I'm trying to get my Snort data to Splunk. I've installed the Universal Forwarder on the Snort box,
monitoring /var/log/snort/snort.log.
Here is some information from the Forwarder
etc/system/inputs.conf
[monitor:///var/log/snort/snort.log]
host = snort
sourcetype=snort_alert_full
etc/system/outputs.conf
[tcpout]
defaultGroup = 10.1.57.198_9514
disabled = false
[tcpout:10.1.57.198_9514]
server = 10.1.57.198:9514
[tcpout-server://10.1.57.198:9514]
netstat -a
tcp 0 0 snort.ntwk:59892 10.1.57.198:9514 ESTABLISHED
metrics.log
04-26-2011 11:48:05.026 -0700 INFO Metrics - group=tcpout_connections, index:10.1.57.198:9514:0, sourcePort=8089, destIp=10.1.57.198, destPort=9514, _tcp_Bps=587.97, _tcp_KBps=0.57, _tcp_avg_thruput=0.58, _tcp_Kprocessed=1461, _tcp_eps=0.70
Here is some information from the Receiver
/etc/apps/SplunkforSnort/local/inputs.conf
[splunktcp://9514]
sourcetype = snort
connection_host = dns
metrics.log
04-26-2011 11:48:33.427 -0700 INFO Metrics - group=tcpin_connections, 10.1.57.8:59891:9514, connectionType=cooked, sourcePort=59891, sourceHost=snort.ntwk, sourceIp=10.1.57.8, destPort=9514, _tcp_Bps=585.45, _tcp_KBps=0.57, _tcp_avg_thruput=0.56, kb=17.72, _tcp_Kprocessed=1401.00, _tcp_eps=0.74, build=98164, version=4.2.1, os=Linux, arch=i686, hostname=snort, guid=63421A46-231F-414F-A119-5D1482F5F32C, fwdType=uf, ssl=false, lastIndexer=10.1.57.198:9514, ack=false
But I'm not seeing anything in Splunk Web Search. Any help would be really appreciated. Thanks for looking.
The key is the -K parameter. In my case I used -K ascii.
/usr/sbin/snort -K ascii -c /etc/snort/snort_eth2.conf -l /var/log/snort_internet -i eth2
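The metrics in the question show bytes flowing on both ends (about 0.58 KB/s), so the forwarder was reading the file; the answer points at what was in it. Snort's default packet logger (-K pcap) writes snort.log as a binary pcap capture, which the indexer cannot break into readable events, while -K ascii produces text. The script below is an added example, not part of the original thread or of Snort or Splunk, that inspects the first bytes of whatever file you are monitoring and reports whether it is pcap, ASCII alert text (Snort's full alert format brackets each header with "[**]"), or some other binary. The pcap bytes and alert lines embedded in it are constructed samples, not real captures; the magic numbers are libpcap's standard ones.

```python
"""Check whether a Snort log file is binary pcap or ASCII text before forwarding it.

Added example (not from the original post). Usage: python snort_log_kind.py /var/log/snort/snort.log
"""
import struct
import sys

# libpcap global-header magic numbers (first 4 bytes of the file) and the
# struct byte-order prefix needed to read the record headers that follow.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}
PCAP_GLOBAL_HEADER_LEN = 24  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_HEADER_LEN = 16  # ts_sec, ts_frac, incl_len, orig_len


def classify(data: bytes) -> str:
    """Return 'empty', 'pcap', 'ascii' or 'binary' for the contents of a Snort log file."""
    if not data:
        return "empty"
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "binary"
    # Control bytes other than line breaks and tabs mean this is not alert text.
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return "ascii"
    return "binary"


def count_pcap_packets(data: bytes) -> int:
    """Walk the pcap record headers and count packets; raise ValueError on a truncated file."""
    endian = PCAP_MAGICS[data[:4]]
    offset = PCAP_GLOBAL_HEADER_LEN
    count = 0
    while offset < len(data):
        if offset + PCAP_RECORD_HEADER_LEN > len(data):
            raise ValueError("truncated pcap record header at offset %d" % offset)
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + PCAP_RECORD_HEADER_LEN])
        offset += PCAP_RECORD_HEADER_LEN + incl_len
        if offset > len(data):
            raise ValueError("truncated packet data at offset %d" % offset)
        count += 1
    return count


def count_ascii_alerts(data: bytes) -> int:
    """Count Snort full-format alert headers, which start and end with '[**]'."""
    return sum(1 for line in data.decode("ascii").splitlines()
               if line.startswith("[**]") and line.rstrip().endswith("[**]"))


def summarize(data: bytes) -> dict:
    """Kind of file plus how many records (packets or alerts) it holds."""
    kind = classify(data)
    if kind == "pcap":
        return {"kind": kind, "records": count_pcap_packets(data)}
    if kind == "ascii":
        return {"kind": kind, "records": count_ascii_alerts(data)}
    return {"kind": kind, "records": 0}


def _pcap_packet(ts_sec: int, payload: bytes) -> bytes:
    """Build one little-endian pcap record for the constructed sample below."""
    return struct.pack("<IIII", ts_sec, 0, len(payload), len(payload)) + payload


# Constructed sample: the binary that Snort's default -K pcap logger leaves behind
# (global header written little-endian, then two dummy packets; not a real capture).
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    + _pcap_packet(1303843685, b"\x00" * 14 + b"\x45\x00" + b"\x00" * 26)
    + _pcap_packet(1303843686, b"\xff" * 60)
)

# Constructed sample: two alerts in Snort's full ASCII alert format (made-up sids and hosts).
SAMPLE_ALERT = b"""[**] [1:1000001:1] Constructed test alert [**]
[Classification: Misc activity] [Priority: 3]
04/26-11:48:05.026000 10.1.57.8 -> 10.1.57.198
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84

[**] [1:1000002:1] Second constructed alert [**]
[Classification: Misc activity] [Priority: 3]
04/26-11:48:07.101000 10.1.57.8 -> 10.1.57.198
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], summarize(fh.read()))
    else:
        print("sample pcap :", summarize(SAMPLE_PCAP))
        print("sample alert:", summarize(SAMPLE_ALERT))
```

Run it against the file named in the forwarder's monitor stanza. A result of kind "pcap" means the indexer is receiving packet bytes, not events, and the fix is on the Snort side (ASCII logging or a text alert output), not in inputs.conf; "ascii" with a non-zero alert count means the data itself is searchable and the problem lies elsewhere, for example in the sourcetype or time range used in the search.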