I have successfully installed my universal forwarder and it has a connection to Splunk. Though I am getting data (not sure if it's my Snort logs) in source=_internal with host = bss (which is the hostname of my Splunk forwarder), Splunk for Snort is not indexing the data. Any help on how to properly configure Snort to index via a universal forwarder would help!
I configured my forwarder inputs.conf to the following:
> [default]
> host = bss
>
> [monitor:///var/log/snort/snort.log.*]
> disabled = false
> sourcetype = snort_alert_full
> source = snort
I configured my forwarder outputs.conf to the following:
> [tcpout]
> defaultGroup = default-auto1b-group
>
> [tcpout:default-auto1b-group]
> server = 10.10.20.103:997
>
> [tcpout-server://10.10.20.103:997]
Then I configured my Splunk inputs.conf to the following:
> [default]
> host = Splunk
>
> [splunktcp://:9997]
> connection_host = bss # host_name for my forwarder
> sourcetype = snort_alert_full
> source = tcp:9997
>
> disabled = 0
Splunk Web GUI:
--I have set Snort's index to: snort_alert
--I have set Snort's source type to: snort
And my forwarder is monitoring the correct files in Snort, based on the output of the command: ./splunk list monitor
> Monitored Files:
> $SPLUNK_HOME/etc/splunk.version
> /var/log/snort/snort.log.*
> /var/log/snort/snort.log.1453951439
I'm not sure what I am doing wrong. Let me know if you need any more information to work out how I can configure my universal forwarder to send to the correct index so my Splunk for Snort app can index it.
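As an added diagnostic example (not from the original post or from Splunk), a small Python checker that parses the forwarder outputs.conf and indexer inputs.conf stanzas quoted above, cross-checks the tcpout destination port against the enabled splunktcp receiver port, and reports monitor stanzas that set no index; the stanza text is embedded as constructed input copied from the post, and the function names are the example's own.

```python
import configparser
# Constructed sample: the stanzas quoted in the post above ('>' markers stripped), values as posted.
FORWARDER_INPUTS = """
[monitor:///var/log/snort/snort.log.*]
sourcetype = snort_alert_full
source = snort
"""
FORWARDER_OUTPUTS = """
[tcpout]
defaultGroup = default-auto1b-group
[tcpout:default-auto1b-group]
server = 10.10.20.103:997
"""
INDEXER_INPUTS = """
[splunktcp://:9997]
disabled = 0
"""

def parse_conf(text):
    # Splunk .conf files are INI-style; keep key case exactly as written.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def receiver_ports(indexer_inputs):
    # Ports with an enabled [splunktcp://[host:]port] listener on the indexer.
    cp = parse_conf(indexer_inputs)
    return {int(s.rsplit(":", 1)[1]) for s in cp.sections()
            if s.startswith("splunktcp://")
            and cp.get(s, "disabled", fallback="0").lower() not in ("1", "true")}

def forwarder_targets(forwarder_outputs):
    # (host, port) pairs the forwarder's default tcpout group sends to.
    cp = parse_conf(forwarder_outputs)
    servers = cp.get("tcpout:" + cp.get("tcpout", "defaultGroup"), "server")
    return [(e.strip().rsplit(":", 1)[0], int(e.strip().rsplit(":", 1)[1]))
            for e in servers.split(",")]

def check_pipeline(fwd_inputs, fwd_outputs, idx_inputs):
    # Findings that explain why monitored events may never reach the expected index.
    findings, ports = [], receiver_ports(idx_inputs)
    for host, port in forwarder_targets(fwd_outputs):
        if port not in ports:
            findings.append(f"forwarder sends to {host}:{port} but indexer listens on {sorted(ports)}")
    cp = parse_conf(fwd_inputs)
    for sec in cp.sections():
        if sec.startswith("monitor:") and not cp.has_option(sec, "index"):
            findings.append(f"[{sec}] sets no index, so events go to the receiver's default index")
    return findings
```

Run `check_pipeline(FORWARDER_INPUTS, FORWARDER_OUTPUTS, INDEXER_INPUTS)` against the real files' contents on the forwarder and indexer to see which side of the pipeline disagrees.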