Re: [ossec-list] Re: splunk and ossec

2017-07-20 Thread Paul Southerington
Those dashboards are keyed off of an eventtype. Modifying that eventtype is the easiest approach. Either add the index to it through the GUI, or create a file at /opt/splunk/etc/apps/ossec/local/eventtypes.conf with the following: [ossec] search = index=ossec (sourcetype=ossec* NOT

Re: [ossec-list] OSSEC Splunk or other RHEL option?

2014-08-04 Thread Paul Southerington
In terms of comparison, the OSSEC app and the PCI app for Splunk are intended to be very different things. It looks like the PCI app is meant to cover as much of the PCI requirements as possible, and it knows about the actual PCI requirements themselves. It looks like maybe it also some asset

Re: [ossec-list] Syslog output to Splunk

2014-06-20 Thread Paul Southerington
Assuming you're using the OSSEC app for Splunk, it's probably indexing the local alerts file. You don't actually need to configure the syslog output on the OSSEC side if both are on the same server and you want to capture everything. But since you want to limit the data coming in, you can use

Re: [ossec-list] Old Splunk for OSSEC app - format issues...

2013-09-09 Thread Paul Southerington
It's a bit counterintuitive, but use of the Splunk output format in ossec.conf isn't recommended right now if you're using the Splunk for OSSEC app. That format was added in an ossec patch long after the app was written, and it usually isn't needed. The preferred approach is either to capture

Re: [ossec-list] Re: Forwarding Old Syslogs to SPLUNK

2013-03-15 Thread Paul Southerington
You can put a Splunk Universal Forwarder on the OSSEC server and have it monitor the alerts.log file directly. In this scenario Splunk is getting its data from the alerts file directly, so you would want to remove your syslog_output configuration in ossec.conf. That gives you reliable TCP

Re: [ossec-list] Use OSSEC to monitor a Splunk server's indexes/logs for tampering

2012-08-09 Thread Paul Southerington
OSSEC won't be able to effectively monitor Splunk's or warm indexes; you are correct that these files are always changing. Also, the process is more akin to database compaction than simple file growth, so you can't just look at file size or additions to the end of the file. Cold and Frozen

Re: [ossec-list] WinEventLog:Security events

2012-02-01 Thread Paul Southerington
I think you have the wrong mailing list. :-) This is for OSSEC - if you have Splunk questions, try http://splunk-base.splunk.com/answers/ On Wed, Feb 1, 2012 at 3:04 PM, biciunas p...@biciunas.com wrote: I'm running a Splunk 4.2.5 server on CentOS. On a Win2k3 server I've installed

Re: Re : Re : [ossec-list] unable to run data collection

2011-02-17 Thread Paul Southerington
. # [_local] AGENT_CONTROL = /var/ossec/bin/agent_control -l MANAGE_AGENTS = /var/ossec/bin/manage_agents Regards, John From: Paul Southerington sout...@gmail.com To: ossec-list@googlegroups.com Sent on: Tue 15 February 2011, 19:56:07

Re: [ossec-list] unable to run data collection

2011-02-15 Thread Paul Southerington
That error is coming from the OSSEC plugin to Splunk, rather than from OSSEC itself. It means that something went wrong when Splunk tried to run ossec_agent_control to get the list of agents and their connected/disconnected status. The most likely thing is that you need to either remove 'sudo'

Re: [ossec-list] OSSEC Windows agent runs for awhile and then stops

2011-01-07 Thread Paul Southerington
It sounds like an issue in syscheck somewhere. If you turn syscheck off temporarily, does the problem go away? Also, you might look for exceedingly long directory entries, or entries for directories that don't actually exist. Syscheck on Windows can also have issues if you don't have at

Re: [ossec-list] Has anyone seen spikes of high CPU usage with the 2.3 Windows Agent?

2010-09-27 Thread Paul Southerington
We saw this in a test deployment at one point - I'm not sure of the version number at the time, but 2.3 sounds about right. Upgrading to 2.4 resolved it for us. On Fri, Sep 24, 2010 at 9:51 AM, Jason Mantor jman...@gmail.com wrote: I have found a couple of machines where OSSEC and other

Re: [ossec-list] Re: OSSEC Splunk integration

2010-04-15 Thread Paul Southerington
://lcua141:8000/en-US/app/search/dashboard. Observations/pointers/suggestions welcome. Thank you very much JLH On Apr 11, 8:31 pm, Paul Southerington sout...@gmail.com wrote: Probably the Splunk side. I'm assuming you're using Splunk 4.x and the 4.x OSSEC app. If not, ignore everything

Re: [ossec-list] Re: OSSEC Splunk integration

2010-04-15 Thread Paul Southerington
That sounds like Splunk's automatic sourcetype assignment. How do you have the data coming in? (syslog? Direct to a Splunk listening port? Or pointed directly to the OSSEC alerts file on the local machine?) If you look in inputs.conf, or in the Manager within Splunk you should be able to set the

Re: [ossec-list] OSSEC Splunk integration

2010-04-12 Thread Paul Southerington
Probably the Splunk side. I'm assuming you're using Splunk 4.x and the 4.x OSSEC app. If not, ignore everything else I say... :-) I've actually been considering making it do that out-of-the-box. If other people want that, please let me know. Right now, you can search on 'reporting_host'

Re: [ossec-list] Re: What happened to the Splunk App?

2010-01-05 Thread Paul Southerington
Also, make sure you're using the latest version of Splunk. 4.0.6 had a couple of issues with some of the saved searches. On Sun, Jan 3, 2010 at 9:46 AM, Dave S dsty...@comcast.net wrote: Thanks all. I'll give it a try. Although I find myself torn between the two systems. Splunk is a killer

Re: [ossec-list] Re: splunk ossec app

2009-11-30 Thread Paul Southerington
be able to download it from? Thank you On Nov 23, 1:31 pm, Paul Southerington sout...@gmail.com wrote: Are you running Splunk version 3 or 4? The OSSEC app for Splunk 3 seems to have disappeared from Splunk's site. I'm working on a Splunk 4 app, which I hope to release within the week

Re: [ossec-list] splunk ossec app

2009-11-23 Thread Paul Southerington
Are you running Splunk version 3 or 4? The OSSEC app for Splunk 3 seems to have disappeared from Splunk's site. I'm working on a Splunk 4 app, which I hope to release within the week. If you would like me to send you an in-progress version, send me a note off-list -- I'd love to get your

[ossec-list] Re: OSSEC via Splunk

2008-11-21 Thread Paul Southerington
This might get you started (extract under /opt/splunk/etc/apps): http://www.southerington.com/projects/splunk/ossec/ossec.tgz If you're using syslog, it looks like you won't get the categories anyway. Automatic event tagging is doable (see the tgz file), but I'm not sure you can easily