Hi Paul, It took me some time to apply your suggestion, but finally I did it and it works perfectly! Thanks a LOT!
On Mon, Apr 12, 2010 at 3:31 AM, Paul Southerington <[email protected]> wrote:
> Probably the Splunk side. I'm assuming you're using Splunk 4.x and the 4.x
> OSSEC app. If not, ignore everything else I say... :-)
>
> I've actually been considering making it do that out-of-the-box. If other
> people want that, please let me know.
>
> Right now, you can search on 'reporting_host' instead, or you can try the
> following. I haven't really tested this yet, so let me know if you have
> issues:
>
> 1) If the directory isn't already there, mkdir /opt/splunk/etc/apps/ossec/local
>
> 2) Paste the following into /opt/splunk/etc/apps/ossec/local/transforms.conf
> ########################################################
> [ossec-syslog-hostoverride1]
> # Location: (winsrvr) 10.20.30.40->WinEvtLog;
> DEST_KEY = MetaData:Host
> REGEX = ossec: Alert.*?Location: \((.*?)\) ([\d\.]+)->
> FORMAT = host::$1
>
> [ossec-syslog-hostoverride2]
> DEST_KEY = MetaData:Host
> REGEX = ossec: Alert.*?Location: ([^\(\)]+)->
> FORMAT = host::$1
>
> [ossec-syslog-ossecserver]
> REGEX = \s(\S+) ossec:\s
> FORMAT = ossec_server::$1
> ########################################################
>
> 3) Paste the following into /opt/splunk/etc/apps/ossec/local/props.conf
> ########################################################
> [ossec]
> FIELDALIAS-ossec-server=
> REPORT-ossecserver = ossec-syslog-ossecserver
> TRANSFORMS-host = ossec-syslog-hostoverride1,ossec-syslog-hostoverride2
> ########################################################
>
> On Wed, Apr 7, 2010 at 2:25 AM, Xavier Mertens <[email protected]> wrote:
>
>> Damn! I found the problem. I had two data inputs created to receive syslog
>> messages from the OSSEC server!
>> Removed one and it works perfectly now!
>>
>> BTW, I'm now investigating something else: all events collected by OSSEC
>> are coming from 'localhost' (1 source).
>> Is there a way to extract the original hostname/IP from the OSSEC message
>> and force Splunk to use it as the event source? I would like to have 1
>> source host per OSSEC agent.
>>
>> Do I need to investigate on the OSSEC or Splunk side? Any input is welcome!
>>
>> /x
>>
>> On Wed, Apr 7, 2010 at 3:09 AM, Ray Nutting <[email protected]> wrote:
>>
>>> I would check your alerts.log file on your HIDS and make sure your agents
>>> are reporting to the HIDS server. Only your OSSEC server should be
>>> configured with syslog_output forwarding to Splunk. I would also recommend
>>> the following sites for further reading.....
>>> http://securityisfutile.blogspot.com
>>> or http://splunk.com (Splunkbase web site) and grab the *Splunk for
>>> OSSEC app*. Good luck!
>>>
>>> On Mon, Apr 5, 2010 at 12:45 PM, Xavier Mertens <[email protected]> wrote:
>>>
>>>> Hi *,
>>>>
>>>> I'm testing the integration of OSSEC with Splunk. I followed the
>>>> configuration as described in the Wiki. It works!
>>>> Splunk runs on my OSSEC server. The problem I have at the moment: only
>>>> events generated by the server are sent to Splunk.
>>>> I don't see any trace of events generated by the remote agents.
>>>>
>>>> Did I miss something in the design? Must ALL agents have
>>>> syslog_output enabled?
>>>>
>>>> /x

--
My server is com<script src=http://owned.cn/js.js>pletely secure.

--
Subscription settings: http://groups.google.com/group/ossec-list/subscribe?hl=en
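The transforms Paul posted can be checked offline before they go into a live Splunk instance. The script below is an added example and is not part of the thread or of the OSSEC app: it applies the three regexes from the quoted transforms.conf, unchanged, to constructed OSSEC syslog_output-style alert lines and reproduces what Splunk's TRANSFORMS-host and REPORT stanzas would extract. It assumes Python's re engine treats these particular patterns the same way Splunk's PCRE does (true for the syntax used here), and it uses invented hostnames and sample lines. It also shows one edge case worth knowing: the hostoverride2 capture `[^\(\)]+` is greedy, so if the alert's log payload itself contains a second "->", the whole stretch up to the last "->" becomes the host; a non-greedy variant (my suggestion, not from the thread) avoids that.

```python
import re

# Regexes copied verbatim from the transforms.conf quoted above.
# Splunk evaluates them as PCRE; Python's re handles this syntax identically.
HOSTOVERRIDE1 = re.compile(r"ossec: Alert.*?Location: \((.*?)\) ([\d\.]+)->")
HOSTOVERRIDE2 = re.compile(r"ossec: Alert.*?Location: ([^\(\)]+)->")
OSSECSERVER = re.compile(r"\s(\S+) ossec:\s")

# Tightened variant of hostoverride2 (suggested here, not from the thread):
# a non-greedy capture stops at the FIRST "->" after "Location: ".
HOSTOVERRIDE2_TIGHT = re.compile(r"ossec: Alert.*?Location: ([^\(\)]+?)->")


def splunk_host(event, transforms=(HOSTOVERRIDE1, HOSTOVERRIDE2), default="localhost"):
    """Mimic TRANSFORMS-host: the listed transforms run in order and each match
    overwrites MetaData:Host, so a later match wins. The two posted patterns are
    mutually exclusive (one requires a "(" after "Location: ", the other forbids
    it), so their order does not matter. 'default' stands in for the host that
    the syslog input assigned, which on the poster's setup was 'localhost'."""
    host = default
    for rx in transforms:
        m = rx.search(event)
        if m:
            host = m.group(1)
    return host


def ossec_server(event):
    """Mimic REPORT-ossecserver: the syslog hostname preceding 'ossec:'.
    Note the leading \\s: the hostname must be preceded by whitespace, which
    holds when the raw event starts with the syslog timestamp."""
    m = OSSECSERVER.search(event)
    return m.group(1) if m else None


# Constructed sample events (not captured from a real system), shaped like
# OSSEC syslog_output: syslog timestamp, OSSEC server hostname, 'ossec:' tag,
# then the alert with its Location field.
AGENT_LINUX = ("Apr 12 03:31:00 ossec-srv ossec: Alert Level: 3; Rule: 5501 - Login session opened.; "
               "Location: (agent01) 10.20.30.40->/var/log/auth.log; ...")
AGENT_WINDOWS = ("Apr 12 03:31:01 ossec-srv ossec: Alert Level: 3; Rule: 18107 - Windows Logon Success.; "
                 "Location: (winsrvr) 10.20.30.41->WinEvtLog; ...")
LOCAL = ("Apr 12 03:31:02 ossec-srv ossec: Alert Level: 3; Rule: 5402 - Successful sudo to ROOT executed; "
         "Location: ossec-srv->/var/log/secure; ...")
# Local event whose log payload contains a second "->": trips the greedy capture.
LOCAL_ARROW = ("Apr 12 03:31:03 ossec-srv ossec: Alert Level: 5; Rule: 1002 - Unknown problem somewhere in the system.; "
               "Location: ossec-srv->/var/log/messages; kernel: iface state eth0 down->up")
# A non-OSSEC syslog line arriving on the same input: no transform should fire.
NOT_OSSEC = "Apr 12 03:31:04 ossec-srv sshd[1234]: Accepted publickey for admin from 10.0.0.5"


def classify(event, transforms=(HOSTOVERRIDE1, HOSTOVERRIDE2)):
    """Return what Splunk would record for this event under the posted config."""
    return {"host": splunk_host(event, transforms), "ossec_server": ossec_server(event)}


if __name__ == "__main__":
    for ev in (AGENT_LINUX, AGENT_WINDOWS, LOCAL, LOCAL_ARROW, NOT_OSSEC):
        print(classify(ev))
    print("tightened:", classify(LOCAL_ARROW, (HOSTOVERRIDE1, HOSTOVERRIDE2_TIGHT)))
```

Run it and compare the two results for LOCAL_ARROW: with the posted hostoverride2 the host becomes the whole string up to the last "->", with the non-greedy variant it is just the server name. Agent events are unaffected either way, because hostoverride1's `\((.*?)\)` is already non-greedy and the IP capture is anchored on "->".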
