Greetings!
I am hoping you can help me resolve a problem I'm having with my setup of Splunk for Snort. I have several Snort 2.9.0.3 sensors, that send data via Splunk Light Forwarder to a central Splunk server. That central Splunk server (4.2.3) has Splunk for Snort installed.
The Snort instances are set to log to /var/log/snort/alert_full. I have an input on the light forwarder set to read that file with input type snort_alert_full. I get data from the light forwarders, but it appears to be only the first line of an alert - I don't see, for example, src and dst IP. A raw message I get looks like this:
[**] [1:2406338:271] ET RBN Known Russian Business Network IP TCP (170) [**]
[Classification: Misc Attack] [Priority: 2]
and that's all I get. As a result, I can't do most of the useful things in Splunk for Snort. If I look at the output file from snort by hand, it has all the normal fields. If I turn off forwarding and view the events in Splunk, I get the same truncated message.
If I send the logs over via syslog, all the data shows up, but is of type "syslog" so it's not parsed by Splunk for Snort. I'm too much of a Splunk noob to know how to change that. 🙂
Any assistance on what I'm doing wrong would be greatly appreciated. Thanks!
Jason
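The symptom in the post is an event-boundary problem: a Snort alert_full record spans several lines (the `[**] ... [**]` header, the classification line, the timestamp/address line, the protocol line, and optional flag/Xref lines), and the addresses only show up if the collector keeps all of those lines together as one event. The parser below is an added example, not code from the post or from Splunk for Snort; it splits an alert_full stream on the header line the same way a correct line-breaking rule would and pulls out the fields the poster is missing. The sample alerts are constructed, and the address regex assumes IPv4 addresses (IPv6 addresses contain colons and would need a different split).

```python
"""Parse Snort 2.x alert_full output into one record per multi-line alert.

Added example: splits on the "[**] [gid:sid:rev] msg [**]" header that begins
every alert, then extracts classification, priority, timestamp, addresses and
protocol from the lines that follow.  Assumes IPv4 addresses (no colons).
"""
import re
from typing import Dict, List, Optional

# Every alert starts with this header; it is the only safe event boundary.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
# Timestamp line: MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]  (ports absent for ICMP)
ADDR_RE = re.compile(
    r"^(\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) "
    r"(\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$"
)
# Protocol line: "TCP TTL:52 TOS:0x0 ID:4242 ..." / "ICMP TTL:64 ..."
PROTO_RE = re.compile(r"^([A-Z]+) TTL:(\d+) ")

# Constructed sample in alert_full layout (addresses from documentation ranges).
SAMPLE = """\
[**] [1:2406338:271] ET RBN Known Russian Business Network IP TCP (170) [**]
[Classification: Misc Attack] [Priority: 2]
08/02-10:15:32.123456 192.0.2.10:44321 -> 198.51.100.5:80
TCP TTL:52 TOS:0x0 ID:4242 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xFFFF  TcpLen: 40

[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
08/02-10:16:01.000001 203.0.113.7:22 -> 192.0.2.10:55010
TCP TTL:64 TOS:0x10 ID:1 IpLen:20 DgmLen:100 DF
***AP*** Seq: 0x0  Ack: 0x0  Win: 0x1000  TcpLen: 20

[**] [1:100:1] ICMP test [**]
[Classification: Misc activity] [Priority: 3]
08/02-10:17:00.000000 192.0.2.10 -> 198.51.100.5
ICMP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:84
"""


def parse_alert_full(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per alert; lines before the first header are ignored."""
    events: List[Dict[str, Optional[str]]] = []
    current: Optional[Dict[str, Optional[str]]] = None
    raw_lines: List[str] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            # New alert: close the previous record and start another.
            if current is not None:
                current["raw"] = "\n".join(raw_lines)
            current = {
                "gid": m.group(1), "sid": m.group(2), "rev": m.group(3),
                "msg": m.group(4), "classification": None, "priority": None,
                "timestamp": None, "src_ip": None, "src_port": None,
                "dst_ip": None, "dst_port": None, "proto": None, "raw": None,
            }
            raw_lines = [line]
            events.append(current)
            continue
        if current is None or not line.strip():
            continue  # blank separator between alerts, or text before first header
        raw_lines.append(line)
        m = CLASS_RE.match(line)
        if m:
            current["classification"], current["priority"] = m.group(1), m.group(2)
            continue
        m = ADDR_RE.match(line)
        if m:
            current["timestamp"] = m.group(1)
            current["src_ip"], current["src_port"] = m.group(2), m.group(3)
            current["dst_ip"], current["dst_port"] = m.group(4), m.group(5)
            continue
        m = PROTO_RE.match(line)
        if m:
            current["proto"] = m.group(1)
    if current is not None:
        current["raw"] = "\n".join(raw_lines)
    return events


def missing_addresses(events: List[Dict[str, Optional[str]]]) -> List[str]:
    """SIDs of events that lost their address line, i.e. the truncation in the post."""
    return [e["sid"] or "" for e in events if e["src_ip"] is None]


if __name__ == "__main__":
    for ev in parse_alert_full(SAMPLE):
        print(ev["sid"], ev["proto"], ev["src_ip"], "->", ev["dst_ip"], ev["msg"])
    print("truncated:", missing_addresses(parse_alert_full(SAMPLE)))
```

The check to make on a misbehaving collector is the same one `missing_addresses` performs: if events are being cut at the first or second line, the address fields will be absent from every record. In Splunk terms the `^\[\*\*\]` header pattern is what the sourcetype's line-breaking rule (`BREAK_ONLY_BEFORE` in props.conf) has to match so that the lines after the classification line stay in the same event.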