I'm a bit stuck with this. This is my situation:
- I've installed Snort between the LAN and its GW and all traffic has to go through Snort. This is working perfectly.
- Snort has 2 outputs enabled: 1) unified2, used to introduce data into Snorby, and 2) alert_fast to a file. This file is being read by a Splunk UF and sent to the indexer.
- I've installed Splunk for Snort on the indexer receiving Snort alert_fast data; it's CIM compliant and should fit into an Enterprise Security environment. I think so at least. As the doc says, this data is being sourcetyped as snort_alert_fast. This app will process it and change the sourcetype to snort once CIM fields have been created. This is working too; I've double-checked it in the search panel.
Now, this is my problem. I can't find any kind of data regarding this in the Enterprise security APP.
- In which panel is it supposed to be showing statistics and data from Snort? I guess in some part of the threat menu, but every counter or graph is empty.
- How can I check if Snort data is being processed by the Splunk App for Enterprise Security?
Taking advantage of this question, Splunk for ES is not generating any Notable events... I have no clue about this.
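The checks below are an added example, not part of the original post or of the Splunk for Snort app. ES panels do not read the raw snort events; they read the CIM Intrusion Detection data model, so the useful test is whether the snort events land in that model. The three searches assume the app maps the alerts into the Intrusion_Detection data model (dataset IDS_Attacks, which in CIM means the events carry the tags ids and attack) and that ES writes notables to its default notable index; adjust the time ranges to your retention.

```spl
index=* sourcetype=snort earliest=-24h | stats count by tag

| tstats count from datamodel=Intrusion_Detection where nodename=IDS_Attacks by sourcetype

| datamodel Intrusion_Detection IDS_Attacks search | head 20 | table _time sourcetype IDS_Attacks.signature IDS_Attacks.src IDS_Attacks.dest IDS_Attacks.severity

index=notable earliest=-24h | stats count by search_name
```

Read the results in order. The first search confirms the CIM-renamed events exist and shows which tags they carry; if ids and attack are missing, the app's tags.conf is not being applied and nothing downstream will see them. The second and third searches query the data model directly (tstats falls back to the raw events when the model is not accelerated, so they work before acceleration is turned on); an empty result here with events present in the first search means the tag or field mapping is the problem, not ES. The last search lists which correlation searches have produced notables at all; if it is empty, open Configure > Content Management in ES and check that the intrusion-related correlation searches are enabled and scheduled, since they are what create notables from the data model.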