Ingest snort alert


Hi everyone,

I installed Apache Flume and Snort on the server, but Kibana doesn't index snort*. I configured the flume.conf file:

snort.channels=memory-channel
snort.channels.memory-channel.capacity=1000
snort.channels.memory-channel.transactionCapacity=100
snort.channels.memory-channel.type=memory
snort.sinks=kafka-sink logger-sink
snort.sinks.kafka-sink.brokerList=node1:6667
snort.sinks.kafka-sink.channel=memory-channel
snort.sinks.kafka-sink.topic=snort
snort.sinks.kafka-sink.type=org.apache.flume.sink.kafka.KafkaSink
snort.sinks.logger-sink.channel=memory-channel
snort.sinks.logger-sink.type=logger
snort.sources=exec-source
snort.sources.exec-source.channels=memory-channel
snort.sources.exec-source.command=tail -F /var/log/snort/alert
snort.sources.exec-source.logStdErr=true
snort.sources.exec-source.restart=true
snort.sources.exec-source.type=exec

When I check the Storm log, it shows:

2017-04-18 17:44:03.921 o.a.s.d.executor [ERROR] java.lang.IllegalStateException: Unable to parse message: 04/18-17:44:00.620823 [**] [1:999158:0] Sample Metron Message from Snort [**] [Priority: 0]

The solution is to configure the logs with the default syntax and with the year, changing the Snort configuration (/etc/snort/snort.conf) by adding these two lines to the logging section:

config show_year
output alert_csv: /var/log/snort/alert_metron.csv default

Then do the same tail on the new file.
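As an added example (not code from the thread or from Metron), here is a small Python check that flags the full-alert format seen in the Storm error above and parses alert_csv "default" lines written with "config show_year" into Metron-style fields. The 27-column field order is assumed to be Snort's alert_csv default, and both sample lines are constructed.

```python
import calendar
import csv
import re
from datetime import datetime

# Assumed column order of "output alert_csv: <file> default" (Snort 2.9 defaults).
CSV_FIELDS = ["timestamp", "sig_generator", "sig_id", "sig_rev", "msg", "proto",
              "src", "srcport", "dst", "dstport", "ethsrc", "ethdst", "ethlen",
              "tcpflags", "tcpseq", "tcpack", "tcplen", "tcpwindow", "ttl", "tos",
              "id", "dgmlen", "iplen", "icmptype", "icmpcode", "icmpid", "icmpseq"]

# Full-alert lines start with MM/DD-HH:MM:SS.uuuuuu (no year) followed by [**].
FULL_ALERT_RE = re.compile(r"^\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6} \[\*\*\]")
# With "config show_year" the CSV timestamp becomes MM/DD/YY-HH:MM:SS.uuuuuu.
TS_WITH_YEAR = "%m/%d/%y-%H:%M:%S.%f"

class UnsupportedAlertFormat(ValueError):
    """Raised for lines the CSV-with-year ingestion path cannot parse."""

def parse_snort_csv_line(line):
    """Parse one alert_csv line into a dict; timestamp becomes epoch milliseconds (UTC assumed)."""
    line = line.rstrip("\n")
    if FULL_ALERT_RE.match(line):
        raise UnsupportedAlertFormat("full-alert format without year; use alert_csv + show_year")
    row = next(csv.reader([line]))
    if len(row) != len(CSV_FIELDS):
        raise UnsupportedAlertFormat(f"expected {len(CSV_FIELDS)} fields, got {len(row)}")
    rec = dict(zip(CSV_FIELDS, (v.strip() for v in row)))
    try:
        ts = datetime.strptime(rec["timestamp"], TS_WITH_YEAR)
    except ValueError as exc:
        raise UnsupportedAlertFormat(f"timestamp lacks year: {rec['timestamp']}") from exc
    rec["timestamp"] = calendar.timegm(ts.timetuple()) * 1000 + ts.microsecond // 1000
    return rec

def check_line(line):
    """Return (True, record) for an ingestible line, or (False, reason) otherwise."""
    try:
        return True, parse_snort_csv_line(line)
    except UnsupportedAlertFormat as exc:
        return False, str(exc)

# Constructed samples: the format from the Storm error, and the same alert as CSV with year.
FULL_LINE = "04/18-17:44:00.620823 [**] [1:999158:0] Sample Metron Message from Snort [**] [Priority: 0]"
CSV_LINE = ('04/18/17-17:44:00.620823 ,1,999158,0,"Sample Metron Message from Snort",TCP,'
            '192.0.2.10,49152,198.51.100.5,80,00:00:00:00:00:00,00:00:00:00:00:00,0x5A,'
            '***A****,0xC2EF4C5A,0xA0A0B8DB,,0x1000,64,0,5159,76,76,,,,')

if __name__ == "__main__":
    for sample in (FULL_LINE, CSV_LINE):
        print(check_line(sample))
```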