[Snort-users] snort -> barnyard2 -> splunk

VM PC packetstack at ...11827...
Wed Aug 27 16:47:51 EDT 2014


Yes it can. Use the following in barnyard2.conf

output alert_syslog_full: sensor_name ips01-eth0:eth1, server 192.168.1.1, protocol udp, port 514

P.S.
I am now using rsyslog, but can't remember why.
output log_syslog_full: sensor_name ips01-eth0:eth1, local, log_priority LOG_INFO, log_facility LOG_LOCAL1

/etc/rsyslog.d/50-default.conf
#Alert Full
local1.info                     /var/log/snort/snort_full
local1.info                     @192.168.1.1



On Wed, Aug 27, 2014 at 4:15 PM, Robert Millott <
robm at ...16885...> wrote:

> Anyone have some good suggestions on getting Snort into Splunk?  I've seen
> some directions for snort -> barnyard2 -> syslog -> syslog-ng -> splunk,
> but I don't see the need for syslog. I've also seen snort -> splunk via
> alert_fast, but I already have barnyard2, and from what I hear, using
> barnyard2 will help optimize snort by relieving some of the processing it
> must do.
>
> Can barnyard2 send directly to splunk in a format splunk will understand
> is originally snort data?
>
> --
> Robert Millott
> President, Millott and Associates
> (443) 255-3588
>
>
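Added worked example (not code from the thread, from barnyard2 or from Splunk): a parser for the lines the collector at 192.168.1.1 in the reply would receive from the rsyslog "@192.168.1.1" forward, which renders the Snort fields as key=value pairs that Splunk auto-extracts at search time. Assumptions, none of which the thread states: the sensor logs at facility local1, severity info (the "local1.info" selector in the reply), so the RFC 3164 PRI is 17*8+6 = 142; the payload uses the classic one-line Snort syslog alert layout ("[gid:sid:rev] msg [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port"), whereas barnyard2's alert_syslog_full uses its own layout that the thread does not show, so the alert regex would need adjusting for it; the sample lines are constructed, IPv4 only. Two practitioner caveats the example makes visible: rsyslog's single "@" forwards over UDP (as the barnyard2 line also specifies), which drops messages under load and carries no authentication, so the PRI check in the parser separates channels but does not prove a line came from the sensor; "@@" would switch the rsyslog forward to TCP.

```python
"""Parse Snort alerts arriving over UDP syslog and emit Splunk-style key=value lines.

Added example, not from the original thread. Assumes (not stated on the page):
facility local1 / severity info (PRI 142), the classic one-line Snort syslog
alert layout rather than barnyard2's alert_syslog_full layout, IPv4 addresses,
and constructed sample input.
"""
import re
from dataclasses import dataclass, asdict
from typing import Iterable, List, Optional

# RFC 3164: PRI = facility * 8 + severity. local1 = 17, info = 6 (assumption
# matching the reply's "local1.info" rsyslog selector).
LOCAL1_FACILITY = 17
INFO_SEVERITY = 6
LOCAL1_INFO_PRI = LOCAL1_FACILITY * 8 + INFO_SEVERITY  # 142

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Snort-style alert body (assumed layout); ports are absent for ICMP.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<classification>[^\]]*)\] )?"
    r"\[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>[A-Z]+)\} "
    rf"(?P<src>{IPV4})(?::(?P<sport>\d+))? -> "
    rf"(?P<dst>{IPV4})(?::(?P<dport>\d+))?$"
)


@dataclass
class SnortAlert:
    host: str
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def _port(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def parse_syslog_alert(line: str, expected_pri: int = LOCAL1_INFO_PRI) -> Optional[SnortAlert]:
    """Return a SnortAlert for a line on the sensor's facility/severity, else None.

    The PRI check only separates the alert channel from other syslog traffic on
    the collector; UDP syslog has no authentication, so anyone who can reach
    port 514 can inject a line that passes it.
    """
    m = SYSLOG_RE.match(line)
    if not m or int(m["pri"]) != expected_pri:
        return None
    a = ALERT_RE.match(m["msg"])
    if not a:
        return None
    return SnortAlert(
        host=m["host"], timestamp=m["ts"],
        gid=int(a["gid"]), sid=int(a["sid"]), rev=int(a["rev"]),
        msg=a["msg"], classification=a["classification"],
        priority=int(a["priority"]), proto=a["proto"],
        src=a["src"], sport=_port(a["sport"]),
        dst=a["dst"], dport=_port(a["dport"]),
    )


def parse_feed(lines: Iterable[str]) -> List[SnortAlert]:
    """Parse every line, dropping anything that is not a sensor alert."""
    return [a for a in (parse_syslog_alert(line) for line in lines) if a is not None]


def to_splunk_kv(alert: SnortAlert) -> str:
    """Render key=value pairs; values with spaces or '=' are double-quoted so
    Splunk's search-time auto-extraction keeps them whole."""
    parts = []
    for key, value in asdict(alert).items():
        if value is None:
            continue
        text = str(value)
        if " " in text or "=" in text:
            text = '"' + text.replace('"', '\\"') + '"'
        parts.append(f"{key}={text}")
    return " ".join(parts)


# Constructed sample input: two sensor alerts plus an unrelated sshd line that a
# shared syslog collector would also receive.
SAMPLE_LINES = [
    "<142>Aug 27 16:47:51 ips01 snort[1234]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.0.2.10:49152",
    "<142>Aug 27 16:47:52 ips01 snort[1234]: [1:384:5] ICMP PING "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10",
    "<13>Aug 27 16:47:53 bastion sshd[999]: Accepted publickey for alice from 192.0.2.44 port 51234 ssh2",
]

if __name__ == "__main__":
    for alert in parse_feed(SAMPLE_LINES):
        print(to_splunk_kv(alert))
```

Running the block prints one key=value line per sensor alert and skips the sshd line because its PRI (13 = user.notice) is not the sensor channel. Feeding these lines to Splunk instead of the raw syslog text avoids writing a props.conf/transforms.conf extraction for the bracketed Snort layout.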