitor:///var/log/suricata/eve.json]
disabled = true
sourcetype = suricata
index = suricata
Currently not seeing any eve.json data coming from the Suricata box to the Splunk server. We do get other logs like the syslog, but no eve.json data. Tried throwing the TA into the apps folder on the server; that didn't work. Added index = suricata to the server and it doesn't find it. Any help would be appreciated. Instructions on deploying the app would be nice.
Wait a second. Your description is a bit chaotic.
1. You say that you get other events from the suricata box. How are you ingesting them? Do you have a forwarder installed on the suricata box?
2. Did you deploy the addon with the enabled input to the forwarder on the suricata box?
3. Did you verify the inputs on the forwarder?
splunk btool inputs list monitor
splunk list monitor
splunk list inputstatus
4. Did you check splunkd.log from the suricata box for errors regarding eve.json? (Especially permission-related ones)
1. You say that you get other events from the suricata box. How are you ingesting them? Do you have a forwarder installed on the suricata box?
Yes we have a Universal Forwarder on the suricata box. Currently it is set to monitor syslogs which we see in the search head web app.
2. Did you deploy the addon with the enabled input to the forwarder on the suricata box? Copied the TA to /opt/splunkforwarder/etc/apps/Ta-suricata on the suricata box.
3. Did you verify the inputs on the forwarder? Yes.
btool: host = splunk-nat-sec, index = suricata, sourcetype = suricata, [monitor:///var/log/suricata/eve.json]
splunk list monitor
/var/log/suricata/eve.json, /var/log/syslog
splunk list inputstatus
/var/log/suricata/eve.json, file position = 6824003470, file size = 143583971149, percent = 4.75, type = reading (batch)
splunkd.log has WARN TailReader [tailreader0] - Enqueuing a very large file=/var/log/suricata/eve.json ..... reading of other large files could be delayed.
Then an INFO about trimming input to first line
Then an INFO about shutting down while reading file
/var/log/suricata/eve.json
Then INFO about Batch file input finished reading the file.
It isn't in a spot I can copy and paste. Maybe this is enough. Thanks for your help.
And are you sure the data isn't being indexed with wrong timestamp? Did you check the index contents outside of the supposed time ranges.
In a search of all time on the GUI nothing came up. Checked splunkd on the server; it has "Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD .... defaulting to timestamp of previous event ... context: source=var/log/suricata.eve". It also complains about too many events with the same timestamp. So do we need to add json_no_timestamp somewhere, maybe in a props file? Wouldn't the app tell it how to parse it?
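The two failure modes discussed in this thread (a monitor stanza left at disabled = true, and splunkd failing to find a timestamp inside MAX_TIMESTAMP_LOOKAHEAD and reusing the previous event's time) can both be checked before restarting the forwarder. The script below is an added example for this thread, not code from the thread or from the Suricata TA. It assumes eve.json is one JSON object per line with a top-level "timestamp" field in Suricata's default format (for example 2021-03-04T10:15:30.123456+0000); the inputs.conf text and the eve.json lines are constructed samples, and the props.conf stanza it prints is this example's suggested configuration, not one taken from the TA.

```python
"""Pre-flight check for shipping Suricata eve.json into Splunk.

Added example for this thread, not code from the thread or from the
Suricata TA. All file contents below are constructed samples.
"""
import configparser
import json
import re
from datetime import datetime

# Constructed inputs.conf, mirroring the stanza posted at the top of the thread.
INPUTS_CONF = """
[monitor:///var/log/suricata/eve.json]
disabled = true
sourcetype = suricata
index = suricata
"""

# Where Splunk should look for the event time. TIME_PREFIX, TIME_FORMAT and
# MAX_TIMESTAMP_LOOKAHEAD are real props.conf keys; the values are this
# example's assumption about how Suricata writes its "timestamp" field.
TIME_PREFIX = r'"timestamp":\s*"'
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%6N%z"      # Splunk strptime syntax
PY_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"    # Python equivalent used for the check
MAX_TIMESTAMP_LOOKAHEAD = 40                  # the 31-char timestamp fits comfortably

# Suggested props.conf stanza for the forwarder/indexer (example, not the TA's).
PROPS_CONF = f"""
[suricata]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\\r\\n]+)
KV_MODE = json
TIME_PREFIX = {TIME_PREFIX}
TIME_FORMAT = {TIME_FORMAT}
MAX_TIMESTAMP_LOOKAHEAD = {MAX_TIMESTAMP_LOOKAHEAD}
"""

# Constructed eve.json lines; the last one deliberately lacks a timestamp so the
# "defaulting to timestamp of previous event" case shows up in the report.
EVE_LINES = [
    '{"timestamp":"2021-03-04T10:15:30.123456+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9",'
    '"alert":{"signature":"Constructed test alert","severity":2}}',
    '{"timestamp":"2021-03-04T10:15:31.000001+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}',
    '{"event_type":"stats","uptime":42}',
]


def disabled_monitor_stanzas(conf_text):
    """Return the [monitor:...] stanzas whose 'disabled' key is set to true/1."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return [
        section for section in parser.sections()
        if section.startswith("monitor:")
        and parser.get(section, "disabled", fallback="false").strip().lower() in ("1", "true")
    ]


def check_eve_timestamp(line):
    """Emulate Splunk's timestamp search on one eve.json line.

    Returns the parsed datetime, or None when no timestamp is found after
    TIME_PREFIX within MAX_TIMESTAMP_LOOKAHEAD characters, which is the case
    where Splunk falls back to the previous event's time.
    """
    match = re.search(TIME_PREFIX, line)
    if not match:
        return None
    window = line[match.end(): match.end() + MAX_TIMESTAMP_LOOKAHEAD]
    candidate = window.split('"', 1)[0]
    try:
        return datetime.strptime(candidate, PY_TIME_FORMAT)
    except ValueError:
        return None


def preflight(inputs_conf, eve_lines):
    """Report disabled monitor stanzas and 1-based line numbers lacking a timestamp."""
    report = {
        "disabled_stanzas": disabled_monitor_stanzas(inputs_conf),
        "events_without_timestamp": [],
    }
    for number, line in enumerate(eve_lines, 1):
        json.loads(line)  # one JSON object per line is what Splunk's JSON autokv expects
        if check_eve_timestamp(line) is None:
            report["events_without_timestamp"].append(number)
    return report


if __name__ == "__main__":
    print(json.dumps(preflight(INPUTS_CONF, EVE_LINES), indent=2))
    print(PROPS_CONF)
```

Run against the stanza from the top of the thread the report lists it under disabled_stanzas, which is the same finding the last reply makes; with disabled = false the list is empty. The timestamp check is a local approximation of what the indexer does, useful for confirming that the TIME_PREFIX regex actually matches the field your Suricata build emits before you commit a props.conf change.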
That's interesting though because my whole config for ingesting suricata's eve.log boils down to this:
[monitor:///var/log/suricata/eve.json]
disabled = false
host = backup
index = net
sourcetype = suricata
I don't even have anything configured for the suricata sourcetype. It just automatically gets parsed as json. I should get it configured more reasonably but it's my home lab server so I don't mind.
That's the input file on the Suricata server? Do you have the Suricata-TA installed on the forwarder, on the server, or both, or are you even using the Suricata-TA?
That's the funny part - I don't even have the TA. But I admit I haven't really gotten to the "let's use that data in any way" part which means I didn't care for extractions or CIM-compliance. I wasn't even aware that there is a TA for suricata. I just added an input to pull the events to splunk and that's it.
But on the server you see the events, can search the events, etc.? I guess, what are you doing with the data?
Yes, they are indexed and I can search them. They are getting parsed because they are JSON, so by default Splunk does autokv on JSON events.
Thanks, maybe we just need to chuck the TA and just do it your way. Thanks, man.
Well, the TA seems to not have been updated for the last 5 years. Might be outdated.
Thanks for the help. Changed it and still no eve.json data on the server.
The input is disabled (disabled=true) so nothing will be read from the file. Set disabled=false and restart the Splunk instance.