All Apps and Add-ons

splunk for snort - universalforwarder - resolved (file was binary).

mayler
Path Finder

I'm trying to get my snort data to splunk. I've installed the universalfowarder on the snort box,

monitoring /var/log/snort/snort.log

Here is some information from the Forwarder

etc/system/inputs.conf

[monitor:///var/log/snort/snort.log]

host = snort

sourcetype=snort_alert_full

etc/system/outputs.conf

[tcpout]

defaultGroup = 10.1.57.198_9514

disabled = false

[tcpout:10.1.57.198_9514]

server = 10.1.57.198:9514

[tcpout-server://10.1.57.198:9514]

netstat -a

tcp 0 0 snort.ntwk:59892 10.1.57.198:9514 ESTABLISHED

metrics.log

04-26-2011 11:48:05.026 -0700 INFO Metrics - group=tcpout_connections, index:10.1.57.198:9514:0, sourcePort=8089, destIp=10.1.57.198, destPort=9514, _tcp_Bps=587.97, _tcp_KBps=0.57, _tcp_avg_thruput=0.58, _tcp_Kprocessed=1461, _tcp_eps=0.70

Here is some information from the Receiver

/etc/apps/SplunkforSnort/local/inputs.conf

[splunktcp://9514]

sourcetype = snort

connection_host = dns

metrics.log

04-26-2011 11:48:33.427 -0700 INFO Metrics - group=tcpin_connections, 10.1.57.8:59891:9514,
connectionType=cooked, sourcePort=59891, sourceHost=snort.ntwk, sourceIp=10.1.57.8,
destPort=9514, _tcp_Bps=585.45, _tcp_KBps=0.57, _tcp_avg_thruput=0.56, kb=17.72, _tcp_Kprocessed=1401.00, _tcp_eps=0.74, build=98164, version=4.2.1, os=Linux, arch=i686, hostname=snort, guid=63421A46-231F-414F-A119-5D1482F5F32C, fwdType=uf, ssl=false, lastIndexer=10.1.57.198:9514, ack=false

But I'm not seeing anything in Splunk Web Search. Any help would be really appreciated. Thanks for looking.

0 Karma

tiagotavares
New Member

The key is the -K parameter. In my case I used -K ascii

/usr/sbin/snort -K ascii -c /etc/snort/snort_eth2.conf -l /var/log/snort_internet -i eth2
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...