I had OSSEC talking to Splunk for a few days. I have version 4.1 of
Splunk, the 4.1 OSSEC plugin/application for Splunk, and I double
checked that the config files were correct. OSSEC v2.4.

Last Friday at 1300 Splunk just stopped reading OSSEC data!

I'm running the eval copy of Splunk, but I don't know what to do.

On Apr 14, 4:11 pm, uifjlh <joel.hueb...@gmail.com> wrote:
> Paul,
>
> I seem to have some piece missing myself... the search part of
> Splunk works, and I have OSSEC data there, from my OSSEC clients to
> the OSSEC server (the same box as the Splunk server)... but when I
> try the OSSEC plugin, this is the error I get.
>
> 500 Internal Server Error
>
> TypeError: 'NoneType' object is unsubscriptable
>
> This page was linked to from http://lcua141:8000/en-US/app/search/dashboard.
>
> Observations/pointers/suggestions welcome.
>
> Thank you very much
>
> JLH
>
> On Apr 11, 8:31 pm, Paul Southerington <sout...@gmail.com> wrote:
>
> > Probably the Splunk side.  I'm assuming you're using Splunk 4.x and the 4.x
> > OSSEC app. If not, ignore everything else I say... :-)
>
> > I've actually been considering making it do that out-of-the-box.  If other
> > people want that, please let me know.
>
> > Right now, you can search on 'reporting_host' instead, or you can try the
> > following. I haven't really tested this yet, so let me know if you have
> > issues:
>
> > 1) If the directory isn't already there, mkdir
> > /opt/splunk/etc/apps/ossec/local
>
> > 2)  Paste the following into
> > /opt/splunk/etc/apps/ossec/local/transforms.conf
> > ########################################################
> > # Agent alerts look like:  Location: (winsrvr) 10.20.30.40->WinEvtLog;
> > # Capture the agent name in parentheses and make it the event host.
> > [ossec-syslog-hostoverride1]
> > DEST_KEY = MetaData:Host
> > REGEX = ossec: Alert.*?Location: \((.*?)\) ([\d\.]+)->
> > FORMAT = host::$1
>
> > # Alerts raised on the OSSEC server itself look like:
> > #   Location: ossecsrv->/var/log/messages;
> > # The lazy +? stops at the first "->", so a later "->" inside the
> > # logged message cannot be swallowed into the host value.
> > [ossec-syslog-hostoverride2]
> > DEST_KEY = MetaData:Host
> > REGEX = ossec: Alert.*?Location: ([^\(\)]+?)->
> > FORMAT = host::$1
>
> > # Search-time field: the syslog hostname in front of "ossec:" is the
> > # OSSEC server that forwarded the alert.
> > [ossec-syslog-ossecserver]
> > REGEX = \s(\S+) ossec:\s
> > FORMAT = ossec_server::$1
> > ########################################################
>
> > 3) Paste the following into /opt/splunk/etc/apps/ossec/local/props.conf
> > ########################################################
> > [ossec]
> > # Search-time extraction of the ossec_server field
> > REPORT-ossecserver = ossec-syslog-ossecserver
> > # Index-time host override; the transforms run in the order listed
> > TRANSFORMS-host = ossec-syslog-hostoverride1,ossec-syslog-hostoverride2
> > ########################################################
>
> > On Wed, Apr 7, 2010 at 2:25 AM, Xavier Mertens <xmert...@gmail.com> wrote:
> > > Damn! I found the problem. I had two data-inputs created to receive syslog
> > > messages from the OSSEC server!
> > > Removed one and it works perfectly now!
>
> > > BTW, I'm now investigating something else: All events collected by OSSEC
> > > are coming from 'localhost' (1 source).
> > > Is there a way to extract the original hostname/IP from the OSSEC message
> > > and force Splunk to use it as the event source? I would like to have 1
> > > source host per OSSEC agent.
>
> > > Do I need to investigate on OSSEC or Splunk side? Any input is welcome!
>
> > > /x
>
> > > On Wed, Apr 7, 2010 at 3:09 AM, Ray Nutting <rnuttin...@gmail.com> wrote:
>
> > >> I would check your alerts.log file on your HIDS and make sure your agents
> > >> are reporting to the HIDS server. Only your OSSEC server should be
> > >> configured with syslog_output forwarding to Splunk. I would also recommend
> > >> the following sites for further reading:
> > >> http://securityisfutile.blogspot.com
> > >> or http://splunk.com (Splunkbase web site) and grab the *Splunk for OSSEC
> > >> app*. Good luck!
>
> > >> On Mon, Apr 5, 2010 at 12:45 PM, Xavier Mertens <xmert...@gmail.com> wrote:
>
> > >>> Hi *,
>
> > >>> I'm testing the integration of OSSEC with Splunk. I followed the
> > >>> configuration as described in the Wiki. It works!
> > >>> Splunk runs on my OSSEC server. The problem I have at the moment: only
> > >>> events generated by the server are sent to Splunk.
> > >>> I don't see any trace of events generated by the remote agents.
>
> > >>> Did I miss something in the design? Must ALL agents have
> > >>> syslog_output enabled?
>
> > >>> /x
>
> > >>> --
> > >>> My server is com<script src=http://owned.cn/js.js>pletely secure.
>
> > > --
> > > My server is com<script src=http://owned.cn/js.js>pletely secure.
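To check that the host-override transforms discussed above do what the thread expects before restarting Splunk, here is an added Python example (not code from the thread, the OSSEC project or the Splunk app). It runs the same regexes over a few constructed OSSEC syslog_output lines and emulates what Splunk would write to MetaData:Host and to the search-time ossec_server field. The hostnames, agent name, rule IDs and log bodies are made up for the example; the regexes are the ones from the transforms.conf, and the second host override is shown in both a greedy `[^\(\)]+` and a lazy `[^\(\)]+?` form so you can see why the lazy form is safer when a logged message itself contains "->".

```python
import re

# Constructed sample lines in the shape OSSEC 2.x syslog_output sends to a
# remote syslog listener. Hosts, agent name, rule IDs and bodies are made up.
SAMPLE_LINES = [
    # Alert from an agent: Location carries "(agent) ip->log"
    "Apr  7 02:25:01 ossecsrv ossec: Alert Level: 7; Rule: 18105 - Windows Logon Failure.; "
    "Location: (winsrvr) 10.20.30.40->WinEvtLog; user: bob; "
    "WinEvtLog: Security: AUDIT_FAILURE(4625): ...",
    # Alert raised on the OSSEC server itself: Location is "host->log"
    "Apr  7 02:25:05 ossecsrv ossec: Alert Level: 3; Rule: 5402 - Successful sudo to ROOT executed; "
    "Location: ossecsrv->/var/log/auth.log; user: root; "
    "Apr  7 02:25:04 ossecsrv sudo:   alice : TTY=pts/0 ; COMMAND=/bin/bash",
    # Server alert whose logged message also contains '->' (the greedy pitfall)
    "Apr  7 02:25:09 ossecsrv ossec: Alert Level: 5; Rule: 100100 - Forwarded packet dropped.; "
    "Location: ossecsrv->/var/log/messages; "
    "Apr  7 02:25:08 ossecsrv kernel: FORWARD DROP 10.0.0.5->10.0.0.9 proto=6",
    # Unrelated syslog line from the same box: no "ossec:", no Location
    "Apr  7 02:25:11 ossecsrv sshd[1234]: Accepted publickey for alice from 10.0.0.7 port 52211 ssh2",
]

# The regexes from the transforms.conf in the thread (Splunk uses PCRE; these
# are also valid for Python's re module), plus a lazy variant of the second one.
AGENT_HOST = re.compile(r"ossec: Alert.*?Location: \((.*?)\) ([\d\.]+)->")
LOCAL_HOST_GREEDY = re.compile(r"ossec: Alert.*?Location: ([^\(\)]+)->")
LOCAL_HOST_LAZY = re.compile(r"ossec: Alert.*?Location: ([^\(\)]+?)->")
OSSEC_SERVER = re.compile(r"\s(\S+) ossec:\s")


def splunk_host(line, greedy=False):
    """Emulate TRANSFORMS-host: the value Splunk would write to MetaData:Host,
    or None when neither transform matches (Splunk then keeps the host of the
    syslog input, i.e. the OSSEC server)."""
    local_rx = LOCAL_HOST_GREEDY if greedy else LOCAL_HOST_LAZY
    host = None
    # Transforms in a TRANSFORMS-<class> list run in order; every one that
    # matches overwrites DEST_KEY, so the last match wins.
    for rx in (AGENT_HOST, local_rx):
        m = rx.search(line)
        if m:
            host = m.group(1)
    return host


def ossec_server(line):
    """Emulate the REPORT-ossecserver search-time extraction."""
    m = OSSEC_SERVER.search(line)
    return m.group(1) if m else None


def index_events(lines, greedy=False):
    """Return (host, ossec_server, line) triples as the events would look in
    Splunk after both extractions."""
    return [(splunk_host(l, greedy), ossec_server(l), l) for l in lines]


if __name__ == "__main__":
    for host, server, line in index_events(SAMPLE_LINES):
        print(f"host={host!r:<12} ossec_server={server!r:<12} {line[:60]}...")
    # The greedy form swallows everything up to the last '->' in the message:
    print("greedy host:", splunk_host(SAMPLE_LINES[2], greedy=True))
```

Two things worth knowing when you deploy the real config: TRANSFORMS-host is an index-time setting, so it only affects events indexed after Splunk is restarted (events already in the index keep the OSSEC server as host), and the REPORT extraction is search-time, so ossec_server appears on old and new events alike.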
