Could someone provide some setup guides for getting snort logs sent over to splunk?
I have installed the splunk forwarder and set it up to send the snort logs located in /var/log/snort/ but splunk did not see it. I just sent over /var/log/ and splunk saw this just fine. Now, do the snort logs need to be in a certain format? I am not able to read it with vim on my centos machine either.
I have messed with these files so many ways but nothing worked:
/opt/splunkforwarder/etc/apps/search/local/local.conf
/opt/splunkforwarder/etc/system/local/local.conf
/opt/splunkforwarder/etc/system/local/output.conf
I have also installed Splunk for Snort
and untarred it to the /opt/splunkforwarder/etc/apps/ directory, but I don't know how to configure this.
So far this is how my .conf files are configured:
/opt/splunkforwarder/etc/apps/search/local/local.conf
[splunktcp://9997]
connection_host = ip
[monitor:///var/log/snort/]
disabled = false
index = main
sourcetype = snort_alert_full
source = snort
/opt/splunkforwarder/etc/system/local/local.conf
[default]
host = snorthostname
[monitor:///var/log/snort/]
disabled = false
index = main
sourcetype = snort_alert_full
source = snort
/opt/splunkforwarder/etc/system/local/output.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 10.10.90.17:9997
[tcpout-server://10.10.90.17:9997]
Is there something special I need to do on snort?
Versions:
Snort: 2.9.9.0
CentOS 7
Splunk 6.5.2
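An added example, not part of the original post: a small Python linter that parses the forwarder stanzas quoted above and flags the things that stop a universal forwarder from shipping a directory, plus a check for binary (unified2-style) logs that the monitor input skips by default. The sample text is typed in from the post; KNOWN_CONF and the individual checks are my own assumptions about what to verify, not Splunk's tooling.

```python
"""Lint a Splunk universal-forwarder config for snort log forwarding."""
import re

# Splunk only loads conf files with these names; other names are ignored.
KNOWN_CONF = {"inputs.conf", "outputs.conf", "props.conf", "transforms.conf"}

# Constructed sample: the forwarder stanzas from the post, saved as local.conf.
LOCAL_CONF = """[splunktcp://9997]
connection_host = ip
[monitor:///var/log/snort/]
disabled = false
index = main
sourcetype = snort_alert_full
source = snort
"""

def parse_conf(text):
    """Parse Splunk's INI-style conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def lint_forwarder_conf(filename, text):
    """Return findings that would keep the forwarder from sending snort logs."""
    findings = []
    if filename not in KNOWN_CONF:
        findings.append(f"{filename}: Splunk does not read this name; use inputs.conf/outputs.conf")
    for name, keys in parse_conf(text).items():
        if name.startswith("splunktcp://"):
            findings.append(f"[{name}]: receiving-port stanza (indexer side); it sends nothing")
        if name.startswith("monitor://"):
            if keys.get("disabled", "false").lower() in ("1", "true"):
                findings.append(f"[{name}]: input is disabled")
            if "sourcetype" not in keys:
                findings.append(f"[{name}]: no sourcetype, so the snort app's extractions will not apply")
    return findings

def looks_binary(sample):
    """True if a log sample contains NUL bytes (unified2 output does); Splunk's
    monitor input skips such files unless props.conf sets NO_BINARY_CHECK."""
    return b"\x00" in sample
```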