Thanks maybe we just need to chuck the TA and just do it your way. Thanks man ... View more

But on the server, you see the events, can search the event, etc? Guess what are you doing with the data?  ... View more

Thats the input file on the suricata server? Do you have the Suricata-TA installed on the forwarder or the server or both or are you even using the Suricata-TA.  ... View more

in a search of all time on the GUI nothing came up. Checked SplunkD on the server it has Failed to Parse TImeStamp in first MAX_TIMESTAMP_LOOKHEAD ....defaulting to timestamp of previous event...context: source=var/log/suricata.eve. It also complains about too many events with the same timestamp. So do we need to add json_no_timestamp somehwere  maybe in a props file? Wouldn't the app tell it how to parse it?     ... View more

You say that you get other events from the suricata box. How are you ingesting them? Do you have  forwarder installed on the suricata box? Yes we have a Universal Forwarder on the suricata box. Currently it is set to monitor syslogs which we see in the search head web app.  2. Did you deploy the addon with the enabled input to the forwarder on the suricata box? Copied the TA to  /opt/splunkforwarder/etc/apps/Ta-suricata on the suricata box.  3.3. Did you verify the inputs on the forwarder? yes btool host= splunk-nat-sec, index= suricata, sourcetype = suricata, [monitor:///var/log/suricata/eve.json] splunk list monitor /var/log/suricata/eve.json, /var/log/syslog splunk list input status /var/log/suricata/eve.json, file position = 6824003470, file size = 143583971149, percent = 4.75, type = reading (batch) splunkd. log has Warn Tailreader [ tailreader0] - Enquueing a very large file=/var/log/suricata/eve.json ..... readinf of other large files could be delayed. Then an INFO about trimming input to first line Then an INFO about shutting down while reading file /var/log/suricata/eve.json Then INfO about Batch file input finished reading the file.  It isn't in a spot I can copy and paste. Maybe this is enough. Thanks for your help.       ... View more

Thanks for the help. Changed it and still no eve.json data on the server. ... View more

Gonna maybe revive this thread. We are using RHEL 8.6 and we have Splunk Enterprise running and configured to listen on port 9997, we added it to the firewall with firewall-cmd and still netstat -l | grep 9997 returns nothing. We have tried different variations of netstat they all return zero. Also systemctl status splunk.service doesn't show the service using port 9997. Any suggestion do we need to add 9997 to the service somehow? If so how. Have set Splunk up on other RHEL 8 servers before no problem but something about this one seems different. Also the inputs.conf shows [splunktcp:\\9997] disabled=0. Any help is appreciated. ... View more

 Gonna take some time to go through every dashboard of the apps but it does work.  Appreciate the help.  ... View more

Splunk now lists this as a known issue and offers a solution. Have not implemented it yet so can't vouch that it works.  We have the had the same issue for awhile.  https://docs.splunk.com/Documentation/Splunk/8.2.4/ReleaseNotes/KnownIssues     ... View more

Thanks for the reply and stay safe over there. Yep we have the events we want to monitor. I was referring to the Eventid.net apps lookup table called" eventid_interesting_events" I was hoping I could add what we wanted to it and maybe tweak a couple other files and make it work. Sounds like it might just be easier to make our own. ... View more