On Thu, Apr 15, 2010 at 9:28 PM, Paul Southerington <sout...@gmail.com> wrote:
> That sounds like Splunk's automatic sourcetype assignment. How do you have
> the data coming in? (syslog? Direct to a Splunk listening port? Or pointed
> directly to the OSSEC alerts file on the local machine?)

Sorry, only just seen this. I've got rsyslog accepting syslog traffic from remote servers, and Splunk/OSSEC is indexing and analysing that.

> If you look in inputs.conf, or in the Manager within Splunk, you should be
> able to set the sourcetype to 'ossec' there.

Cool, will give it a whirl :)

> On Thu, Apr 15, 2010 at 8:25 AM, Joel Merrick <joel.merr...@gmail.com> wrote:
>>
>> On Thu, Apr 15, 2010 at 1:22 PM, Joel Merrick <joel.merr...@gmail.com> wrote:
>> > Well, it doesn't seem to be displaying anything...
>> >
>> > OSSEC log directory is being monitored, however sourcetype="ossec"
>> > produced nothing. Files have been indexed.
>> >
>> > Any ideas?
>>
>> Seems as though the string parsing is not right.
>>
>> Splunk is setting the sourcetype to ossec-{level}
>>
>> A simple recode in the search query from
>>
>> sourcetype="ossec"
>>
>> to
>>
>> sourcetype="ossec*"
>>
>> works.
>>
>> > On Thu, Apr 15, 2010 at 1:05 PM, Joel Merrick <joel.merr...@gmail.com> wrote:
>> >> I have this working now.
>> >>
>> >> I had to manually add an application, then copy the contents of the
>> >> tarball... restart... works!
>> >>
>> >> h.t.h.
>> >>
>> >> --
>> >> $ echo "kpfmAdpoofdufevq/dp/vl" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
>>
>> --
>> To unsubscribe, reply using "remove me" as the subject.

--
$ echo "kpfmAdpoofdufevq/dp/vl" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
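One way to pin the sourcetype in inputs.conf as Paul suggests, so that Splunk's automatic assignment stops producing per-level names like ossec-7 for newly indexed events. This is an added illustration, not configuration from anyone in the thread; the alerts-file path and the index name are assumptions.

```ini
# inputs.conf (added example; the path and index name are assumptions)
# Monitor the local OSSEC alerts file and set the sourcetype explicitly.
# With sourcetype pinned here, a plain sourcetype="ossec" search matches
# every event from this input instead of relying on learned names.
[monitor:///var/ossec/logs/alerts/alerts.log]
sourcetype = ossec
index = ossec
disabled = false
```

Events indexed before the change keep their learned ossec-{level} sourcetypes, so a search that needs to cover both old and new data still wants sourcetype="ossec*".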