I wonder if anyone else has seen this: Run OSSEC Manager and Splunk on same server - everything works perfectly, and in fact, when you install "Splunk for OSSEC" app (although dated, still works fine) - it reads the data perfectly and no issues with formats. In fact, you don't even have to do anything to Splunk, since the APP is already configured to monitor the /var/ossec/logs/alerts file(s) and related logs.
BUT -- if you set up Splunk on a different server than the OSSEC Manager, and use the suggested configuration for sending output to that Splunk server with a remote syslog connection on a port (example 10002) with a format of "Splunk" - then the Splunk for OSSEC app does NOT read the data correctly. You end up with weird double time/date stamps, missing fields for the original SRC and DEST, and other weird errors. If you change the output format to "Syslog" instead of "Splunk" it is just as bad. And one important difference -- if you are using "report_changes" for critical files - in the first example, the "diffs" show up in Splunk just fine, but in the second example - no matter what format you choose - the diffs no longer appear.

Just wondering if anyone else is using Splunk and the Splunk for OSSEC app, or just raw Splunk with your own apps, and seeing any strange formatting errors like this? I wonder whatever happened to the original "Splunk for OSSEC" authors and why it has not been updated in a couple of years?

Oh, and this is OSSEC 2.7 (and 2.7.1-beta) with Splunk 5.0.x. Any help would be appreciated - I tried posting in the Splunk forums, but no response there.

~J
