Snort syslog

Hello all, I have 3 snort interfaces, WAN, LAN and DMZ, all with barnyard2 running and my Splunk indexer IP inputted. The WAN and LAN logs have been coming in, but not the DMZ's. I have since triple checked the settings, Splunk IP, drop-down settings etc. to mirror the working setups of WAN and LAN. Even though I did not see action=blocked logs (in case a firewall rule itself was somehow the culprit), I still made a firewall rule to let DMZ talk to LAN (where the Splunk server is) just in case; still no input. I'm not strong on pfSense or networking in general, so I'm sure I'm derping something up, such as a gateway setting or some kind of routing, but with the allow-all rule for DMZ to LAN, a machine on my DMZ is able to ping LAN hosts. Regardless, I imagine the Splunk DMZ interface alert logs should not have routing relevance in regards to the DMZ range. Are there some settings snippets I should post up?

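One way to isolate whether the DMZ-to-Splunk path or the barnyard2 output itself is the problem is to send a hand-built syslog test line from the DMZ sensor host and search for it in Splunk. This is an added example, not code from the thread or from barnyard2/pfSense; the Splunk address, the UDP port 514 and the hostname/message text are assumed placeholders, and the loopback round trip proves the sender works before it is pointed at the real indexer.

```python
import socket
import time

SPLUNK_HOST = "192.0.2.10"   # ASSUMED placeholder: the Splunk indexer on the LAN
SPLUNK_PORT = 514            # ASSUMED: a UDP syslog network input listening on 514


def build_syslog_message(hostname: str, text: str, facility: int = 1, severity: int = 6) -> str:
    """Build an RFC 3164 style line resembling barnyard2's syslog output.

    PRI = facility * 8 + severity; facility 1 (user) and severity 6 (info)
    give <14>. The day is zero-padded here for portability (RFC 3164 pads
    with a space); Splunk's syslog parsing accepts both forms.
    """
    pri = facility * 8 + severity
    timestamp = time.strftime("%b %d %H:%M:%S", time.localtime())
    return f"<{pri}>{timestamp} {hostname} snort[0]: {text}"


def send_udp(host: str, port: int, message: str) -> int:
    """Send one syslog datagram and return the byte count handed to the stack.

    UDP gives no acknowledgement, so a successful return only proves the local
    host sent it; the datagram can still be dropped by a firewall rule or
    never arrive because of routing. Confirm arrival by searching in Splunk.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (host, port))


def loopback_roundtrip(message: str) -> str:
    """Self-check: bind an ephemeral UDP port on 127.0.0.1, send the message to
    it and return what was received, so a sender bug is ruled out first."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(2)
        port = listener.getsockname()[1]
        send_udp("127.0.0.1", port, message)
        data, _ = listener.recvfrom(4096)
        return data.decode("utf-8")


if __name__ == "__main__":
    msg = build_syslog_message("pfsense-dmz", "TEST: barnyard2 path check from DMZ sensor")
    print("loopback received:", loopback_roundtrip(msg))
    sent = send_udp(SPLUNK_HOST, SPLUNK_PORT, msg)
    print(f"sent {sent} bytes to {SPLUNK_HOST}:{SPLUNK_PORT}; now search Splunk for 'TEST: barnyard2'")
```

If the test line shows up in Splunk but barnyard2's alerts never do, the network path is fine and the remaining suspect is the DMZ instance's barnyard2 syslog configuration; if the test line is also missing, capture on the Splunk host to see whether the datagram arrives at all.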