Hi Everyone,
I'm new to splunk and snort, so please bear with me. I am setting up a test snort machine running splunk locally. I have configured logging within the snort.conf file, and I am able to see these logs in splunk; however, these logs are not being recognized by splunk for snort app. Meaning, no logs show when I switch to the app, I get no stats in the statistics dashboard, and I am unable to get any results when I run a report.
I am pulling these logs into splunk via local file. I have the following in my snort.conf file:
config logdir: C:\Snort\log
output alert_fast: alert.fast
output alert_full: alert.full
I have set up two data inputs in "files & directories" in Splunk. One is set up for C:\Snort\log\alert.full with a sourcetype of snort_alerts_full, and the other is set up for C:\Snort\log\alert.fast with the sourcetype of snort_alerts_fast. Within the search App I am able to view the logs in these sourcetypes and am able to verify the logs are full and fast alert logs from Snort. The Splunk for Snort App page located here seems to suggest the app is looking for my sourcetypes and will change the sourcetype to "snort" for use within the app, but that doesn't seem to be the case.
Any suggestions? I tried searching within the app for the sourcetypes above and was able to pull in logs, but the reports were wanting to run off sourcetype snort. Maybe I'll try changing the sourcetype to snort. Thanks for any help/suggestions.
I forgot, here's the command I'm using to start snort:
c:\snort\bin\snort -i2 -d -e -v -c c:\snort\etc\snort.conf
Dan
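As an added example (not from Dan's post or from the Splunk for Snort app), a small Python parser for the alert.fast lines Dan is ingesting: it assumes the standard Snort 2 alert_fast layout with IPv4 addresses, uses constructed sample lines, and is useful for checking which fields a file actually carries (and how many lines do not match) before deciding how Splunk should sourcetype it.

```python
import re
from collections import Counter

# Pattern for one Snort 2 alert_fast line (assumed layout, IPv4 only).
# Classification and Priority are optional; ports are absent for ICMP.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<classification>[^\]]+)\])?"
    r"(?:\s+\[Priority:\s*(?P<priority>\d+)\])?"
    r"\s+\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)
INT_FIELDS = ("gid", "sid", "rev", "priority", "sport", "dport")

# Constructed sample of an alert.fast file, including one line that is not an alert.
SAMPLE = """\
01/28-22:26:04.885446  [**] [1:1000001:0] ICMP test [**] [Classification: Generic ICMP event] [Priority: 3] {ICMP} 192.168.1.100 -> 192.168.1.1
01/28-22:26:05.101010  [**] [1:1000002:1] TCP test [**] [Priority: 2] {TCP} 10.0.0.5:44321 -> 10.0.0.9:80
this line is not a snort alert
"""


def parse_fast_line(line):
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = FAST_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    for f in INT_FIELDS:  # numeric fields become ints; missing ones stay None
        if rec[f] is not None:
            rec[f] = int(rec[f])
    return rec


def parse_fast_text(text):
    """Parse a whole alert.fast file; return (records, number of rejected lines)."""
    records, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_fast_line(line)
        if rec is None:
            rejected += 1
        else:
            records.append(rec)
    return records, rejected


def count_by(records, field):
    """Count alerts by one field, the kind of figure a statistics dashboard shows."""
    return dict(Counter(r[field] for r in records))
```

A non-zero rejected count on a real file usually means the output format differs from the assumed layout (for example alert_full or a different Snort version), which is worth knowing before mapping the file to a sourcetype.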