I set up suricata.yaml to create the EVE JSON file for Suricata, but I was still not receiving alerts through it on Splunk. So tonight I took a second look at suricata.yaml and noticed it was referencing the suricata.log file further down the document.
For the meantime I have added a 3rd monitor for Suricata /var/log/nsm/sensor/suricata.log which should now allow the alerts to be ingested by Splunk. I am currently in the process of restarting all instances of Splunk so we will see shortly.
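Before pointing a Splunk monitor at an EVE file, it is worth confirming that the file actually contains alert records at all. The following added script (not from the post or from Suricata/Splunk) parses EVE JSON lines, counts events by type, and lists the alerts; the sample lines, IPs and file path are constructed for illustration, and it assumes the standard EVE layout of one JSON object per line with an "event_type" field and an "alert" sub-object.

```python
"""Sanity-check a Suricata EVE JSON file before a Splunk monitor ingests it."""
import json
from collections import Counter

# Constructed sample of eve.json lines (not real sensor output). One line is
# deliberately malformed to show how unparseable lines are counted.
SAMPLE_EVE = """\
{"timestamp":"2014-01-01T00:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":1}}
{"timestamp":"2014-01-01T00:00:02.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","http":{"hostname":"example.test","url":"/"}}
not json at all
{"timestamp":"2014-01-01T00:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":1}}
"""


def summarize_eve(text):
    """Return (Counter of event_type, list of alert tuples, count of bad lines)."""
    counts = Counter()
    alerts = []
    bad = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            bad += 1  # Splunk would index this line without any JSON fields
            continue
        kind = ev.get("event_type", "unknown")
        counts[kind] += 1
        if kind == "alert":
            a = ev.get("alert", {})
            alerts.append((ev.get("timestamp"), ev.get("src_ip"), ev.get("dest_ip"),
                           a.get("signature_id"), a.get("signature"), a.get("severity")))
    return counts, alerts, bad


def check_eve_file(path):
    """Run the same summary over a real file, e.g. the sensor's eve.json (path is an assumption)."""
    with open(path) as f:
        return summarize_eve(f.read())


if __name__ == "__main__":
    counts, alerts, bad = summarize_eve(SAMPLE_EVE)
    print("events by type:", dict(counts), "unparseable lines:", bad)
    for a in alerts:
        print(a)
```

If the counts show no "alert" events, the problem is on the Suricata side (rules or eve-log output not enabled), not in the Splunk input.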