CIM compliant TA for Suricata: IDS, DNS, WEB
Suricata must be writing its logs as JSON (eve.json), not in Unified2 format.
Your inputs.conf should look like:
[monitor:///var/log/suricata/eve.json]
host = $hostname$
sourcetype = suricata
index = $indexname$
Version 2.3.1 shipped with an indexes.conf inside the tgz file, which causes Splunk to break.
The easy fix is to delete the indexes.conf from the default directory of the TA.
Technology add-on for collecting IDS (alert), WEB (http), DNS (dns), SSL (tls), FLOW (flow), FILES (files) and STATS (stats) events from Suricata 3.x. This is an evolution of the Unified2 app developed by Hurricane Labs, which parsed Snort output. This app is best used when you are logging in the eve.json format. This app is compliant with CIM 4.1.1 and above.
Technology add-on for collecting IDS (alert), WEB (http), DNS (dns), SSL (tls) and FLOW (flow) events from Suricata. This app is compliant with CIM 4.1.1 and above.
This release is completely rebuilt and adds flow event parsing.
Additional functionality for files events is TBD.
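As an added illustration of what a CIM-compliant TA does with the eve.json lines the monitor input above sends to Splunk (this is example code written here, not the add-on's own props/transforms logic), the Python below parses constructed eve.json records and maps the alert, dns, http and flow event types onto the field names of the Intrusion Detection, Network Resolution, Web and Network Traffic data models. The severity mapping and the exact field choices are assumptions made for this example.

```python
import json
# Suricata priority -> CIM severity (assumed mapping; the TA's own mapping may differ)
SEVERITY = {1: "high", 2: "medium", 3: "low"}
# Five-tuple fields shared by every eve.json record, keyed by their CIM field name
COMMON = {"src": "src_ip", "src_port": "src_port", "dest": "dest_ip",
          "dest_port": "dest_port", "transport": "proto"}
# Constructed eve.json sample (not real Suricata output): one JSON object per line
SAMPLE_EVE = """\
{"timestamp":"2023-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"signature":"LOCAL test rule","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2023-01-01T10:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","src_port":5353,"dest_ip":"10.0.0.53","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2023-01-01T10:00:02.000000+0000","event_type":"http","src_ip":"10.0.0.5","src_port":51235,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","http":{"hostname":"example.com","url":"/index.html","http_method":"GET","status":200}}
{"timestamp":"2023-01-01T10:00:03.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":51235,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":600,"bytes_toclient":1200}}
{"timestamp":"2023-01-01T10:00:04.000000+0000","event_type":"stats","stats":{"uptime":10}}
"""

def normalize_event(line):
    """Map one eve.json line to flat CIM-style fields; None for unmapped event types."""
    ev = json.loads(line)
    etype = ev.get("event_type")
    out = {"_time": ev["timestamp"], "event_type": etype}
    for cim, raw in COMMON.items():
        if raw in ev:  # CIM expects the transport protocol in lower case
            out[cim] = ev[raw].lower() if cim == "transport" else ev[raw]
    if etype == "alert":   # Intrusion Detection data model
        a = ev["alert"]
        out.update(signature=a["signature"], signature_id=a["signature_id"],
                   category=a["category"], severity=SEVERITY.get(a["severity"], "unknown"),
                   ids_type="network", vendor_product="Suricata")
    elif etype == "dns":   # Network Resolution data model
        d = ev["dns"]
        out.update(query=d.get("rrname"), query_type=d.get("rrtype"), answer=d.get("rdata"),
                   message_type=d.get("type", "").capitalize())
    elif etype == "http":  # Web data model
        h = ev["http"]
        out.update(site=h.get("hostname"), uri_path=h.get("url"), status=h.get("status"),
                   http_method=h.get("http_method"),
                   url="http://%s%s" % (h.get("hostname", ""), h.get("url", "")))
    elif etype == "flow":  # Network Traffic data model
        f = ev["flow"]
        out.update(packets_out=f["pkts_toserver"], packets_in=f["pkts_toclient"],
                   bytes_out=f["bytes_toserver"], bytes_in=f["bytes_toclient"],
                   bytes=f["bytes_toserver"] + f["bytes_toclient"])
    else:
        return None  # stats, fileinfo, ... are not mapped by this example
    return out

def normalize_all(text):
    """Normalize every non-empty line of an eve.json file, dropping unmapped events."""
    return [e for e in (normalize_event(l) for l in text.splitlines() if l.strip()) if e]
```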
Splunk_TA_Suricata