I have Snort forwarding syslog to my Splunk server. I can see the Snort alerts show up in Splunk.
How do I get the "Splunk for Snort" app to show this data? I have installed the app and can pull it up, but it's empty...
According to install instructions:
"You will need to enable the appropriate inputs, either via inputs.conf, or through the Manager in the Splunk GUI."
I'm not sure how to go about doing this. I already have a port 514 UDP input (which is how Snort alerts are getting to Splunk). I can't add another.
Thanks
Ron
You'd need to rewrite the sourcetype based on something that uniquely identifies the logs as Snort logs, like that they come from a certain host, contain something unique to Snort, etc. Sourcetype rewriting is totally doable, but I imagine it can cause some confusion if you're new to Splunk. Here's an answer that can get you going: http://splunk-base.splunk.com/answers/34251/udp514-and-source-types
Also this: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Advancedsourcetypeoverrides
Forgive me for my newbness on this topic but I don't understand how to change the sourcetype.
It appears that I do that in the Splunk Data Preview app. How? Create a new Event Type?
What sourcetype do your Snort events have?
The sourcetype is syslog.
Then you need to resolve that. As the documentation for the app says, the sourcetype needs to be "snort_alert_fast" for the "fast" log format, and "snort_alert_full" for the full log format.
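As an added example (not from the original thread or from the Splunk for Snort app), here is one way to do the sourcetype rewrite described in the answer above and in the last comment: an index-time override in props.conf/transforms.conf that turns events arriving on the shared UDP 514 input from "syslog" into "snort_alert_fast". It assumes the sensor emits Snort's fast alert format and that each syslog line carries the "[gid:sid:rev]" signature id after the "snort" program name; the stanza names and the regex are my assumptions, not values from the page.

```ini
# props.conf (on the indexer or heavy forwarder that owns the UDP 514 input;
# index-time TRANSFORMS are not applied by a universal forwarder)
[syslog]
# Assumed stanza name; runs the transform below against every syslog event.
TRANSFORMS-snort_sourcetype = snort_fast_alert_override

# transforms.conf
[snort_fast_alert_override]
# Assumed regex: matches fast-format alerts logged via syslog, e.g.
#   snort[1234]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] ...
# Any other syslog line on the same port leaves the event as sourcetype=syslog.
REGEX = snort(\[\d+\])?:\s+\[\d+:\d+:\d+\]
FORMAT = sourcetype::snort_alert_fast
DEST_KEY = MetaData:Sourcetype
WRITE_META = true

# Alternative if the sensor host is the only syslog sender worth matching:
# replace the [syslog] stanza in props.conf with a host-scoped one, e.g.
# [host::snort-sensor]   (hostname is a placeholder)
# TRANSFORMS-snort_sourcetype = snort_fast_alert_override
```

Restart Splunk after editing, then confirm with a search such as `sourcetype=snort_alert_fast` over the last few minutes; only events indexed after the change are affected, since this is an index-time rewrite.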