Re: Ingest snort alert

adroot16 · ‎04-18-2017

Hi everyone.,

I install apache flume and Snort on Server. But Kibana don't index snort*. I configured flume.conf file.

snort.channels=memory-channel
snort.channels.memory-channel.capacity=1000
snort.channels.memory-channel.transactionCapacity=100
snort.channels.memory-channel.type=memory
snort.sinks=kafka-sink logger-sink
snort.sinks.kafka-sink.brokerList=node1:6667
snort.sinks.kafka-sink.channel=memory-channel
snort.sinks.kafka-sink.topic=snort
snort.sinks.kafka-sink.type=org.apache.flume.sink.kafka.KafkaSink
snort.sinks.logger-sink.channel=memory-channel
snort.sinks.logger-sink.type=logger
snort.sources=exec-source
snort.sources.exec-source.channels=memory-channel
snort.sources.exec-source.command=tail -F /var/log/snort/alert
snort.sources.exec-source.logStdErr=true
snort.sources.exec-source.restart=true
snort.sources.exec-source.type=exec

adroot16 · ‎04-18-2017

When I check storm log, it's show.

2017-04-18 17:44:03.921 o.a.s.d.executor [ERROR] java.lang.IllegalStateException: Unable to parse message: 04/18-17:44:00.620823 [**] [1:999158:0] Sample Metron Message from Snort [**] [Priority: 0]

alexis_eurec_23 · ‎06-08-2020

The solution is to configure the logs with default syntax and with year, changing the SNORT configuration (/etc/snort/snort.conf), adding this two line to logging section:

config show_year
output alert_csv: /var/log/snort/alert_metron.csv default

Then, do the same tail to the new file.