That sounds like Splunk's automatic sourcetype assignment. How do you have
the data coming in? (syslog? Direct to a Splunk listening port? Or pointed
directly to the OSSEC alerts file on the local machine?)

If you look in inputs.conf, or in the Manager within Splunk you should be
able to set the sourcetype to 'ossec' there.



On Thu, Apr 15, 2010 at 8:25 AM, Joel Merrick <[email protected]> wrote:

> On Thu, Apr 15, 2010 at 1:22 PM, Joel Merrick <[email protected]>
> wrote:
> > Well, it doesn't seem to be displaying anything...
> >
> > OSSEC log directory is being monitored, however sourcetype="ossec"
> > produced nothing. Files have been indexed.
> >
> > Any ideas?
>
> Seems as though the string parsing is not right.
>
> splunk is setting the sourcetype to ossec-{level}
>
> A simple recode in the search query from
>
> sourcetype="ossec"
>
> to
>
> sourcetype="ossec*"
>
> Works.
>
>
> >
> > On Thu, Apr 15, 2010 at 1:05 PM, Joel Merrick <[email protected]>
> wrote:
> >> I have this working now,
> >>
> >> I had to manually add an application, then copy the contents of the
> >> tarball... restart.. works!
> >>
> >> h.t.h.
> >>
> >> --
> >> $ echo "kpfmAdpoofdufevq/dp/vl" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
> >>
> >
> >
> >
> > --
> > $ echo "kpfmAdpoofdufevq/dp/vl" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
> >
>
>
>
> --
> $ echo "kpfmAdpoofdufevq/dp/vl" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
>
>
> --
> To unsubscribe, reply using "remove me" as the subject.
>

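Pinning the sourcetype from the input side, as the reply at the top suggests, looks like the fragment below. It is an added example, not configuration from the thread or from any Splunk/OSSEC app: the monitor path, index name and field names are assumptions, and it is only relevant when no installed app overrides the sourcetype for that file.

```ini
# inputs.conf (assumed OSSEC server path; adjust to your install)
# Setting sourcetype here stops Splunk from guessing one for the file,
# so the plain search sourcetype="ossec" matches the indexed events.
[monitor:///var/ossec/logs/alerts/alerts.log]
sourcetype = ossec
index = ossec
disabled = false

# props.conf
# OSSEC writes one alert per multi-line record starting with "** Alert <epoch>.<id>:",
# so merge lines and break only at that header.
[ossec]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\*\* Alert \d+\.\d+:
# The epoch in the header is the alert time; read it instead of the free-text date line.
TIME_PREFIX = ^\*\* Alert 
TIME_FORMAT = %s
MAX_TIMESTAMP_LOOKAHEAD = 10
# Pull rule id, level and description out of the "Rule:" line (assumed field names)
# so searches can filter on level without relying on an ossec-{level} sourcetype.
EXTRACT-ossec_rule = Rule: (?<rule_id>\d+) \(level (?<level>\d+)\) -> '(?<description>[^']+)'
```

After restarting Splunk, events already indexed keep their old ossec-{level} sourcetype; only new data picks up the fixed one, so `sourcetype="ossec*"` remains the safe search until the old events age out.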