Probably the Splunk side. I'm assuming you're using Splunk 4.x and the 4.x OSSEC app. If not, ignore everything else I say... :-)
I've actually been considering making it do that out-of-the-box. If other people want that, please let me know. Right now, you can search on 'reporting_host' instead, or you can try the following. I haven't really tested this yet, so let me know if you have issues:

1) If the directory isn't already there, mkdir /opt/splunk/etc/apps/ossec/local

2) Paste the following into /opt/splunk/etc/apps/ossec/local/transforms.conf

########################################################
[ossec-syslog-hostoverride1]
# Location: (winsrvr) 10.20.30.40->WinEvtLog;
DEST_KEY = MetaData:Host
REGEX = ossec: Alert.*?Location: \((.*?)\) ([\d\.]+)->
FORMAT = host::$1

[ossec-syslog-hostoverride2]
DEST_KEY = MetaData:Host
REGEX = ossec: Alert.*?Location: ([^\(\)]+)->
FORMAT = host::$1

[ossec-syslog-ossecserver]
REGEX = \s(\S+) ossec:\s
FORMAT = ossec_server::$1
########################################################

3) Paste the following into /opt/splunk/etc/apps/ossec/local/props.conf

########################################################
[ossec]
FIELDALIAS-ossec-server=
REPORT-ossecserver = ossec-syslog-ossecserver
TRANSFORMS-host = ossec-syslog-hostoverride1,ossec-syslog-hostoverride2
########################################################

On Wed, Apr 7, 2010 at 2:25 AM, Xavier Mertens <[email protected]> wrote:
> Damn! I found the problem. I had two data-inputs created to receive syslog
> messages from the OSSEC server!
> Removed one and it works perfectly now!
>
> BTW, I'm now investigating something else: All events collected by OSSEC
> are coming from 'localhost' (1 source).
> Is there a way to extract the original hostname/IP from the OSSEC message
> and force Splunk to use it as the event source? I would like to have 1
> source host per OSSEC agent.
>
> Do I need to investigate on OSSEC or Splunk side? Any input is welcome!
>
> /x
>
>
> On Wed, Apr 7, 2010 at 3:09 AM, Ray Nutting <[email protected]> wrote:
>
>> I would check your alerts.log file on your HIDS and make sure your agents
>> are reporting to the HIDS server. Only your OSSEC server should be
>> configured with syslog_output forwarding to Splunk. I would also recommend
>> the following sites for further reading:
>> http://securityisfutile.blogspot.com
>> or http://splunk.com (Splunkbase web site) and grab the *splunk for ossec
>> app*. Good luck!
>>
>>
>> On Mon, Apr 5, 2010 at 12:45 PM, Xavier Mertens <[email protected]> wrote:
>>
>>> Hi *,
>>>
>>> I'm testing the integration of OSSEC with Splunk. I followed the
>>> configuration as described in the Wiki. It works!
>>> Splunk runs on my OSSEC server. The problem I have at the moment: only
>>> events generated by the server are sent to Splunk.
>>> I don't see any trace of events generated by the remote agents.
>>>
>>> Did I miss something in the design? ALL agents must have the
>>> syslog_output enabled?
>>>
>>> /x
>>>
>>> --
>>> My server is com<script src=http://owned.cn/js.js>pletely secure.
>>
>>
>>
>
>
> --
> My server is com<script src=http://owned.cn/js.js>pletely secure.
>

--
To unsubscribe, reply using "remove me" as the subject.
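Added example, not part of the thread or of the Splunk for OSSEC app: a small Python check that runs the three REGEX values from the transforms.conf stanzas above against constructed syslog lines, so you can confirm which host and ossec_server each transform would assign before dropping the stanzas into Splunk. The sample events, hostnames and rule text are constructed for the test; the default host "localhost" stands in for the syslog sender in Xavier's setup.

```python
import re

# The two MetaData:Host overrides, in the order TRANSFORMS-host lists them,
# followed by the ossec_server field extraction. Patterns copied verbatim
# from the transforms.conf stanzas in the reply above.
HOST_OVERRIDES = [
    ("ossec-syslog-hostoverride1",
     re.compile(r"ossec: Alert.*?Location: \((.*?)\) ([\d\.]+)->")),
    ("ossec-syslog-hostoverride2",
     re.compile(r"ossec: Alert.*?Location: ([^\(\)]+)->")),
]
OSSEC_SERVER = re.compile(r"\s(\S+) ossec:\s")

# Constructed sample lines (not from the thread) in the shape OSSEC's
# syslog_output produces once the syslog input has prepended its header.
# 1: alert from a remote agent, 2: alert local to the OSSEC server,
# 3: an unrelated syslog line arriving on the same input.
SAMPLE_EVENTS = [
    "Apr  7 02:25:01 ossecsrv ossec: Alert Level: 5; Rule: 18100 - Windows "
    "message.; Location: (winsrvr) 10.20.30.40->WinEvtLog; user: bob;",
    "Apr  7 02:25:02 ossecsrv ossec: Alert Level: 3; Rule: 5501 - Login "
    "session opened.; Location: ossecsrv->/var/log/auth.log; user: alice;",
    "Apr  7 02:25:03 ossecsrv sshd[1234]: Accepted publickey for alice "
    "from 192.0.2.10 port 51234 ssh2",
]


def resolve_host(event, default_host):
    """Return (host, ossec_server) for one raw syslog line.

    host is what MetaData:Host would become: the agent name captured by the
    first override that matches, else the unchanged default (the syslog
    sender). The two overrides cannot both match one line, because a
    parenthesised Location fails hostoverride2's [^()] class and an
    unparenthesised one fails hostoverride1's literal "(".
    """
    host = default_host
    for _name, pattern in HOST_OVERRIDES:
        m = pattern.search(event)
        if m:
            host = m.group(1)
    srv = OSSEC_SERVER.search(event)
    return host, (srv.group(1) if srv else None)


def resolve_all(events=SAMPLE_EVENTS, default_host="localhost"):
    """Apply resolve_host to every sample line, in order."""
    return [resolve_host(e, default_host) for e in events]


if __name__ == "__main__":
    for event, (host, srv) in zip(SAMPLE_EVENTS, resolve_all()):
        print(f"host={host!r:12} ossec_server={srv!r:12} <- {event[:60]}...")
```

The third line keeps host=localhost and no ossec_server, which is the behaviour you want: the overrides only rewrite events that carry an OSSEC alert.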
