I'm working on configuring my first universal forwarder - I have a Splunk implementation with multiple syslogs and files being indexed from various sources, but now that I'm looking to forward snort_alert_full logs, I'm heading into unfamiliar territory.
What I know:
- I'm seeing a heartbeat to the indexing / receiving server, but no data being sent. If I tail /var/log/snort/alert, I see full alerts being generated, but no additional network traffic on TCP port 9997 between the two servers. I do, however, consistently see the heartbeat every few seconds (I think it's a heartbeat? Maybe it's trying to synchronize, connect, etc.?).
What I don't know:
I created the "receiving" port 9997 on the Splunk indexer - is there anything more I need to do on the indexer?
Why, when I add a new user / password (with the Admin role assigned) to my Splunk receiver, does it not allow me to authenticate remotely?
Also, when I start the Splunk forwarder, I see this:
02-08-2012 12:49:35.171 -0700 INFO TailingProcessor - Parsing configuration stanza: monitor:///var/log/snort/alert.
02-08-2012 12:49:35.171 -0700 INFO BatchReader - State transitioning from 2 to 0 (initOrResume).
02-08-2012 12:49:35.299 -0700 INFO TcpOutputProc - Connected to idx=10.0.0.81:9997
Thanks for the assistance - please let me know if I can provide any additional information!
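The following is an added example, not part of the original post and not Splunk's own code. It writes the minimal forwarder-side inputs.conf/outputs.conf and indexer-side inputs.conf stanzas for the setup described above (monitoring /var/log/snort/alert, sending to 10.0.0.81:9997), and then checks the one thing the posted splunkd.log lines cannot show: whether the account the forwarder runs as can actually read the monitored file. Assumed, not taken from the post: the forwarder runs as the user "splunk", the sourcetype is "snort", the index is "main", and the conf files are written to whatever directory is passed in (normally $SPLUNK_HOME/etc/system/local or an app's local directory).

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: UF runs as user
# "splunk", sourcetype "snort", index "main" (which exists by default; a
# custom index must be created on the indexer first or the data is dropped).

# Forwarder side: what to watch and where to send it.
write_forwarder_conf() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/inputs.conf" <<'EOF'
[monitor:///var/log/snort/alert]
sourcetype = snort
index = main
disabled = 0
EOF
    cat > "$dir/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = snort_indexers

[tcpout:snort_indexers]
server = 10.0.0.81:9997
EOF
}

# Indexer side: the receiving port the post says was already created in the UI;
# this is what that setting looks like on disk.
write_indexer_conf() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/inputs.conf" <<'EOF'
[splunktcp://9997]
disabled = 0
EOF
}

# A common reason for "connected but nothing sent": the monitored file is not
# readable by the account the forwarder runs as (snort often writes its alert
# file as root with a restrictive mode). Returns 0 when readable, 1 otherwise.
check_monitor_readable() {
    file="$1"
    user="${2:-splunk}"
    if [ ! -e "$file" ]; then
        echo "MISSING: $file" >&2
        return 1
    fi
    # Test as the forwarder's account when it exists and we are not already it;
    # otherwise fall back to the current user (e.g. on a workstation).
    if id "$user" >/dev/null 2>&1 && [ "$(id -un)" != "$user" ]; then
        su -s /bin/sh "$user" -c "test -r '$file'" && return 0
        echo "NOT READABLE by $user: $file" >&2
        return 1
    fi
    [ -r "$file" ] && return 0
    echo "NOT READABLE: $file" >&2
    return 1
}

# Walk every [monitor://...] stanza in an inputs.conf and check each path.
# Returns 1 if any monitored path is missing or unreadable.
check_all_monitors() {
    conf="$1"
    user="${2:-splunk}"
    rc=0
    for path in $(sed -n 's|^\[monitor://\(.*\)\]$|\1|p' "$conf"); do
        check_monitor_readable "$path" "$user" || rc=1
    done
    return $rc
}
```

After restarting the forwarder, `splunk list forward-server` should show 10.0.0.81:9997 under active forwards and `splunk list monitor` should list /var/log/snort/alert. On the indexer, a search for `index=_internal host=<forwarder hostname>` confirms the forwarder's own internal logs are arriving over the connection at all; only then is it worth searching `index=main source=/var/log/snort/alert` for the alerts themselves.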