On Apr 11, 7:31 pm, Paul Southerington <sout...@gmail.com> wrote:
> <snip>
> I've actually been considering making it do that out-of-the-box. If other
> people want that, please let me know.
>
> Right now, you can search on 'reporting_host' instead, or you can try the
> following. I haven't really tested this yet, so let me know if you have
> issues:
> <snip>
To Paul, first, I wanted to thank you for your work! I specifically wanted to provide feedback that yes, I would personally love to see this configured out of the box, or, even better yet, as a feature that can simply be "switched on". While your out-of-the-box configuration is arguably more "to spec", in practice within my own environment I find this way to be more useful.

I am running OSSEC and Splunk on the same machine, so I followed your instructions with the plug-in to do direct parsing of the log files, along with your instructions below, and everything is working perfectly. I did modify the transform names from *syslog* to *locallog* for my own tracking, but other than that, your instructions worked perfectly.

Again, thank you very much for your work on this project!

-Jim