When trying to install the Splunk add-on for Snort on Enterprise Security the following error is shown:
Is it needed to install this add-on in order to view data from the Snort alert.ids file? And if so, is there any way to solve this error?
I am using the same alert.ids on the Splunk for Snort app and there is data shown.
Tested on Splunk 6.2.0 for both Windows 8 and Ubuntu with the same error shown.
Tested on Splunk 6.0.1 and 6.2.0 on a separate computer also on Windows 8.
I can't tell what you're trying to do... Neither TA-snort (old addon that ships with ES) nor Splunk_TA_sourcefire (new addon that also supports Snort) need or have a setup process.
Your snort logs should be in a directory somewhere, tell Splunk to monitor it and set the sourcetype to snort.
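The monitor input the answer above describes, written out as an added example (it is not from the original thread or from either add-on). The alert file path and the index name are assumptions chosen for illustration; only the `snort` sourcetype comes from the answer. The stanza belongs in `inputs.conf` inside an app or in `etc/system/local` on the forwarder or indexer that can read the file.

```ini
# Added example, not from the thread: inputs.conf monitor stanza for a Snort
# fast-alert file. Adjust the path (assumed here) to where Snort actually
# writes alert.ids on this host; on Windows use a drive-letter path such as
# monitor://C:\Snort\log\alert.ids.
[monitor:///var/log/snort/alert.ids]
# Sourcetype the Snort add-ons key their field extractions on (from the answer).
sourcetype = snort
# Index is an assumption; use whichever index your ES searches cover.
index = snort
disabled = false
```

After restarting Splunk, a search such as `index=snort sourcetype=snort` should return the events; if it returns nothing, check that the Splunk user can read the file and that the file is actually growing, before suspecting the add-on.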
Thanks for the help! I was trying to get the Snort data to appear on Intrusion Center but nothing was showing. I thought that it might have been something to do with the add-ons so I was trying to look into it. I have now realised that it might have been a problem with my Snort log files.
Sorry for the inconvenience as I am new to Splunk!