Hey guys, looking for your guidance. I am currently trying to set up Snort version 2.9.15 on a standalone VM. I followed the guide on the official Snort site to install that version of Snort with Barnyard2 and PulledPork on Ubuntu Server 16.04. This process went well and works.
My issue comes in when forwarding logs to my Splunk server. Logs do reach my server, but they are just jargon. I have a local.rules file that has an ICMP test rule inside so I can test this config, and it does work on the Snort server. Below is a snippet of the logs I get:
/var/log/snort\x00\x00\x00\x00\x00\x00\x00\x00\x00\...
(goes on and on)
Picture: https://imgur.com/a/CzOWni9
I added a props.conf file (shown below) to my /opt/splunkforwarder/etc/system/local directory, since originally I was getting no logs at my Splunk server until I added the following:
NO_BINARY_CHECK=true
CHARSET=AUTO
Below is my inputs.conf:
[default]
host = piggy
[monitor:///var/log/snort]
disabled=false
index=main
sourcetype=snort_alert_full
source=snort
And below is my outputs.conf:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 192.168.1.210:9997
[tcpout-server://192.168.1.210:9997]
I am using the Splunk For Snort App in Splunk, and I would like normal logs in my Splunk to practice with. Without props.conf, Splunk blocks those jargon files from being created. I have a feeling it has something to do with Barnyard2, since its purpose is to use those u2 files and make them into something, but there are no files in /var/log/barnyard2. How can I get normal log files that I can see from the console (if I tested it that way) into Splunk itself?
Thank you!
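Added example, not code from the original post or from Snort, Barnyard2 or Splunk: if the files the forwarder picks up from /var/log/snort are Snort's unified2 (u2) output, they are binary records, which is why they look like jargon once indexed. This reader decodes the IDS_EVENT record type (the layout from Snort's Unified2_common.h) and renders each event as a one-line alert_fast-style string that Splunk can index as text; the sample record, addresses and sid are constructed.

```python
import struct
import ipaddress
from datetime import datetime, timezone

# Unified2 record header: record type and body length, both big-endian uint32.
RECORD_HDR = struct.Struct("!II")
# Serial_Unified2IDSEvent_legacy (record type 7): 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes.
IDS_EVENT = struct.Struct("!11I2H4B")
UNIFIED2_IDS_EVENT = 7
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def parse_unified2(data):
    """Decode IDS_EVENT records from a unified2 byte stream into alert dicts.
    Other record types (packets, extra data) are skipped; a trailing partial
    record (file still being written by Snort) ends the parse cleanly."""
    alerts, off = [], 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        body = data[off + RECORD_HDR.size: off + RECORD_HDR.size + rlen]
        if len(body) < rlen:
            break
        off += RECORD_HDR.size + rlen
        if rtype != UNIFIED2_IDS_EVENT or rlen < IDS_EVENT.size:
            continue
        f = IDS_EVENT.unpack_from(body)
        # f: sensor_id, event_id, event_second, event_usec, sid, gid, rev, class, prio, src, dst, ...
        ts = datetime.fromtimestamp(f[2], tz=timezone.utc).replace(microsecond=f[3])
        alerts.append({
            "timestamp": ts.strftime("%m/%d-%H:%M:%S.%f"),
            "gid": f[5], "sid": f[4], "rev": f[6], "priority": f[8],
            "src": str(ipaddress.IPv4Address(f[9])),
            "dst": str(ipaddress.IPv4Address(f[10])),
            "proto": PROTO.get(f[13], str(f[13])),
        })
    return alerts

def alert_fast_line(a):
    """Render an alert in the one-line alert_fast style that indexes as plain text."""
    return (f"{a['timestamp']} [**] [{a['gid']}:{a['sid']}:{a['rev']}] "
            f"[Priority: {a['priority']}] {{{a['proto']}}} {a['src']} -> {a['dst']}")

# Constructed sample: one ICMP event (gid 1, sid 10000001) as unified2 output would write it.
SAMPLE = RECORD_HDR.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + IDS_EVENT.pack(
    0, 1, 1572000000, 123456, 10000001, 1, 1, 0, 0,
    int(ipaddress.IPv4Address("192.168.1.50")), int(ipaddress.IPv4Address("192.168.1.210")),
    8, 0, 1, 0, 0, 0)

if __name__ == "__main__":
    for alert in parse_unified2(SAMPLE):
        print(alert_fast_line(alert))
```

Running it against a real snort.u2.* file (read in binary mode) tells you in a second whether the monitored directory holds unified2 records rather than text alerts.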