Re: [ossec-list] Re: OSSEC & Splunk integration
On Thu, Apr 15, 2010 at 9:28 PM, Paul Southerington wrote:
> That sounds like Splunk's automatic sourcetype assignment. How do you have
> the data coming in? (syslog? Direct to a Splunk listening port? Or pointed
> directly to the OSSEC alerts file on the local machine?)

Sorry, only just seen this. I've got rsyslog accepting syslog traffic
from remote servers and splunk/ossec is indexing and analysing that.

> If you look in inputs.conf, or in the Manager within Splunk you should be
> able to set the sourcetype to 'ossec' there.

Cool, will give it a whirl :)

> On Thu, Apr 15, 2010 at 8:25 AM, Joel Merrick wrote:
>> On Thu, Apr 15, 2010 at 1:22 PM, Joel Merrick wrote:
>> > Well, it doesn't seem to be displaying anything...
>> >
>> > OSSEC log directory is being monitored, however sourcetype="ossec"
>> > produced nothing. Files have been indexed.
>> >
>> > Any ideas?
>>
>> Seems as though the string parsing is not right.
>>
>> splunk is setting the sourcetype to ossec-{level}
>>
>> A simple recode in the search query from
>>
>> sourcetype="ossec"
>>
>> to
>>
>> sourcetype="ossec*"
>>
>> Works.
>>
>> > On Thu, Apr 15, 2010 at 1:05 PM, Joel Merrick wrote:
>> >> I have this working now,
>> >>
>> >> I had to manually add an application, then copy the contents of the
>> >> tarball... restart.. works!
>> >>
>> >> h.t.h.

--
$ echo "kpfmAdpoofdufevq/dp/vl" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

--
To unsubscribe, reply using "remove me" as the subject.
Re: [ossec-list] Re: OSSEC & Splunk integration
That sounds like Splunk's automatic sourcetype assignment. How do you have
the data coming in? (syslog? Direct to a Splunk listening port? Or pointed
directly to the OSSEC alerts file on the local machine?)

If you look in inputs.conf, or in the Manager within Splunk you should be
able to set the sourcetype to 'ossec' there.

On Thu, Apr 15, 2010 at 8:25 AM, Joel Merrick wrote:
> On Thu, Apr 15, 2010 at 1:22 PM, Joel Merrick wrote:
> > Well, it doesn't seem to be displaying anything...
> >
> > OSSEC log directory is being monitored, however sourcetype="ossec"
> > produced nothing. Files have been indexed.
> >
> > Any ideas?
>
> Seems as though the string parsing is not right.
>
> splunk is setting the sourcetype to ossec-{level}
>
> A simple recode in the search query from
>
> sourcetype="ossec"
>
> to
>
> sourcetype="ossec*"
>
> Works.
>
> > On Thu, Apr 15, 2010 at 1:05 PM, Joel Merrick wrote:
> >> I have this working now,
> >>
> >> I had to manually add an application, then copy the contents of the
> >> tarball... restart.. works!
> >>
> >> h.t.h.
Re: [ossec-list] Re: OSSEC & Splunk integration
Did Joel's suggestion make any difference for you? If not, what version of
Splunk are you running, and is it the free license or enterprise?

On Wed, Apr 14, 2010 at 5:11 PM, uifjlh wrote:
> Paul,
>
> I seem to have some piece missing my self ? ... the search part of
> Splunk Works, and I have OSSEC Data there, from my OSSEC clients to
> the OSSEC server, (the same box as the Splunk server) ... but when I
> try the OSSEC plugin... this is the error I get.
>
> 500 Internal Server Error
>
> TypeError: 'NoneType' object is unsubscriptable
>
> This page was linked to from
> http://lcua141:8000/en-US/app/search/dashboard.
>
> Observations/pointers/suggestions welcome.
>
> Thank you very much
>
> JLH
>
> On Apr 11, 8:31 pm, Paul Southerington wrote:
> > Probably the Splunk side. I'm assuming you're using Splunk 4.x and the 4.x
> > OSSEC app. If not, ignore everything else I say... :-)
> >
> > I've actually been considering making it do that out-of-the-box. If other
> > people want that, please let me know.
> >
> > Right now, you can search on 'reporting_host' instead, or you can try the
> > following. I haven't really tested this yet, so let me know if you have
> > issues:
> >
> > 1) If the directory isn't already there, mkdir
> > /opt/splunk/etc/apps/ossec/local
> >
> > 2) Paste the following into
> > /opt/splunk/etc/apps/ossec/local/transforms.conf
> >
> > [ossec-syslog-hostoverride1]
> > # Location: (winsrvr) 10.20.30.40->WinEvtLog;
> > DEST_KEY = MetaData:Host
> > REGEX = ossec: Alert.*?Location: \((.*?)\) ([\d\.]+)->
> > FORMAT = host::$1
> >
> > [ossec-syslog-hostoverride2]
> > DEST_KEY = MetaData:Host
> > REGEX = ossec: Alert.*?Location: ([^\(\)]+)->
> > FORMAT = host::$1
> >
> > [ossec-syslog-ossecserver]
> > REGEX = \s(\S+) ossec:\s
> > FORMAT = ossec_server::$1
> >
> > 3) Paste the following into /opt/splunk/etc/apps/ossec/local/props.conf
> >
> > [ossec]
> > FIELDALIAS-ossec-server=
> > REPORT-ossecserver = ossec-syslog-ossecserver
> > TRANSFORMS-host = ossec-syslog-hostoverride1,ossec-syslog-hostoverride2
> >
> > On Wed, Apr 7, 2010 at 2:25 AM, Xavier Mertens wrote:
> > > Damn! I found the problem. I had two data-inputs created to receive syslog
> > > messages from the OSSEC server!
> > > Removed one and it works perfectly now!
> > >
> > > BTW, I'm now investigating something else: All events collected by OSSEC
> > > are coming from 'localhost' (1 source).
> > > Is there a way to extract the original hostname/IP from the OSSEC message
> > > and force Splunk to use it as the event source? I would like to have 1
> > > source host per OSSEC agent.
> > >
> > > Do I need to investigate on OSSEC or Splunk side? Any input is welcome!
> > >
> > > /x
> > >
> > > On Wed, Apr 7, 2010 at 3:09 AM, Ray Nutting wrote:
> > >> I would check your alerts.log file on your hids and make sure your agents
> > >> are reporting to the HIDS server. only your ossec server should be
> > >> configured with syslog_output forwarding to splunk. would also recommend
> > >> the following sites for further reading.
> > >> http://securityisfutile.blogspot.com
> > >> or http://splunk.com (Splunkbase web site) and grab the *splunk for ossec
> > >> app*. good luck!
> > >>
> > >> On Mon, Apr 5, 2010 at 12:45 PM, Xavier Mertens wrote:
> > >>> Hi *,
> > >>>
> > >>> I'm testing the integration of OSSEC with Splunk. I followed the
> > >>> configuration as described in the Wiki. It works!
> > >>> Splunk runs on my OSSEC server. The problem I have at the moment: only
> > >>> events generated by the server are sent to Splunk.
> > >>> I don't see any trace of events generated by the remote agents.
> > >>>
> > >>> Did I miss something in the design? ALL agents must have the
> > >>> syslog_output enabled?
> > >>>
> > >>> /x
> > >>>
> > >>> --
> > >>> My server is com
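To show what the transforms.conf stanzas quoted above actually capture, here is an added Python example; it is not code from the thread or from the Splunk-for-OSSEC app. It runs the three REGEX values against constructed OSSEC syslog_output lines (the host names, rule numbers and log paths are placeholders) and reports the host and ossec_server values the transforms would set. The `extract_fields` helper and its handling of the two host overrides in the order given in `TRANSFORMS-host`, with a later match overwriting an earlier one, are my assumptions about how Splunk applies them.

```python
import re

# The three REGEX values from the quoted transforms.conf, compiled with
# Python's re module (these patterns behave the same as in Splunk's PCRE).
HOST_OVERRIDES = [
    ("ossec-syslog-hostoverride1",
     re.compile(r"ossec: Alert.*?Location: \((.*?)\) ([\d\.]+)->")),
    ("ossec-syslog-hostoverride2",
     re.compile(r"ossec: Alert.*?Location: ([^\(\)]+)->")),
]
OSSEC_SERVER = re.compile(r"\s(\S+) ossec:\s")

# Constructed sample lines in the shape OSSEC's syslog_output produces
# (syslog timestamp, relaying host, "ossec:" tag, alert body). Host names,
# rule numbers and paths are placeholders, not real alerts.
SAMPLE_LINES = [
    # Agent alert: Location carries "(agent-name) agent-ip->logfile".
    "Apr 15 11:13:31 ossecsrv ossec: Alert Level: 7; Rule: 1002 - "
    "Unknown problem somewhere in the system.; Location: (winsrvr) "
    "10.20.30.40->WinEvtLog; srcip: 10.20.30.40;",
    # Server-local alert: Location is just "hostname->logfile", no parentheses.
    "Apr 15 11:13:32 ossecsrv ossec: Alert Level: 3; Rule: 1002 - "
    "Unknown problem somewhere in the system.; Location: ossecsrv->"
    "/var/log/messages;",
    # Non-alert line from the same source: no "Alert" or Location at all.
    "Apr 15 11:13:33 ossecsrv ossec: ossec-analysisd started.",
]


def extract_fields(line, syslog_host):
    """Mimic the props/transforms stanzas on one event (assumed semantics).

    syslog_host is the host Splunk assigned from the syslog input (the
    'localhost' Xavier saw on every event). TRANSFORMS-host lists the two
    overrides in order; this models Splunk applying them in sequence, with
    a later match overwriting an earlier one. If neither matches, the
    host from the input is kept.
    """
    fields = {"host": syslog_host, "ossec_server": None, "matched": None}
    m = OSSEC_SERVER.search(line)
    if m:
        fields["ossec_server"] = m.group(1)
    for name, regex in HOST_OVERRIDES:
        m = regex.search(line)
        if m:
            fields["host"] = m.group(1)
            fields["matched"] = name
    return fields


def run_samples(syslog_host="localhost"):
    """Apply extract_fields to every constructed sample line."""
    return [extract_fields(line, syslog_host) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for line, fields in zip(SAMPLE_LINES, run_samples()):
        print(f"host={fields['host']:<10} via {fields['matched'] or 'syslog input':<26} "
              f"ossec_server={fields['ossec_server']}  | {line[:55]}...")
```

Two points worth checking before relying on this in production: these are index-time transforms, so they only affect events indexed after the configuration is loaded, and events already in the index keep their `localhost` host. Second, the host value now comes from the content of the alert rather than from the syslog connection, so the `ossec_server` field is the one that still tells you which server actually relayed the event; keep both when building searches.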
Re: [ossec-list] Re: OSSEC & Splunk integration
On Thu, Apr 15, 2010 at 1:22 PM, Joel Merrick wrote:
> Well, it doesn't seem to be displaying anything...
>
> OSSEC log directory is being monitored, however sourcetype="ossec"
> produced nothing. Files have been indexed.
>
> Any ideas?

Seems as though the string parsing is not right.

splunk is setting the sourcetype to ossec-{level}

A simple recode in the search query from

sourcetype="ossec"

to

sourcetype="ossec*"

Works.

> On Thu, Apr 15, 2010 at 1:05 PM, Joel Merrick wrote:
>> I have this working now,
>>
>> I had to manually add an application, then copy the contents of the
>> tarball... restart.. works!
>>
>> h.t.h.
Re: [ossec-list] Re: OSSEC & Splunk integration
I have this working now,

I had to manually add an application, then copy the contents of the
tarball... restart.. works!

h.t.h.
Re: [ossec-list] Re: OSSEC & Splunk integration
Well, it doesn't seem to be displaying anything...

OSSEC log directory is being monitored, however sourcetype="ossec"
produced nothing. Files have been indexed.

Any ideas?

On Thu, Apr 15, 2010 at 1:05 PM, Joel Merrick wrote:
> I have this working now,
>
> I had to manually add an application, then copy the contents of the
> tarball... restart.. works!
>
> h.t.h.
Re: [ossec-list] Re: OSSEC & Splunk integration
On Thu, Apr 15, 2010 at 12:09 PM, Joel Merrick wrote:
> On Wed, Apr 14, 2010 at 10:11 PM, uifjlh wrote:
>> Paul,
>>
>> I seem to have some piece missing my self ? ... the search part of
>> Splunk Works, and I have OSSEC Data there, from my OSSEC clients to
>> the OSSEC server, (the same box as the Splunk server) ... but when I
>> try the OSSEC plugin... this is the error I get.
>>
>> 500 Internal Server Error
>>
>> TypeError: 'NoneType' object is unsubscriptable
>
> I'm having the same issue.
>
> The application was uploaded via a tarball, not via the HTTP interface
> (firewall restrictions). Followed readme.
>
> Also I'm using an SSH tunnel to connect to port 8000... although
> everything else works fine, can't imagine this is the issue.
>
> I've also tried the .conf files mentioned in the earlier thread.
>
> Any ideas?

Traceback from log..

2010-04-15 11:13:31,610 WARNING [4bc6f4dada8cdefac] view:170 - "ossec" app does not have a navigation configuration file defined.
2010-04-15 11:13:31,612 ERROR [4bc6f4dada8cdefac] view:183 - 'NoneType' object is unsubscriptable
Traceback (most recent call last):
  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/controllers/view.py", line 178, in getAppNav
    navDefinition = et.XML(navDefinition['eai:data'], parser)
TypeError: 'NoneType' object is unsubscriptable
2010-04-15 11:13:31,614 INFO [4bc6f4dada8cdefac] _cplogging:55 - [15/Apr/2010:11:13:31] HTTP Request Headers:
REFERER: http://127.0.0.1:8000/en-US/app/launcher/home
HOST: 127.0.0.1:8000
ACCEPT: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
ACCEPT-CHARSET: ISO-8859-1,utf-8;q=0.7,*;q=0.3
USER-AGENT: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/533.3 (KHTML, like Gecko) Chrome/5.0.365.0 Safari/533.3
CONNECTION: keep-alive
COOKIE: session_id_8000=5fb669c5532f94c5559209e1cd2541340d1f9334
Remote-Addr: 127.0.0.1
ACCEPT-LANGUAGE: en-US,en;q=0.8
ACCEPT-ENCODING: gzip,deflate,sdch
2010-04-15 11:13:31,619 DEBUG [4bc6f4dada8cdefac] _cplogging:55 - [15/Apr/2010:11:13:31] HTTP Traceback (most recent call last):
  File "/opt/splunk/lib/python2.6/site-packages/cherrypy/_cprequest.py", line 606, in respond
    cherrypy.response.body = self.handler()
  File "/opt/splunk/lib/python2.6/site-packages/cherrypy/_cpdispatch.py", line 25, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/routes.py", line 307, in default
    return route.target(self, **kw)
  File "", line 1, in
  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 38, in rundecs
    return fn(*a, **kw)
  File "", line 1, in
  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 93, in check
    return fn(self, *a, **kw)
  File "", line 1, in
  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 141, in validate_ip
    return fn(self, *a, **kw)
  File "", line 1, in
  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 276, in preform_sso_check
    return fn(self, *a, **kw)
  File "", line 1, in
  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 309, in check_login
    return fn(self, *a, **kw)
  File "", line 1, in
  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 330, in handle_exceptions
    return fn(self, *a, **kw)
  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/controllers/view.py", line 779, in appDispatcher
    nav, defaultView = self.getAppNav(app, views)
  File "/opt/splunk/lib/python2.6/site-packages/splunk/appserver/mrsparkle/controllers/view.py", line 178, in getAppNav
    navDefinition = et.XML(navDefinition['eai:data'], parser)
TypeError: 'NoneType' object is unsubscriptable

I'm using Debian Lenny, latest splunk (4.1) and latest ossec (2.4).

Reading the changelogs, they say it's only been tested with OSSEC v1.6.1 and
OSSEC v2.0 - something must have changed.
Re: [ossec-list] Re: OSSEC & Splunk integration
On Wed, Apr 14, 2010 at 10:11 PM, uifjlh wrote:
> Paul,
>
> I seem to have some piece missing my self ? ... the search part of
> Splunk Works, and I have OSSEC Data there, from my OSSEC clients to
> the OSSEC server, (the same box as the Splunk server) ... but when I
> try the OSSEC plugin... this is the error I get.
>
> 500 Internal Server Error
>
> TypeError: 'NoneType' object is unsubscriptable

I'm having the same issue.

The application was uploaded via a tarball, not via the HTTP interface
(firewall restrictions). Followed readme.

Also I'm using an SSH tunnel to connect to port 8000... although
everything else works fine, can't imagine this is the issue.

I've also tried the .conf files mentioned in the earlier thread.

Any ideas?