How to install Snort for Splunk

rweales · ‎11-28-2012

I have Snort forwarding syslog to my Splunk server. I can see the Snort alerts show up in Splunk.

How do I get the "Splunk for Snort" app to show this data? I have installed the app and can pull it up, but it's empty...

According to install instructions:
"You will need to enable the appropriate inputs, either via inputs.conf, or through the Manager in the Splunk GUI."

I'm not sure how to go about doing this. I already have a port 514 UDP input(which is how Snort alerts are getting to Splunk.) I can't add another.

Thanks
Ron

Ayn · ‎12-01-2012

You'd need to rewrite the sourcetype based on something that uniquely identifies the logs as Snort logs, like that they come from a certain host, contain something unique to Snort, etc. sourcetype rewriting is totally doable but I imagine can cause some confusion if you're new to Splunk. Here's an answer that can get you going: http://splunk-base.splunk.com/answers/34251/udp514-and-source-types

Also this: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Advancedsourcetypeoverrides

rweales · ‎11-30-2012

Forgive me for my newbness on this topic but I don't understand how to change the sourcetype.

It appears that I do that in the Splunk Data Preview app. How? Create a new Event Type?

Ayn · ‎11-29-2012

Then you need to resolve that. As the documentation for the app says, the sourcetype needs to be "snort_alert_fast" for the "fast" log format, and "snort_alert_full" for the full log format.

rweales · ‎11-29-2012

The sourcetype is syslog.

Ayn · ‎11-28-2012

What sourcetype do your Snort events have?

How to install Snort for Splunk

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor