Hi, I am deploying "reporting and management for ossec" in a multisite distributed Splunk cluster. I am using a separate index for OSSEC and have named the index 'ossec_ops'. The problem symptoms are:

On the indexers, no dashboards are being displayed. The Agent-management tab is working fine though. On search heads, under the dashboards tab, OSSEC dashboard and OSSEC dashboard (SUMMARIZED) are being populated, but the OSSEC agent Status and OSSEC agent coverage are empty. What am I doing wrong? Any help is deeply appreciated, thanks!!

Below are my config files on Splunk.

-------------------------------------

inputs.conf on the Splunk servers, path /opt/splunk/etc/slave-apps/ossec/local:

    [monitor::///var/log/syslog/ossec]
    disabled = 0
    sourcetype = ossec
    index = ossec_ops

    [monitor::///var/log/syslog/ossec]
    disabled = 0
    sourcetype = ossec_splunk
    index = ossec_ops

eventtypes.conf on the Splunk servers, path /opt/splunk/etc/slave-apps/ossec/local:

    [ossec]
    search = index=ossec_ops (sourcetype=ossec* NOT sourcetype=ossec_agent_control)

inputs.conf on the OSSEC server, path /opt/splunkforwarder/etc/system/local/:

    [monitor:///var/ossec/logs/alerts/alerts*]
    disabled = 0
    index = ossec_ops
    sourcetype = ossec_alerts

    [monitor:///var/ossec/logs/ossec.log]
    disabled = 0
    index = ossec_ops
    sourcetype = ossec_log

    [monitor:///var/ossec/logs/active-responses.log]
    disabled = 0
    index = ossec_ops
    sourcetype = ossec_ar

----------------------

Thanks!!
Anita
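An added example, not part of Anita's post or of the OSSEC Splunk app: a small Python audit that parses Splunk-style .conf text, flags stanza names that repeat within one file (the indexer inputs.conf above declares the same monitor path twice), and checks which enabled inputs the post's [ossec] eventtype search would actually select. The assumption that a repeated stanza merges with later keys overriding earlier ones is stated in the code; the input text is a constructed copy of the stanzas quoted above.

```python
import fnmatch
# Constructed copies of two of the files quoted in the post (not taken from a live host).
FORWARDER_INPUTS = """
[monitor:///var/ossec/logs/alerts/alerts*]
disabled = 0
index = ossec_ops
sourcetype = ossec_alerts
"""
INDEXER_INPUTS = """
[monitor::///var/log/syslog/ossec]
disabled = 0
sourcetype = ossec
index = ossec_ops
[monitor::///var/log/syslog/ossec]
disabled = 0
sourcetype = ossec_splunk
index = ossec_ops
"""

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}} plus the names of repeated
    stanzas; a repeat is merged with later keys winning (assumed to mirror Splunk's merge)."""
    stanzas, duplicates, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current in stanzas:
                duplicates.append(current)
            stanzas.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas, duplicates

def selected_by_eventtype(index, sourcetype):
    """Mirror the post's [ossec] eventtype: index=ossec_ops (sourcetype=ossec* NOT sourcetype=ossec_agent_control)."""
    return (index == "ossec_ops" and fnmatch.fnmatchcase(sourcetype, "ossec*")
            and sourcetype != "ossec_agent_control")

def audit(text):
    """Report repeated stanzas and which enabled inputs the eventtype search would select."""
    stanzas, duplicates = parse_conf(text)
    selected = [s for s, kv in stanzas.items() if kv.get("disabled", "0") == "0"
                and selected_by_eventtype(kv.get("index", ""), kv.get("sourcetype", ""))]
    return {"duplicates": duplicates, "selected": selected,
            "ignored": [s for s in stanzas if s not in selected]}
```

Running `audit(INDEXER_INPUTS)` reports the repeated monitor stanza, whose merged result keeps only the second sourcetype (ossec_splunk); `audit(FORWARDER_INPUTS)` shows the forwarder input as selected by the eventtype.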
