I have an odd problem. I just set up a splunk instance and its only monitoring local linux logs at the moment. The logs contain iptables logs that are feeding in correctly as I see the right fields (eventtype, signature, dst, dpt, src, action, etc.)
However, the odd thing is when I try to search on the eventtype or signature for iptables (eventtype=firewall-deny or signature=firewall), nothing comes back. This is despite the fact that when I hover over the signature field in the field discovery panel is shows 200+ events for signature=firewall.
I'm assuming the eventtype=firewall-deny is not working because it depends on signature working.
So, am I doing something wrong or is there something I need to do in order to get it working correctly?