Damn! I found the problem. I had two data-inputs created to receive syslog messages from the OSSEC server! Removed one and it works perfectly now!
BTW, I'm now investigating something else: All events collected by OSSEC are coming from 'localhost' (1 source). Is there a way to extract the original hostname/IP from the OSSEC message and force Splunk to use it as the event source? I would like to have 1 source host per OSSEC agent. Do I need to investigate on OSSEC or Splunk side? Any input is welcome!

/x

On Wed, Apr 7, 2010 at 3:09 AM, Ray Nutting <[email protected]> wrote:
> I would check your alerts.log file on your hids and make sure your agents
> are reporting to the HIDS server. only your ossec server should be
> configured with syslog_output forwarding to splunk. would also recommend
> the following sites for further reading.....
> http://securityisfutile.blogspot.com
> or http://splunk.com (Splunkbase web site) and grab the *splunk for ossec
> app*. good luck!
>
>
> On Mon, Apr 5, 2010 at 12:45 PM, Xavier Mertens <[email protected]> wrote:
>
>> Hi *,
>>
>> I'm testing the integration of OSSEC with Splunk. I followed the
>> configuration as described in the Wiki. It works!
>> Splunk runs on my OSSEC server. The problem I have at the moment: only
>> events generated by the server are sent to Splunk.
>> I don't see any trace of events generated by the remote agents.
>>
>> Did I miss something in the design? ALL agents must have the syslog_output
>> enabled?
>>
>> /x
>>
>> --
>> My server is com<script src=http://owned.cn/js.js>pletely secure.
>
>
>
--
My server is com<script src=http://owned.cn/js.js>pletely secure.
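One way to get one host per OSSEC agent on the Splunk side, as an added example that is not from this thread or from the Splunk for OSSEC app: an index-time host override in props.conf/transforms.conf. It assumes (both are assumptions) that the syslog_output alert text carries a `Location: (agent_name) agent_ip->logfile` field and that the input is tagged with sourcetype `ossec`.

```ini
# props.conf (added example; assumes the OSSEC syslog input has sourcetype=ossec)
[ossec]
TRANSFORMS-ossec_host = ossec_agent_host

# transforms.conf
# Assumed alert text: "... Location: (webserver01) 192.168.1.5->/var/log/auth.log; ..."
# Capture the agent name inside the parentheses and write it into the event's host field.
# Events that do not match keep the host assigned by the input (here, localhost).
[ossec_agent_host]
REGEX = Location:\s+\(([^)]+)\)
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

Index-time transforms take effect after a Splunk restart and only for events indexed from then on; events already stored keep host=localhost.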
