
i can't see logs from snort

iro4459
New Member

I am trying to get my Snort logs into Splunk but I couldn't. I found many tutorials, but almost all of them are for CentOS or they are old. My indexer and forwarder are Debian. I have installed Splunk for Snort.

Here is some information about my forwarder inputs.conf:

[monitor:///var/log/snort]
disabled = false
index = snort
sourcetype = snort

[monitor:///var/log/snort/snort.log.*]
disabled = false
index = snort
sourcetype = snort

[monitor:///var/log/syslog]
disabled = false
sourcetype = security

Here is some information about my forwarder outputs.conf:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.168.145.131:9997

[tcpout-server://192.168.145.131:9997]

Both files (inputs.conf & outputs.conf) are located in /opt/splunkforwarder/etc/system/local/.

It is important to mention that I can see the logs from /var/log/syslog.

But I'm not seeing anything from Snort in Splunk Search. I would really appreciate your help in finding a solution.


wenthold
Communicator

There could be a number of reasons. The first thing I would check is the permissions.

Are you running Splunk as a service on the box? If so, are you running it as root or as a user account? If you're running it as a service account, you have to make sure the account has access to read the file. Are you ingesting other logs from this system, and if so, are those being forwarded?

I would normally start by looking at the splunkd.log file on the host for an idea:

grep "/var/log/snort/" /opt/splunkforwarder/var/log/splunk/splunkd.log

This assumes Splunk is installed in /opt/splunkforwarder; adjust the path as necessary.

If you are running with a non-root service account and want to verify permissions, then run this with an account that has sudo access:

sudo su - splunk -s /bin/sh -c 'tail -n 1 "$(find /var/log/snort/ -maxdepth 1 -type f -iname "snort.log.*" -mtime -1 | tail -n 1)"'

This assumes that you're running Splunk using the service account "splunk". If you're using a different non-root service account, change "sudo su - splunk ..." to "sudo su - {your service account}".

I also don't think you need the stanza "[monitor:///var/log/snort]", since you already have "[monitor:///var/log/snort/snort.log.*]".

Good luck!

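The two checks suggested in the answer above (can the service account read what each [monitor://] stanza points at, and does splunkd.log show the forwarder touching those paths) as one POSIX sh script. This is an added example, not code from the thread or from Splunk; the inputs.conf and splunkd.log paths in the usage comment are the ones from the question and the Snort file names are assumed.

```shell
#!/bin/sh
# Added example: audit the [monitor://] stanzas of a Universal Forwarder
# inputs.conf as the service account that runs the forwarder, e.g.:
#   sudo -u splunk sh audit_inputs.sh \
#       /opt/splunkforwarder/etc/system/local/inputs.conf \
#       /opt/splunkforwarder/var/log/splunk/splunkd.log

# Print the path part of every [monitor://...] stanza in an inputs.conf.
monitor_paths() {
    sed -n 's|^\[monitor://\(.*\)\][[:space:]]*$|\1|p' "$1"
}

# Check that every file matched by a monitor path (a directory, a file, or
# a glob such as /var/log/snort/snort.log.*) is readable by the current user.
# Returns 0 if all are readable, 1 if any is unreadable, 2 if nothing matched.
path_readable() {
    pattern=$1 status=0 found=0
    # A directory stanza makes Splunk recurse into it, so check its files.
    [ -d "$pattern" ] && pattern="$pattern/*"
    for f in $pattern; do            # unquoted on purpose: expand the glob
        [ -e "$f" ] || continue
        found=1
        if [ ! -r "$f" ]; then
            echo "NOT READABLE by $(id -un): $f" >&2
            status=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "NO MATCH: $pattern" >&2
        return 2
    fi
    return "$status"
}

# Count splunkd.log lines that mention a monitor path. Zero means the
# forwarder never tried to open it (stanza not loaded or path wrong), which
# is a different problem from a permission error on a file it did open.
splunkd_mentions() {
    grep -c -F -- "$2" "$1" || true
}

# Audit every stanza: non-zero if any path is unreadable or matches nothing.
audit_inputs() {
    rc=0
    for p in $(monitor_paths "$1"); do
        path_readable "$p" || rc=1
        echo "$p: $(splunkd_mentions "$2" "$p") splunkd.log line(s)"
    done
    return "$rc"
}
```

Run it once as root and once as the service account; a path that is readable in the first run but not the second is exactly the permission problem the answer describes.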