On Apr 11, 7:31 pm, Paul Southerington sout...@gmail.com wrote:
snip
I've actually been considering making it do that out-of-the-box. If other
people want that, please let me know.
Right now, you can search on 'reporting_host' instead, or you can try the
following. I haven't really tested
On Thu, Apr 15, 2010 at 9:28 PM, Paul Southerington sout...@gmail.com wrote:
That sounds like Splunk's automatic sourcetype assignment. How do you have
the data coming in? (syslog? Direct to a Splunk listening port? Or pointed
directly to the OSSEC alerts file on the local machine?)
Sorry,
On Thu, Apr 15, 2010 at 12:09 PM, Joel Merrick joel.merr...@gmail.com wrote:
On Wed, Apr 14, 2010 at 10:11 PM, uifjlh joel.hueb...@gmail.com wrote:
Paul,
I seem to have some piece missing myself? ... the search part of
Splunk works, and I have OSSEC data there, from my OSSEC clients to
Well, it doesn't seem to be displaying anything...
OSSEC log directory is being monitored, however sourcetype=ossec
produced nothing. Files have been indexed.
Any ideas?
On Thu, Apr 15, 2010 at 1:05 PM, Joel Merrick joel.merr...@gmail.com wrote:
I have this working now,
I had to manually add
On Thu, Apr 15, 2010 at 1:22 PM, Joel Merrick joel.merr...@gmail.com wrote:
Well, it doesn't seem to be displaying anything...
OSSEC log directory is being monitored, however sourcetype=ossec
produced nothing. Files have been indexed.
Any ideas?
Seems as though the string parsing is not
Did Joel's suggestion make any difference for you?
If not, what version of Splunk are you running, and is it the free license
or enterprise?
On Wed, Apr 14, 2010 at 5:11 PM, uifjlh joel.hueb...@gmail.com wrote:
Paul,
I seem to have some piece missing myself? ... the search part of
That sounds like Splunk's automatic sourcetype assignment. How do you have
the data coming in? (syslog? Direct to a Splunk listening port? Or pointed
directly to the OSSEC alerts file on the local machine?)
If you look in inputs.conf, or in the Manager within Splunk you should be
able to set the
Paul,
I seem to have some piece missing myself? ... the search part of
Splunk works, and I have OSSEC data there, from my OSSEC clients to
the OSSEC server (the same box as the Splunk server) ... but when I
try the OSSEC plugin, this is the error I get.
500 Internal Server Error
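Paul's advice above is to pin the sourcetype in inputs.conf so that Splunk's automatic sourcetype assignment does not give the OSSEC alerts some other name, which is what makes a search for `sourcetype=ossec` (and the app's dashboards that run it) come back empty. The stanza below is an added example and is not from this thread or from the Splunk for OSSEC app itself; the file path is OSSEC's default alerts log and the stanza header and attribute names are standard Splunk inputs.conf syntax, but the path and the choice to monitor that single file are assumptions for a setup where the OSSEC manager runs on the Splunk box.

```ini
# inputs.conf (constructed example): monitor the OSSEC manager's alerts log
# and force the sourcetype so the Splunk for OSSEC app's searches match.
# The path is OSSEC's default alerts log; adjust it if the manager was
# installed elsewhere (assumption, not taken from the thread).
[monitor:///var/ossec/logs/alerts/alerts.log]
sourcetype = ossec
disabled = false
```

Splunk reads inputs.conf at startup, so restart splunkd after editing it. Sourcetype is assigned at index time: events that were already indexed under the automatically chosen name keep it, so `sourcetype=ossec` will only match alerts ingested after the change; to see what name the earlier events got, search the same file with `source="/var/ossec/logs/alerts/alerts.log"` and look at the sourcetype field. The same stanza can be created through Manager in the Splunk web UI, which is the other route Paul mentions.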