All Apps and Add-ons

Forwarding snort /var/log/snort/alert, universal forwarder

weston01
Engager

Greetings Splunkbase,

I'm working on configuring my first universal forwarder - I have a Splunk implementation with multiple syslogs and files being indexed from various sources, but now that I'm looking to forward snort_alert_full logs, I'm heading into unfamiliar territory.

What I know:

- I'm seeing a heartbeat to the indexing / receiving server, but no data being sent. If I tail /var/log/snort/alert, I see full alerts being generated, but no additional network traffic on tcp port 9997 between the two servers. I do, however, consistently see the heartbeat every few seconds (I think it's a heartbeat? Maybe it's trying to synchronize, connect, etc.?).

What I don't know:

  • I created the "receiving" port 9997 on the Splunk indexer - is there anything more I need to do on the indexer?
  • Why, when I add a new user / password (Admin role is assigned) to my Splunk receiver, it isn't allowing me to authenticate remotely:

    /opt/splunkforwarder/bin/splunk add forward-server 10.0.0.81:9997 -auth forward:test123

Returns:

Login failed
Login failed
Unauthorized

In

/opt/splunkforwarder/var/log/splunk/splunkd.log

I see:

02-08-2012 12:39:55.053 -0700 ERROR UserManagerPro - Login failed for unknown user="forward"

I am currently using the "admin:changeme" combo to authenticate for the moment, just for testing purposes.

  • Are my .conf files correct?

I spent some time on splunkbase looking for common snort universal forwarder configurations.

Here are the contents of my inputs.conf and outputs.conf files:

inputs.conf

[default]
host = server.domain.local
[monitor:///var/log/snort/alert]

disabled = false

index = ids

sourcetype = snort_alert _full

outputs.conf

[tcpout]

maxQueueSize = 500KB

[tcpout]

defaultGroup = splunk

[tcpout:splunk]

disabled = false

server = 10.0.0.81:9997

compressed = false

Also, when I start the splunk forwarder, I see this:

02-08-2012 12:49:35.171 -0700 INFO  TailingProcessor - Parsing configuration stanza: monitor:///var/log/snort/alert.
02-08-2012 12:49:35.171 -0700 INFO  BatchReader - State transitioning from 2 to 0 (initOrResume).
02-08-2012 12:49:35.299 -0700 INFO  TcpOutputProc - Connected to idx=10.0.0.81:9997

Thanks for the assistance - please let me know if I can provide any additional information!

0 Karma
1 Solution

weston01
Engager

Ok, I'm here to eat crow - here's the fix.

  • I had a space in my log source:

sourcetype = snort_alert _full

Changed to:

sourcetype = snort_alert_full

  • My Snort server's time was off - Splunk will log syslog events at the time they are received, but the Splunk Forwarder maintains the time the log was generated on the source server.

View solution in original post

weston01
Engager

Ok, I'm here to eat crow - here's the fix.

  • I had a space in my log source:

sourcetype = snort_alert _full

Changed to:

sourcetype = snort_alert_full

  • My Snort server's time was off - Splunk will log syslog events at the time they are received, but the Splunk Forwarder maintains the time the log was generated on the source server.

View solution in original post

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!