Hi, I have enabled indexes and it is OK (I see ossec agents), but when I make a search in Splunk, I get the message "no matching events found". I have tried to log in as root on my ossec agent or my ossec server by providing a wrong password, but it is not reported in Splunk when I make a search.
Regards,
John

________________________________
From: Satish Patel <[email protected]>
To: "[email protected]" <[email protected]>
Cc: "[email protected]" <[email protected]>
Sent: Mon, 28 February 2011, 16:11:01
Subject: Re: [ossec-list] uncofigured/disabled index error message

Where are you getting this error? I mean, in the Splunk search results? I have Splunk with the ossec management server running on the same box and everything works fine. There is a setting in the ossec apps to run a script to collect agent info.

--Sent from my iPhone

On Feb 28, 2011, at 4:52 AM, Ruta Jn <[email protected]> wrote:

> Hi,
>
> I have Splunk and ossec installed on the same server. Splunk is running as
> root. I have also installed ossec agents. When I make a search in Splunk, I see
> only 1 host (ossec server); I don't receive reports from ossec clients and I get
> the next error message in Splunk: "received event for unconfigured/disabled
> index='_audit' with source='source::audittrail' host='host::myhostname'
> sourcetype='sourcetype::audittrail'".
>
> Can you help me fix that problem and get all my reports from ossec
> agents?
>
> Regards,
>
> John
