OpenWrt Snort: sending logs to Splunk

I have installed Snort version 3.1.78.0 on OpenWrt and confirmed that the currently applied rules are being saved in the alert_json.txt file under /mnt/usb/log. I am attempting to transmit this log file to a Splunk server, but it appears the transmission is not successful.

I modified the /etc/snort/snort.lua file under section "7. configure outputs" as follows:

alert_syslog = {
  type = "udp",
  output = "alert_json.txt",
  host = "40.0.0.10",
  port = 514,
}

Additionally, I have configured the Splunk server to receive data in syslog format via UDP port 514. (I've also tried setting it up to receive data in JSON format, but that hasn't worked either.)

It seemed like a firewall zone issue at first, but currently, the Splunk server is receiving system logs from the OpenWrt system on port 514 without any problem.

Is there any other configuration I need to do besides these two settings? Or is there another method I could try?

I'm curious where you found those config settings; I don't see them in my install (also 3.1.78.0), and I'm pretty sure that alert_syslog is just for logging to the system log, not for remote logging.

$ snort --help-config alert_syslog
enum alert_syslog.facility = 'auth': part of priority applied to each message { 'auth' | 'authpriv' | 'daemon' | 'user' | 'local0' | 'local1' | 'local2' | 'local3' | 'local4' | 'local5' | 'local6' | 'local7' }
enum alert_syslog.level = 'info': part of priority applied to each message { 'emerg' | 'alert' | 'crit' | 'err' | 'warning' | 'notice' | 'info' | 'debug' }
multi alert_syslog.options: used to open the syslog connection { cons | ndelay | perror | pid }

If you are using the auto-configuration in your installation, then the modifications you make in /etc/snort/snort.lua are being overwritten by the contents of the generated configuration /tmp/snort.d/snort_conf.lua. To include your customizations, use the snort.include setting: create a new file and point that setting to it.

You can try it out with this, then once snort has been restarted, look at the generated config down at the bottom.

echo '
alert_syslog = {
  type = "udp",
  output = "alert_json.txt",
  host = "40.0.0.10",
  port = 514,
}
' >> /etc/snort/include.snort

uci set snort.snort.include='/etc/snort/include.snort'
uci commit

/etc/init.d/snort restart

tail -20 /tmp/snort.d/snort_conf.lua
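As an added example (not code from either post), a POSIX shell helper that checks a Lua config for alert_syslog keys the module does not accept, based on the three parameters listed by `snort --help-config alert_syslog` above, and writes an include file that uses only those parameters so alerts go to the local system log, which the question says already reaches the Splunk host on UDP/514. It assumes the multi-line `alert_syslog = { ... }` layout shown above and the paths and uci option quoted in the reply.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the multi-line
# "alert_syslog = { ... }" layout shown above and the paths/uci option
# quoted in the reply (/tmp/snort.d/snort_conf.lua, snort.snort.include).

# The only parameters alert_syslog accepts, per `snort --help-config alert_syslog`.
SUPPORTED_ALERT_SYSLOG_KEYS="facility level options"

# Print the keys assigned inside the alert_syslog table of a Lua config file.
alert_syslog_keys() {
    sed -n '/^[[:space:]]*alert_syslog[[:space:]]*=[[:space:]]*{/,/^[[:space:]]*}/p' "$1" |
        sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' |
        grep -v '^alert_syslog$'
}

# Print any keys alert_syslog does not know (e.g. host, port); return 1 if found.
alert_syslog_unsupported_keys() {
    rc=0
    for k in $(alert_syslog_keys "$1"); do
        case " $SUPPORTED_ALERT_SYSLOG_KEYS " in
            *" $k "*) ;;
            *) echo "$k"; rc=1 ;;
        esac
    done
    return $rc
}

# Write an include file using only supported keys: alerts go to the local
# system log, which the question says already reaches the Splunk host on UDP/514.
write_alert_syslog_include() {
    cat > "$1" <<'EOF'
alert_syslog = {
  facility = 'local0',
  level = 'alert',
  options = 'pid',
}
EOF
}

# On the router: install the include via uci, restart, and verify the generated config.
apply_alert_syslog_include() {
    inc=${1:-/etc/snort/include.snort}
    write_alert_syslog_include "$inc"
    uci set snort.snort.include="$inc"
    uci commit
    /etc/init.d/snort restart
    tail -20 /tmp/snort.d/snort_conf.lua
    if alert_syslog_unsupported_keys /tmp/snort.d/snort_conf.lua >/dev/null; then
        echo "alert_syslog: only supported keys present"
    else
        echo "alert_syslog: unsupported keys found, fix the include" >&2
        return 1
    fi
}
```

Run `alert_syslog_unsupported_keys /etc/snort/include.snort` before restarting to catch keys such as host or port that the module will not take; `apply_alert_syslog_include` does the uci steps from the reply and then checks the generated config.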