You say that you get other events from the suricata box. How are you ingesting them? Do you have a forwarder installed on the suricata box?
Yes we have a Universal Forwarder on the suricata box. Currently it is set to monitor syslogs which we see in the search head web app.
2. Did you deploy the addon with the enabled input to the forwarder on the suricata box? Copied the TA to /opt/splunkforwarder/etc/apps/Ta-suricata on the suricata box.
3. Did you verify the inputs on the forwarder? yes
btool host= splunk-nat-sec, index= suricata, sourcetype = suricata, [monitor:///var/log/suricata/eve.json]
splunk list monitor
/var/log/suricata/eve.json, /var/log/syslog
splunk list input status
/var/log/suricata/eve.json, file position = 6824003470, file size = 143583971149, percent = 4.75, type = reading (batch)
splunkd.log has a Warn TailReader [tailreader0] - Enqueuing a very large file=/var/log/suricata/eve.json ..... reading of other large files could be delayed.
Then an INFO about trimming input to first line
Then an INFO about shutting down while reading file
/var/log/suricata/eve.json
Then INFO about Batch file input finished reading the file.
It isn't in a spot I can copy and paste. Maybe this is enough. Thanks for your help.
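The status line quoted above is the useful signal here: the forwarder has handed a 143 GB eve.json to the batch reader and is under 5% through it, so new Suricata alerts at the tail of the file are not searchable yet. Below is an added example (not from this thread or from Splunk) that parses status lines in the flattened form the post shows (the real `splunk list inputstatus` output nests these fields under each path, so adapt the regex if you feed it raw output) and flags inputs still being batch-read; the sample lines are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the flattened "path, key = value, ..." form quoted in the post.
SAMPLE_STATUS = """\
/var/log/suricata/eve.json, file position = 6824003470, file size = 143583971149, percent = 4.75, type = reading (batch)
/var/log/syslog, file position = 1048576, file size = 1048576, percent = 100.00, type = finished reading
"""

LINE_RE = re.compile(
    r"^(?P<path>\S+), file position = (?P<pos>\d+), file size = (?P<size>\d+), "
    r"percent = (?P<pct>[\d.]+), type = (?P<type>.+)$"
)


@dataclass
class InputStatus:
    path: str
    position: int
    size: int
    percent: float
    type: str

    @property
    def remaining_bytes(self) -> int:
        """Bytes the forwarder still has to read before it reaches the tail."""
        return max(self.size - self.position, 0)

    @property
    def computed_percent(self) -> float:
        """Recompute progress from position/size to cross-check the reported percent."""
        return round(100.0 * self.position / self.size, 2) if self.size else 100.0

    @property
    def is_batch(self) -> bool:
        # Very large files go to the batch reader; while it catches up, events
        # appended at the tail (the fresh alerts) are delayed, as seen in the post.
        return "batch" in self.type


def parse_status(text: str) -> list[InputStatus]:
    """Parse flattened status lines; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(InputStatus(m["path"], int(m["pos"]), int(m["size"]),
                                   float(m["pct"]), m["type"].strip()))
    return out


def lagging_inputs(statuses: list[InputStatus], min_percent: float = 95.0) -> list[InputStatus]:
    """Inputs still in batch mode and below min_percent complete: your alert feed is behind."""
    return [s for s in statuses if s.is_batch and s.percent < min_percent]
```

Running `lagging_inputs(parse_status(SAMPLE_STATUS))` on the sample reports eve.json with about 136.8 GB still to read, which is why the dashboards stay empty even though syslog from the same box arrives fine.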