Can anyone point me in the right direction? I just don't seem to be able to get any data to display in the Snort app.
I've configured /etc/rsyslog.d/50-default.conf to send all logs to my Snort server (Windows):
*.* @@x.x.x.x:514
I've configured /etc/snort/snort.conf to output to /var/log/snort/alert.full and alert.fast:
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fast: alert.fast
output alert_full: alert.full
I've opened the firewall on the Splunk server and tested connectivity to TCP 514; I already have other hosts sending event logs and syslog over UDP 514 successfully.
I've added a TCP data input (source type snort, port 514) and restarted Snort, but nothing: the app remains blank. What am I missing?
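The post chains three things together (Snort's alert_syslog output, rsyslog's TCP forwarding with `@@`, and a Splunk TCP input on 514), so the useful first step is to test each link on its own. The script below is an added troubleshooting harness, not code from the post, the Snort project or the Splunk app. It builds an RFC 3164 syslog line the way rsyslog frames it over TCP (newline-terminated, PRI 33 for LOG_AUTH/LOG_ALERT as in the posted snort.conf), sends it to a tiny local TCP listener that stands in for the Splunk input, and parses the received alert into the fields a `sourcetype=snort` extraction depends on. The hostname `sensor01`, the tag `snort[1234]`, the fixed timestamp and the sample alert (SID 1000001, the 10.0.0.x addresses) are all constructed for this example.

```python
import re
import socket
import threading
from datetime import datetime

# Constructed sample: the message part of a Snort alert as the alert_syslog output
# plugin writes it (gid:sid:rev, message, classification, priority, protocol, flow).
# SID, message text and addresses are made up for this example.
SAMPLE_ALERT = ("[1:1000001:1] Constructed ICMP test alert "
                "[Classification: Misc activity] [Priority: 3]: {ICMP} 10.0.0.5 -> 10.0.0.1")

ALERT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<classification>[^\]]*)\] \[Priority: (?P<priority>\d+)\]:? "
    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def parse_alert(message):
    """Split a Snort alert message into the fields a snort sourcetype extraction relies on."""
    m = ALERT_RE.match(message)
    return m.groupdict() if m else None


def build_syslog_line(message, hostname="sensor01", tag="snort[1234]",
                      facility=4, severity=1, when=datetime(2024, 1, 15, 10, 30, 0)):
    """Wrap a message in RFC 3164 framing as rsyslog forwards it over TCP (@@):
    <PRI>TIMESTAMP HOSTNAME TAG: MSG, newline-terminated (no octet counting).
    facility 4 = LOG_AUTH, severity 1 = LOG_ALERT, i.e. 'output alert_syslog: LOG_AUTH LOG_ALERT'.
    Hostname, tag and the fixed timestamp are constructed defaults for this example."""
    pri = facility * 8 + severity
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # RFC 3164 day-of-month is space-padded
    return f"<{pri}>{ts} {hostname} {tag}: {message}\n"


def send_over_tcp(host, port, lines, timeout=5.0):
    """Deliver pre-framed syslog lines to a TCP collector; returns the number of bytes sent."""
    payload = "".join(lines).encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
    return len(payload)


def start_collector(host="127.0.0.1", port=0):
    """Minimal TCP listener standing in for the Splunk TCP input.
    Returns (bound_port, received_lines, thread); port=0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    srv.settimeout(5.0)
    bound_port = srv.getsockname()[1]
    received = []

    def run():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            srv.close()
            return
        srv.close()                      # one connection is enough for this check
        with conn:
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
        received.extend(buf.decode("utf-8").splitlines())

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return bound_port, received, t


def end_to_end_check(host="127.0.0.1", port=None, alerts=(SAMPLE_ALERT,)):
    """Frame the alerts, send them, and report what the collector received, parsed.
    With port=None a local stand-in collector is started; pass the Splunk host and 514
    instead to exercise the real input (then look for the events in Splunk itself)."""
    received, thread = None, None
    if port is None:
        port, received, thread = start_collector(host)
    sent = send_over_tcp(host, port, [build_syslog_line(a) for a in alerts])
    if thread is not None:
        thread.join(timeout=5.0)
    # The first ': ' ends the syslog TAG; everything after it is the Snort message.
    parsed = [parse_alert(line.split(": ", 1)[1]) for line in received] if received else []
    return {"sent_bytes": sent, "received": received, "parsed": parsed}


if __name__ == "__main__":
    result = end_to_end_check()
    for line, fields in zip(result["received"], result["parsed"]):
        print(line)
        print("  parsed:", fields)
```

Run it as-is and the local loop should show one received line with all fields parsed; that confirms the framing and the parser. Then call `end_to_end_check("x.x.x.x", 514)` from the sensor: if the connection is accepted and the event still does not appear in Splunk, the problem is on the Splunk side (input, index or the app's sourcetype), and if it is refused, the problem is between the hosts. If both work, the remaining suspect is that Snort is not writing to syslog at all, which `tail -f` on alert.fast after a matching packet settles quickly.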