Interesting observation: the snapshot did not have SnortforSplunk set up. When I set that back up, but with the data input on UDP 1514 (both Barnyard in pfSense and the input in Splunk), it breaks A3Sec (SnortforSplunk ingests and extracts). I played with app permissions (app, global), re-did the data inputs, and sanity-checked the inputs.confs of both apps; I can't find the issue. I've run into this before, but do not recall what I did to get those two apps / two different UDP inputs to play nice.
With the above logs, SnortforSplunk works, but A3Sec's index stops showing events coming in, and it almost looks like for some reason A3Sec's UDP 514 input starts using Snort's .confs (hence the timestamp extraction fails).
I'm thinking that because SnortforSplunk uses an already built-in sourcetype (snort) that defaults to 514, a .conf in system, maybe default or local, is messing up A3Sec's "claim" on 514, but I haven't been able to find this offending .conf.
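The question the post ends on is which file actually owns the `[udp://514]` stanza once Splunk layers every inputs.conf together. On a live host the authoritative answer is `splunk btool inputs list --debug`, which prints each merged attribute next to the file it came from. The script below is an added example (not from the post, and not from either app) that reproduces that layering offline on constructed file contents, so the failure mode described above is visible in one run: a `system/local/inputs.conf` stanza for `udp://514` silently overrides the sourcetype that the A3Sec app set, while A3Sec's `index` attribute survives, so events keep arriving under the wrong sourcetype and timestamp extraction breaks. The file paths, app names and attribute values are assumptions made up for the demonstration; the precedence order is the documented global-context layering (system/local, then app local dirs, then app default dirs, then system/default, with apps ranked in ASCII order of their names).

```python
"""Emulate Splunk's inputs.conf layering to find which file "owns" a UDP input.

Constructed example: the conf contents below are made up to reproduce the
symptom from the thread (a system/local stanza stealing the sourcetype of an
app's [udp://514] input). They are not the real A3Sec or SnortforSplunk files.
On a real host, `splunk btool inputs list --debug` gives the same per-attribute
provenance for the actual files.
"""
import configparser
from typing import Dict, List, Tuple

# Hypothetical files under $SPLUNK_HOME; paths and values are assumptions.
CONFIGS: Dict[str, str] = {
    "etc/system/default/inputs.conf": """
[udp://514]
sourcetype = syslog
connection_host = ip
""",
    "etc/apps/A3Sec/default/inputs.conf": """
[udp://514]
sourcetype = a3sec:syslog
index = a3sec
""",
    "etc/apps/SnortforSplunk/local/inputs.conf": """
[udp://1514]
sourcetype = snort
index = snort
""",
    # The "offending" stanza: a stray system/local override left behind.
    "etc/system/local/inputs.conf": """
[udp://514]
sourcetype = snort
""",
}


def precedence(path: str) -> Tuple[int, str]:
    """Rank a conf path for the global (non-search-time) context.

    Assumed order (Splunk's documented layering): system/local beats every
    app, then app local dirs, then app default dirs, then system/default.
    Among apps, ASCII order of the app name decides ("A" beats "B").
    A lower tuple sorts first and therefore wins.
    """
    parts = path.split("/")
    if parts[1] == "system":
        return (0, "") if parts[2] == "local" else (3, "")
    app, layer = parts[2], parts[3]
    return (1, app) if layer == "local" else (2, app)


def parse(text: str) -> Dict[str, Dict[str, str]]:
    """Parse one inputs.conf body into {stanza: {attr: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk attribute names are case-sensitive
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def resolve(configs: Dict[str, str]) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Merge all files; each attribute records (value, file that supplied it)."""
    merged: Dict[str, Dict[str, Tuple[str, str]]] = {}
    for path in sorted(configs, key=precedence):  # highest precedence first
        for stanza, attrs in parse(configs[path]).items():
            target = merged.setdefault(stanza, {})
            for key, value in attrs.items():
                target.setdefault(key, (value, path))  # first writer wins
    return merged


def overlaps(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Stanzas defined in more than one file, listed highest precedence first."""
    seen: Dict[str, List[str]] = {}
    for path in sorted(configs, key=precedence):
        for stanza in parse(configs[path]):
            seen.setdefault(stanza, []).append(path)
    return {s: paths for s, paths in seen.items() if len(paths) > 1}


if __name__ == "__main__":
    for stanza, attrs in resolve(CONFIGS).items():
        print(f"[{stanza}]")
        for key, (value, path) in attrs.items():
            print(f"  {key} = {value:<14} <- {path}")
    for stanza, paths in overlaps(CONFIGS).items():
        print(f"CONFLICT [{stanza}] defined in: {', '.join(paths)}")
```

Running it shows `sourcetype = snort` for `udp://514` coming from `etc/system/local/inputs.conf` while `index = a3sec` still comes from the A3Sec app, which is exactly the "index stops showing events / wrong extractions" pattern: the input is alive, but it is being parsed as `snort`. The `overlaps` output is the list of files to check; a stanza that appears in `system/local` on top of an app's own copy is the usual culprit, since nothing in an app's permissions (app vs. global sharing) can out-rank it.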