Hello Brandon,
Sorry for the late response.

First, you could check if the splunk process is currently reading the alerts.json file with lsof:

    lsof /var/ossec/logs/alerts/alerts.json

If you check that the file is currently being read by the Splunk process, then you could check if your Splunk Forwarder is correctly configured. Check that the parameters in /opt/splunkforwarder/etc/system/local/outputs.conf look correct; they should point to your Splunk index or indexes, in case you have a cluster environment. You should have something like this. Check that the IPs match the indexes' IPs and also that your index(es) are listening for data on the specified port, 9997 by default:

    [tcpout]
    defaultGroup = default-autolb-group

    [tcpout:default-autolb-group]
    server = 172.16.2.6:9997

    [tcpout-server://172.16.2.6:9997]

If your problem persists, then you should check the connectivity between the Splunk Forwarder and the Splunk Indexer. Check your firewall rules, and you can also use tcpdump in order to monitor the packets that are being sent/received:

    tcpdump -i any port 9997 -AA

Also, you can check the metrics.log in the Splunk logs directory; check that no error logs appear in it.

I hope that helps, let me know if you still face this problem.

Best regards,
Manuel

On Wednesday, February 27, 2019 at 4:12:51 PM UTC+1, Brandon wrote:
> Has anyone successfully gotten Wazuh OSSEC data to an external instance of
> Splunk? Our Splunk admin is following the guide and we're having issues
> getting the logs to go into it. The app is configured and it's showing the
> agents in there, but the data is not passing. They had asked Splunk but
> they were not much help and there was a thread asking for understanding of
> instructions but no answer (
> https://answers.splunk.com/answers/681036/how-to-configure-the-wazuh-app-to-get-data-into-sp.html
> ).
>
> Thanks in advance,
> ~Brandon

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
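The four checks from Manuel's reply, scripted in order, as an added example that is not part of the original thread. The alerts.json and outputs.conf paths are the ones the reply names; the metrics.log path under /opt/splunkforwarder/var/log/splunk is an assumption, and all three can be overridden through the environment.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): runs the checks from the reply above in
# order. Paths are the thread's defaults; the metrics.log path is an assumption.
# Override any of the three through the environment.
ALERTS_JSON="${ALERTS_JSON:-/var/ossec/logs/alerts/alerts.json}"
OUTPUTS_CONF="${OUTPUTS_CONF:-/opt/splunkforwarder/etc/system/local/outputs.conf}"
METRICS_LOG="${METRICS_LOG:-/opt/splunkforwarder/var/log/splunk/metrics.log}"

# Check 1: is a splunk process holding alerts.json open? (needs lsof)
alerts_read_by_splunk() {
  command -v lsof >/dev/null || { echo "lsof not installed" >&2; return 2; }
  lsof "$1" 2>/dev/null | awk 'NR > 1 && tolower($1) ~ /splunk/ { f = 1 } END { exit !f }'
}

# Check 2: extract every host:port from "server = ..." lines of outputs.conf
# (read from stdin); a comma-separated cluster list yields one line per indexer.
parse_indexers() {
  awk -F= '$1 ~ /^[[:space:]]*server[[:space:]]*$/ {
    n = split($2, a, ",")
    for (i = 1; i <= n; i++) { gsub(/[[:space:]]/, "", a[i]); if (a[i] != "") print a[i] }
  }'
}

# Check 3: can we open a TCP connection to host:port within 3 seconds?
tcp_reachable() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Check 4: count metrics.log lines (stdin) at WARN/ERROR level or reporting a
# blocked output queue, which is what a dead tcpout connection looks like there.
metrics_problems() {
  awk '/ (WARN|ERROR) / || /group=queue.*blocked=true/ { n++ } END { print n + 0 }'
}

run_checks() {
  if alerts_read_by_splunk "$ALERTS_JSON"; then echo "[ OK ] splunk reads $ALERTS_JSON"
  else echo "[FAIL] no splunk process has $ALERTS_JSON open"; fi
  if [ ! -r "$OUTPUTS_CONF" ]; then echo "[FAIL] $OUTPUTS_CONF not readable"; return 1; fi
  for target in $(parse_indexers < "$OUTPUTS_CONF"); do
    host=${target%:*}; port=${target##*:}
    if tcp_reachable "$host" "$port"; then echo "[ OK ] $target reachable"
    else echo "[FAIL] $target unreachable: check firewall and that the indexer listens on $port"; fi
  done
  if [ -r "$METRICS_LOG" ]; then
    echo "[INFO] $(metrics_problems < "$METRICS_LOG") WARN/ERROR/blocked-queue lines in $METRICS_LOG"
  fi
}
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it on the forwarder host as `bash check_forwarder.sh --run`; a FAIL on the reachability line points at the firewall or a non-listening indexer before you reach for tcpdump.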
