On Thu, Apr 15, 2010 at 9:28 PM, Paul Southerington <sout...@gmail.com> wrote:
> That sounds like Splunk's automatic sourcetype assignment. How do you have
> the data coming in? (syslog? Direct to a Splunk listening port? Or pointed
> directly to the OSSEC alerts file on the local machine?)

Sorry, only just seen this.

I've got rsyslog accepting syslog traffic from remote servers and
Splunk/OSSEC is indexing and analysing that.


>
> If you look in inputs.conf, or in the Manager within Splunk you should be
> able to set the sourcetype to 'ossec' there.
>

Cool, will give it a whirl :)

>
>
> On Thu, Apr 15, 2010 at 8:25 AM, Joel Merrick <joel.merr...@gmail.com>
> wrote:
>>
>> On Thu, Apr 15, 2010 at 1:22 PM, Joel Merrick <joel.merr...@gmail.com>
>> wrote:
>> > Well, it doesn't seem to be displaying anything...
>> >
>> > OSSEC log directory is being monitored, however sourcetype="ossec"
>> > produced nothing. Files have been indexed.
>> >
>> > Any ideas?
>>
>> Seems as though the string parsing is not right.
>>
>> Splunk is setting the sourcetype to ossec-{level}.
>>
>> A simple recode in the search query from
>>
>> sourcetype="ossec"
>>
>> to
>>
>> sourcetype="ossec*"
>>
>> Works.
>>
>>
>> >
>> > On Thu, Apr 15, 2010 at 1:05 PM, Joel Merrick <joel.merr...@gmail.com>
>> > wrote:
>> >> I have this working now,
>> >>
>> >> I had to manually add an application, then copy the contents of the
>> >> tarball... restart... works!
>> >>
>> >> h.t.h.
>> >>
>> >> --
>> >> $ echo "kpfmAdpoofdufevq/dp/vl" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
>> >>



-- 
$ echo "kpfmAdpoofdufevq/dp/vl" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
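For the inputs.conf route Paul points at, the stanza below is an added example written for this thread, not configuration from the thread's authors or from the OSSEC Splunk app. It monitors the OSSEC alerts file and pins its sourcetype so automatic sourcetype assignment cannot vary it. The file path (the default OSSEC alerts location) and the index name are assumptions.

```ini
# Added example, not from the thread: place in
# $SPLUNK_HOME/etc/system/local/inputs.conf (or the app's local/inputs.conf).
# The alerts path and the index name are assumptions; adjust to your install.
[monitor:///var/ossec/logs/alerts/alerts.log]
# Set the sourcetype explicitly rather than relying on automatic assignment,
# which in this thread produced ossec-{level} instead of plain ossec.
sourcetype = ossec
index = ossec
disabled = false
```

After a Splunk restart, newly indexed events from that file carry sourcetype=ossec, so an exact sourcetype="ossec" search matches them; events indexed earlier keep whatever sourcetype they were assigned at index time, so the wildcard sourcetype="ossec*" search Joel used is still the one that covers both forms.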