
SPLUNK for SNORT not working

thunbolt22
Engager

I am trying to get Splunk for Snort up and running with no luck. I am new to Snort, Splunk, and Linux in general. But here is what I have:
CentOS running Snort and producing an alert and log file
Windows PC running Splunk

I set up the universal forwarder and all my Snort alerts appear in Splunk as sourcetype snort_alert_full, using the following command:
/opt/splunkforwarder/bin/splunk add monitor /etc/log/snort/ -index main -sourcetype snort_alert_full

When viewing in Splunk for Snort I have no results. My understanding is that when the data is processed it should be renamed from snort_alert_full to snort; I don't see this happening. And I cannot search for src_ip as it is not being indexed properly.

Is there something I have to do to get Splunk for Snort to process the data and index it properly?

1 Solution

thunbolt22
Engager

I ended up reinstalling Splunk for Snort and everything worked.



starcher
Influencer

Try changing Snort to alert fast, then do the same for the file monitor for the Splunk forwarder.

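As an added illustration (not code from this thread or from the Splunk for Snort app), the parser below pulls the fields the app's search-time extractions are meant to produce (src_ip, dest_ip, ports, gid/sid/rev, priority, classification, proto) from both the alert_full blocks thunbolt22 is forwarding and the alert_fast lines starcher suggests. The sample alerts are constructed, the field names are assumed to mirror Splunk's conventions, and the ICMP block shows the no-port case that a naive pattern would miss.

```python
import re

# Constructed sample alerts (not from the thread): one alert_fast line and an
# alert_full file with a TCP block and a port-less ICMP block.
FAST_LINE = ("01/15-14:23:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check "
             "returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] "
             "{TCP} 192.168.1.10:80 -> 10.0.0.5:51234")
FULL_LOG = """[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/15-14:23:01.123456 192.168.1.10:80 -> 10.0.0.5:51234
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:60 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7A8B  Win: 0xFFFF  TcpLen: 32

[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
01/15-14:23:02.000001 10.0.0.5 -> 192.168.1.10
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1234   Seq:1  ECHO
"""

# Field names chosen to mirror Splunk conventions (src_ip, dest_ip, ...); assumed, not the app's own.
SIG_RE = re.compile(r"\[\*\*\]\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<signature>.*?)\s*\[\*\*\]")
CLASS_RE = re.compile(r"\[Classification:\s*(?P<classification>[^\]]*)\]")
PRIO_RE = re.compile(r"\[Priority:\s*(?P<priority>\d+)\]")
# Ports are optional so ICMP alerts (no ports) still yield src_ip/dest_ip.
ADDR_RE = re.compile(r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<src_port>\d+))?\s*->\s*"
                     r"(?P<dest_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dest_port>\d+))?")
PROTO_FAST_RE = re.compile(r"\{(?P<proto>[A-Z]+)\}")          # alert_fast: "{TCP}"
PROTO_FULL_RE = re.compile(r"^(?P<proto>[A-Z]+)\s+TTL:", re.M)  # alert_full: "TCP TTL:64 ..."

def parse_snort_alert(text):
    """Extract fields from one alert_fast line or one alert_full block; None if not an alert."""
    fields = {}
    for rx in (SIG_RE, CLASS_RE, PRIO_RE, ADDR_RE):
        m = rx.search(text)
        if m:
            fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    m = PROTO_FAST_RE.search(text) or PROTO_FULL_RE.search(text)
    if m:
        fields["proto"] = m.group("proto")
    # Without a signature id and a source address the record is useless for searching.
    return fields if "src_ip" in fields and "sid" in fields else None

def parse_full_log(text):
    """Split an alert_full file into its blank-line-separated blocks and parse each one."""
    blocks = (b for b in re.split(r"\n\s*\n", text) if b.strip())
    return [r for r in map(parse_snort_alert, blocks) if r]
```

Running the same parser over a fast line and the equivalent full block yields identical records, which is why switching formats, as suggested above, should not lose fields as long as the sourcetype matches the format actually being written.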