Splunk Enterprise Security

Why am I getting error "The path '/en-US/custom/TA-snort/taunixsetup/TA-snort/setup" when trying to install Splunk add-on for Snort?

kianhong1995
New Member

When trying to install the Splunk add-on for Snort on Enterprise Security the following error is shown:

http://imgur.com/hFRjCXf

Is it needed to install this add-on in order to view data from the Snort alert.ids file? And if so, is there any way to solve this error?

I am using the same alert.ids on the Splunk for Snort app and there is data shown.
Tested on Splunk 6.2.0 for both Windows 8 and Ubuntu with the same error shown.
Tested on Splunk 6.0.1 and 6.2.0 on a separate computer also on Windows 8.

0 Karma
1 Solution

jcoates_splunk
Splunk Employee

I can't tell what you're trying to do... Neither TA-snort (old add-on that ships with ES) nor Splunk_TA_sourcefire (new add-on that also supports Snort) needs or has a setup process.

Your Snort logs should be in a directory somewhere; tell Splunk to monitor it and set the sourcetype to snort.
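
The monitor input described in the answer above, as an added example that is not part of the original post: an `inputs.conf` stanza, assuming the Snort alert file sits at the hypothetical path `/var/log/snort/alert.ids` and that the stanza is placed in a `local/inputs.conf` on the instance that can read that file.

```ini
# inputs.conf (added example; the path below is an assumption, not from the thread)
# A monitor stanza tells Splunk to tail the file and index new lines as they arrive.
[monitor:///var/log/snort/alert.ids]
# The sourcetype must be "snort", as the answer states, so that the add-on's
# field extractions and tags apply to these events.
sourcetype = snort
disabled = false
```

After restarting Splunk, a search for `sourcetype=snort` over the index this input writes to should return the alerts; if it returns nothing, the input is not reading the file.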

kianhong1995
New Member

Thanks for the help! I was trying to get the Snort data to appear on Intrusion Center but nothing was showing. I thought that it might have been something to do with the add-ons so I was trying to look into it. I have now realised that it might have been a problem with my Snort log files.

Sorry for the inconvenience as I am new to Splunk!

0 Karma