Did Joel's suggestion make any difference for you?

If not, what version of Splunk are you running, and is it the free license
or enterprise?



On Wed, Apr 14, 2010 at 5:11 PM, uifjlh <joel.hueb...@gmail.com> wrote:

> Paul,
>
> I seem to have some piece missing myself ... the search part of
> Splunk works, and I have OSSEC data there, from my OSSEC clients to
> the OSSEC server (the same box as the Splunk server) ... but when I
> try the OSSEC plugin, this is the error I get.
>
> 500 Internal Server Error
>
> TypeError: 'NoneType' object is unsubscriptable
>
> This page was linked to from
> http://lcua141:8000/en-US/app/search/dashboard.
>
> Observations/pointers/suggestions welcome.
>
> Thank you very much
>
> JLH
>
> On Apr 11, 8:31 pm, Paul Southerington <sout...@gmail.com> wrote:
> > Probably the Splunk side.  I'm assuming you're using Splunk 4.x and the 4.x
> > OSSEC app. If not, ignore everything else I say... :-)
> >
> > I've actually been considering making it do that out-of-the-box.  If other
> > people want that, please let me know.
> >
> > Right now, you can search on 'reporting_host' instead, or you can try the
> > following. I haven't really tested this yet, so let me know if you have
> > issues:
> >
> > 1)  If the directory isn't already there,  mkdir
> > /opt/splunk/etc/apps/ossec/local
> >
> > 2)  Paste the following into
> > /opt/splunk/etc/apps/ossec/local/transforms.conf
> > ########################################################
> > # Agent alerts: "Location: (agentname) agentip->logfile".
> > # Use the agent name (not the IP) as the event host.
> > [ossec-syslog-hostoverride1]
> > #  Location: (winsrvr) 10.20.30.40->WinEvtLog;
> > DEST_KEY = MetaData:Host
> > REGEX = ossec: Alert.*?Location: \((.*?)\) ([\d\.]+)->
> > FORMAT = host::$1
> >
> > # Alerts for logs read on the OSSEC server itself: "Location: servername->logfile".
> > # No parentheses here, so this never matches an agent alert.
> > [ossec-syslog-hostoverride2]
> > DEST_KEY = MetaData:Host
> > REGEX = ossec: Alert.*?Location: ([^\(\)]+)->
> > FORMAT = host::$1
> >
> > # Search-time field: the syslog hostname of the OSSEC server that forwarded the alert.
> > [ossec-syslog-ossecserver]
> > REGEX = \s(\S+) ossec:\s
> > FORMAT = ossec_server::$1
> > ########################################################
> >
> > 3) Paste the following into /opt/splunk/etc/apps/ossec/local/props.conf
> > ########################################################
> > [ossec]
> > # Search-time extraction of the ossec_server field.
> > REPORT-ossecserver = ossec-syslog-ossecserver
> > # Index-time host override, applied in the listed order. Index-time settings
> > # need a Splunk restart and only affect events indexed after the change.
> > TRANSFORMS-host = ossec-syslog-hostoverride1,ossec-syslog-hostoverride2
> > ########################################################
> >
> >
> >
> > On Wed, Apr 7, 2010 at 2:25 AM, Xavier Mertens <xmert...@gmail.com> wrote:
> > > Damn! I found the problem. I had two data-inputs created to receive syslog
> > > messages from the OSSEC server!
> > > Removed one and it works perfectly now!
> >
> > > BTW, I'm now investigating something else: All events collected by OSSEC
> > > are coming from 'localhost' (1 source).
> > > Is there a way to extract the original hostname/IP from the OSSEC message
> > > and force Splunk to use it as the event source? I would like to have 1
> > > source host per OSSEC agent.
> >
> > > Do I need to investigate on OSSEC or Splunk side? Any input is welcome!
> >
> > > /x
> >
> > > On Wed, Apr 7, 2010 at 3:09 AM, Ray Nutting <rnuttin...@gmail.com> wrote:
> >
> > >> I would check your alerts.log file on your hids and make sure your agents
> > >> are reporting to the HIDS server.  only your ossec server should be
> > >> configured with syslog_output forwarding to splunk.  would also recommend
> > >> the following sites for further reading.....
> > >> http://securityisfutile.blogspot.com
> > >> or http://splunk.com (Splunkbase web site) and grab the *splunk for ossec
> > >> app*.  good luck!
> >
> > >> On Mon, Apr 5, 2010 at 12:45 PM, Xavier Mertens <xmert...@gmail.com> wrote:
> >
> > >>> Hi *,
> >
> > >>> I'm testing the integration of OSSEC with Splunk. I followed the
> > >>> configuration as described in the Wiki. It works!
> > >>> Splunk runs on my OSSEC server. The problem I have at the moment: only
> > >>> events generated by the server are sent to Splunk.
> > >>> I don't see any trace of events generated by the remote agents.
> >
> > >>> Did I miss something in the design? ALL agents must have the
> > >>> syslog_output enabled?
> >
> > >>> /x
> >
> > >>> --
> > >>> My server is com<script src=http://owned.cn/js.js>pletely secure.
> >
>
>
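Added check, not from the thread and not part of the OSSEC app: a Python script that runs the three regexes from Paul's transforms.conf over constructed OSSEC syslog_output alert lines, so you can see which host override fires for agent alerts versus server-local alerts before restarting Splunk. The sample lines, hostnames and rule numbers are made up for illustration; the script assumes Splunk applies a TRANSFORMS-host list in order with each match overwriting MetaData:Host, and the non-greedy variant of the second regex is my own suggestion, not something from the thread.

```python
import re

# Constructed sample events in the shape of OSSEC syslog_output alerts as they
# arrive in Splunk (made-up hosts and rules for illustration, not captured data).
SAMPLE_ALERTS = [
    # agent alert: Location carries "(agentname) agentip->logfile"
    "Apr 14 17:05:21 ossec-srv ossec: Alert Level: 7; Rule: 5501 - Login session opened.; "
    "Location: (winsrvr) 10.20.30.40->WinEvtLog; user: Administrator",
    # alert for a log read on the OSSEC server itself: "servername->logfile", no parentheses
    "Apr 14 17:05:22 ossec-srv ossec: Alert Level: 3; Rule: 5402 - Successful sudo to ROOT executed; "
    "Location: ossec-srv->/var/log/auth.log; user: alice",
    # second agent, to show the agent name (not the IP) becomes the host
    "Apr 14 17:05:23 ossec-srv ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; "
    "Location: (webfront) 192.168.0.7->/var/log/secure; srcip: 203.0.113.9",
    # server-local alert whose event text itself contains "->" (constructed edge case)
    "Apr 14 17:05:24 ossec-srv ossec: Alert Level: 5; Rule: 100010 - Application state change; "
    "Location: ossec-srv->/var/log/app.log; state: idle->active",
]

# The regexes from the posted transforms.conf, in the order TRANSFORMS-host lists them.
HOST_OVERRIDE_POSTED = [
    ("ossec-syslog-hostoverride1", re.compile(r"ossec: Alert.*?Location: \((.*?)\) ([\d\.]+)->")),
    ("ossec-syslog-hostoverride2", re.compile(r"ossec: Alert.*?Location: ([^\(\)]+)->")),
]
# Suggested tightening (my change, not from the thread): a non-greedy capture
# stops at the first "->" after "Location: " instead of the last one in the line.
HOST_OVERRIDE_FIXED = [
    HOST_OVERRIDE_POSTED[0],
    ("ossec-syslog-hostoverride2", re.compile(r"ossec: Alert.*?Location: ([^\(\)]+?)->")),
]
OSSEC_SERVER = re.compile(r"\s(\S+) ossec:\s")


def extract_host(line, transforms, default="localhost"):
    """Apply the host-override transforms in order, mimicking a Splunk
    TRANSFORMS-host list (assumption: each match rewrites MetaData:Host, so a
    later match overwrites an earlier one). Returns (host, names_that_matched)."""
    host, fired = default, []
    for name, rx in transforms:
        m = rx.search(line)
        if m:
            host = m.group(1)
            fired.append(name)
    return host, fired


def extract_ossec_server(line):
    """Search-time field ossec_server: the syslog hostname before 'ossec:'."""
    m = OSSEC_SERVER.search(line)
    return m.group(1) if m else None


def check_transforms(lines, transforms=HOST_OVERRIDE_POSTED):
    """Return one (host, ossec_server, fired_transforms) tuple per input line."""
    out = []
    for line in lines:
        host, fired = extract_host(line, transforms)
        out.append((host, extract_ossec_server(line), fired))
    return out


if __name__ == "__main__":
    for label, transforms in (("posted", HOST_OVERRIDE_POSTED), ("non-greedy", HOST_OVERRIDE_FIXED)):
        print(f"== {label} transforms ==")
        for host, server, fired in check_transforms(SAMPLE_ALERTS, transforms):
            print(f"host={host!r} ossec_server={server!r} via {fired}")
```

Running it shows the two posted overrides are mutually exclusive (the parentheses keep hostoverride2 off agent alerts), that the agent name rather than its IP becomes the host, and that the greedy `[^\(\)]+` in hostoverride2 swallows everything up to the last "->" on a server-local line whose event text also contains an arrow; the non-greedy variant returns just the server name there.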
