Snort log sending to Splunk
-
Hello!
I've just installed Splunk on a Debian host in my LAN and I just can't find how, on my pfSense, to tell Snort to send logs, alerts and all the useful data to the Splunk server.
This Debian server is already a Nagios and syslog server.
Any help?
(Sorry for my bad English, I'm French)
-
Okay, found it!
If it can help someone:
The Snort logs are included in the firewall logs, so if you redirect your logs to a syslog server in Status > System Logs > Settings > Remote Server, Splunk will catch them.
But you have to allow incoming logs on UDP port 514 in Splunk.

Now the question is: how to correctly parse Snort logs in Splunk, because the log format seems to have changed recently and I can't find any support on the net.
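Once the syslog forward is in place, what remains is extracting fields from the Snort lines. The following is an added example, not code from the thread or from pfSense/Splunk, that parses Snort alerts in the classic `alert_fast`/syslog format and skips the other pfSense syslog traffic that arrives on the same UDP port; the hostname, PIDs and log lines are constructed, the pattern is IPv4-only, and since the thread notes the format may have changed, the regex is a starting point to check against the lines actually reaching Splunk (the same pattern can be reused in a Splunk `rex` command or a props.conf EXTRACT).

```python
import re

# Constructed sample: Snort alert lines as relayed by a pfSense syslog forward,
# mixed with an unrelated pfSense line (php-fpm) that a parser must ignore.
SAMPLE_LOGS = """\
Jan 12 10:15:01 pfsense snort[12345]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.1.10:80 -> 192.168.1.20:51234
Jan 12 10:15:03 pfsense snort[12345]: [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:44122 -> 192.168.1.30:1433
Jan 12 10:15:04 pfsense snort[12345]: [1:384:8] ICMP PING [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 192.168.1.1
Jan 12 10:15:05 pfsense php-fpm[321]: /index.php: Successful login for user 'admin' from: 192.168.1.20
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Classic Snort fast-alert layout: [gid:sid:rev] msg [Classification: ...] [Priority: n] {PROTO} src -> dst
# Classification is optional (rules without a classtype omit it); ports are absent for ICMP.
SNORT_RE = re.compile(
    r"snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.+?) "
    r"(?:\[Classification: (?P<classification>[^\]]+)\] )?"
    r"\[Priority: (?P<priority>\d+)\] "
    r"\{(?P<proto>[A-Z0-9]+)\} "
    rf"(?P<src_ip>{IPV4})(?::(?P<src_port>\d+))? -> "
    rf"(?P<dst_ip>{IPV4})(?::(?P<dst_port>\d+))?$"
)


def parse_snort_alert(line: str):
    """Return a dict of fields for one Snort alert line, or None for any other syslog line."""
    m = SNORT_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "src_port", "dst_port"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields


def parse_snort_alerts(text: str):
    """Parse every Snort alert in a block of syslog text, dropping non-Snort lines."""
    return [a for a in map(parse_snort_alert, text.splitlines()) if a is not None]


def count_by_source(alerts, max_priority=2):
    """Count alerts at or above a severity per source IP (Snort priority 1 is the most severe)."""
    counts = {}
    for a in alerts:
        if a["priority"] <= max_priority:
            counts[a["src_ip"]] = counts.get(a["src_ip"], 0) + 1
    return counts
```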
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.