I have a central syslog server forwarding snort alerts to my Splunk system via rsyslog. These snort alerts are currently the only data being received by Splunk. The input is configured as syslog and everything is fine in the normal Splunk Search. I really want to use Snort for Splunk, but it isn't parsing anything correctly with the type "syslog."
I manually changed the type to "snort_fast_alert", at which point the IP sections began working, but then the sources of the alerts became the central syslog server rather than the original source of the alert.
The last attempt I had was to simply change the source name to "snort" and leave the sourcetype as "syslog", but still no love from Snort for Splunk. I really need information/aggregation/analysis of the snort alert message field.
I've been Googling this for a while now and cannot seem to find an answer to this seemingly common configuration issue. How can I parse snort alerts received via syslog into Snort for Splunk?
Thanks much!
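One way to get the app's sourcetype and still keep the original sensor as the host, as an added example that is not from the original post or from the Snort for Splunk app: leave the rsyslog input's sourcetype as `syslog` so Splunk's built-in syslog host extraction keeps running, and rewrite the sourcetype per event. It assumes the sensors log with the standard `snort[pid]:` syslog tag and that `snort_fast_alert` is the sourcetype the app's searches key on.

```ini
# props.conf on the indexer or heavy forwarder that receives the rsyslog feed.
# The input stays sourcetype=syslog: index-time transforms are chosen by the
# sourcetype set at input time, so the default syslog-host transform still sets
# host from the syslog header (the sensor), not from the relay. The class name
# "snort" and stanza "snort_sourcetype" are names chosen for this example.
[syslog]
TRANSFORMS-snort = snort_sourcetype

# transforms.conf
[snort_sourcetype]
# Match the syslog tag Snort writes ("snort[pid]:") followed by the
# [gid:sid:rev] rule id. Assumption: the sensor uses the default tag;
# adjust the REGEX if the program name was changed on the sensor.
REGEX = snort\[\d+\]:\s+\[\d+:\d+:\d+\]
# Rewrite only these events to the app's sourcetype; other syslog lines
# arriving on the same input keep sourcetype=syslog.
FORMAT = sourcetype::snort_fast_alert
DEST_KEY = MetaData:Sourcetype
```

Index-time settings need a splunkd restart and apply only to events indexed afterwards; check with `sourcetype=snort_fast_alert | stats count by host` that the hosts are the sensors rather than the central syslog server.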