I am trying to get my Snort logs into Splunk but I couldn't; I found many tutorials, but almost all of them are for CentOS or are old. My indexer and forwarder are Debian. I have installed Splunk for Snort.
Here is some information about my forwarder inputs.conf:
[monitor:///var/log/snort]
disabled = false
index = snort
sourcetype = snort
[monitor:///var/log/snort/snort.log.*]
disabled = false
index = snort
sourcetype = snort
[monitor:///var/log/syslog]
disabled = false
sourcetype = security
Here is some information about my forwarder outputs.conf:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 192.168.145.131:9997
[tcpout-server://192.168.145.131:9997]
Both files (inputs.conf & outputs.conf) are located in /opt/splunkforwarder/etc/system/local/
It is important to mention that I can see logs from /var/log/syslog,
but I'm not seeing anything in Splunk Search. I would really appreciate your help finding a solution.
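A small checker for the two forwarder files quoted in the post, added here as an example and not part of the original post or of any Splunk tooling. It parses constructed copies of the inputs.conf and outputs.conf stanzas above and reports the things that usually explain "syslog shows up but the other source does not": a monitor stanza that writes to a non-default index (here `index = snort`), which must exist on the indexer and must be named explicitly in the search (`index=snort`) because the default search scope only covers the role's default indexes; a monitor path that is already covered by a parent directory monitor; and a `defaultGroup` with no matching `[tcpout:<group>]` stanza or an output group with no server. The checks are generic heuristics written for this example, not Splunk's own validation, and the `main` default index is an assumption about an unmodified installation.

```python
"""Sanity-check Splunk forwarder inputs.conf / outputs.conf text.

Added example; the two config strings below are constructed copies of the
stanzas quoted in the post. Nothing here talks to a forwarder or indexer.
"""
import configparser

INPUTS_CONF = """\
[monitor:///var/log/snort]
disabled = false
index = snort
sourcetype = snort

[monitor:///var/log/snort/snort.log.*]
disabled = false
index = snort
sourcetype = snort

[monitor:///var/log/syslog]
disabled = false
sourcetype = security
"""

OUTPUTS_CONF = """\
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.145.131:9997

[tcpout-server://192.168.145.131:9997]
"""

DEFAULT_INDEX = "main"  # assumption: where events land when a stanza sets no index


def parse_conf(text):
    """Parse Splunk .conf text (INI-like) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. defaultGroup
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def monitor_targets(inputs):
    """Map each enabled monitor path to the index its events will be written to."""
    targets = {}
    for stanza, body in inputs.items():
        if not stanza.startswith("monitor://"):
            continue
        if body.get("disabled", "false").lower() in ("true", "1"):
            continue
        path = stanza[len("monitor://"):]
        targets[path] = body.get("index", DEFAULT_INDEX)
    return targets


def shadowed_monitors(inputs):
    """Return (child, parent) pairs where a monitor path lies inside another
    monitored directory, so the same file matches two stanzas."""
    paths = list(monitor_targets(inputs))
    pairs = []
    for child in paths:
        for parent in paths:
            if child == parent or "*" in parent:
                continue
            if child.startswith(parent.rstrip("/") + "/"):
                pairs.append((child, parent))
    return pairs


def output_groups(outputs):
    """Return {group: [server, ...]} for every [tcpout:<group>] stanza."""
    groups = {}
    for stanza, body in outputs.items():
        if stanza.startswith("tcpout:"):
            servers = [s.strip() for s in body.get("server", "").split(",") if s.strip()]
            groups[stanza[len("tcpout:"):]] = servers
    return groups


def findings(inputs, outputs):
    """Collect plain-text findings to check before suspecting the indexer itself."""
    out = []
    for path, index in monitor_targets(inputs).items():
        if index != DEFAULT_INDEX:
            out.append(f"{path}: events go to index={index}; that index must exist on the "
                       f"indexer and the search must name it explicitly (index={index})")
    for child, parent in shadowed_monitors(inputs):
        out.append(f"{child} is already covered by the directory monitor {parent}")
    groups = output_groups(outputs)
    default = outputs.get("tcpout", {}).get("defaultGroup")
    if default not in groups:
        out.append(f"defaultGroup={default!r} has no matching [tcpout:{default}] stanza")
    for group, servers in groups.items():
        if not servers:
            out.append(f"[tcpout:{group}] lists no server")
    return out


if __name__ == "__main__":
    for line in findings(parse_conf(INPUTS_CONF), parse_conf(OUTPUTS_CONF)):
        print("-", line)
```

For the quoted configuration the output side passes, and the inputs side reports that both Snort stanzas write to `index=snort` (so `index=snort` must be searched, and the index must exist on the indexer) and that the `snort.log.*` stanza is already covered by the `/var/log/snort` directory monitor. To run it against real files, replace the two constructed strings with `open(path).read()` on `/opt/splunkforwarder/etc/system/local/inputs.conf` and `outputs.conf`.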