It's a bit counterintuitive, but use of the "Splunk" output format in
ossec.conf isn't recommended right now if you're using the Splunk for OSSEC
app.  That format was added in an ossec patch long after the app was
written, and it usually isn't needed. The preferred approach is either to
capture /var/log/alerts using the Splunk universal forwarder, or to use the
syslog format.

Could you email me off-list directly with a screenshot showing some of the
issues and/or some sample records?

Also, be sure that the sourcetype field is showing up correctly -- for
syslog the sourcetype value should be showing up as just "ossec";  if
that's not right none of the other stuff will be.
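
What the Splunk for OSSEC app reads when it monitors the alerts file directly is
OSSEC's own multi-line alerts.log format, where a syscheck alert raised with
report_changes carries its diff as extra lines of the same record. The parser
below is an added example (not code from the app, from OSSEC, or from anyone in
this thread) that splits such a file into records and pulls out the fields,
diff included, so a file-monitored copy and a syslog-delivered copy of the same
alert can be compared field by field. It assumes the OSSEC 2.x alerts.log
layout; the two sample records and every name in it (Alert, parse_alerts,
SAMPLE_ALERTS and so on) are constructed for the example.

```python
"""Parse OSSEC's native alerts.log records (the multi-line format under
/var/ossec/logs/alerts/ that the Splunk for OSSEC app monitors) into fields.
Added example: layout follows OSSEC 2.x alerts.log, the sample records are
constructed, and every name here is this example's own, not OSSEC's or the app's."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Header: "** Alert <epoch>.<seq>:[ mail] - <group>,<group>,..."
ALERT_HEADER = re.compile(
    r"^\*\* Alert (?P<ts>\d+)\.(?P<seq>\d+):(?P<mail> mail)? +- (?P<groups>.*)$")
# Origin, agent form "2013 Sep 09 11:40:00 (agent01) 10.0.0.5->/var/log/auth.log"
# or manager-local form "2013 Sep 09 11:40:00 manager->/var/log/auth.log"
ORIGIN = re.compile(
    r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<agent_ip>\S+)|(?P<host>\S+))->(?P<location>.*)$")
# Rule: "Rule: 5716 (level 5) -> 'SSHD authentication failed.'"
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
FIELD_PREFIXES = {"Src IP: ": "src_ip", "Dst IP: ": "dst_ip", "User: ": "user"}
DIFF_MARKER = "What changed:"  # introduces the report_changes diff in a syscheck alert

# Constructed sample: an sshd alert from an agent, then a syscheck alert that
# carries a report_changes diff (the multi-line tail that has to survive ingestion).
SAMPLE_ALERTS = """\
** Alert 1378744800.12345: - syslog,sshd,authentication_failed,
2013 Sep 09 11:40:00 (agent01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: root
Sep  9 11:40:00 agent01 sshd[1234]: Failed password for root from 192.0.2.10 port 5555 ssh2

** Alert 1378744805.67890: - ossec,syscheck,
2013 Sep 09 11:40:05 (agent01) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Old md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'
New md5sum is : '9e107d9d372bb6826bd81d3542a419d6'
What changed:
3c3
< daemon:x:2:2:daemon:/sbin:/sbin/nologin
---
> daemon:x:0:0:daemon:/sbin:/bin/bash
"""


@dataclass
class Alert:
    alert_id: str
    groups: List[str]
    date: str
    agent: str                  # agent name, or manager hostname for local alerts
    location: str
    rule_id: int
    level: int
    description: str
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    user: Optional[str] = None
    log_lines: List[str] = field(default_factory=list)
    diff: Optional[str] = None  # report_changes diff text, if present


def split_records(text: str) -> List[List[str]]:
    """Group lines into records, each starting at a '** Alert' header. Blank
    separators are dropped; diff lines ('< x', '> y', '---', '3c3') are never blank."""
    records: List[List[str]] = []
    for line in text.splitlines():
        if line.startswith("** Alert "):
            records.append([line])
        elif records and line.strip():
            records[-1].append(line)
    return records


def parse_alert(lines: List[str]) -> Alert:
    """Parse one record: header, origin, rule, optional decoded fields, body."""
    if len(lines) < 3:
        raise ValueError("record too short: %r" % lines)
    h, o, r = ALERT_HEADER.match(lines[0]), ORIGIN.match(lines[1]), RULE.match(lines[2])
    if not (h and o and r):
        raise ValueError("unrecognised record layout: %r" % lines[:3])
    alert = Alert(alert_id="%s.%s" % (h["ts"], h["seq"]),
                  groups=[g for g in h["groups"].split(",") if g],
                  date=o["date"], agent=o["agent"] or o["host"], location=o["location"],
                  rule_id=int(r["rule"]), level=int(r["level"]), description=r["desc"])
    body = lines[3:]
    while body:  # decoded "Src IP:"/"Dst IP:"/"User:" lines precede the raw log
        for prefix, attr in FIELD_PREFIXES.items():
            if body[0].startswith(prefix):
                setattr(alert, attr, body[0][len(prefix):])
                break
        else:
            break
        body = body[1:]
    if DIFF_MARKER in body:  # keep the diff as one text blob, separate from the log
        k = body.index(DIFF_MARKER)
        alert.diff, body = "\n".join(body[k + 1:]), body[:k]
    alert.log_lines = body
    return alert


def parse_alerts(text: str) -> List[Alert]:
    """Parse a whole alerts.log buffer."""
    return [parse_alert(rec) for rec in split_records(text)]


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(a.alert_id, a.rule_id, a.level, a.agent, a.location, a.src_ip, a.user)
        if a.diff:
            print(a.diff)
```

Run it against a copy of your own alerts.log (read the file and pass the text
to parse_alerts) and compare the src_ip, user and diff values it recovers with
the fields Splunk shows for the same alert_id on the remote indexer; a record
that parses here but arrives field-less or diff-less over syslog points at the
transport format rather than at the app's extractions.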



On Mon, Sep 9, 2013 at 11:40 AM, Janelle <[email protected]> wrote:

> I wonder if anyone else has seen this:
>
> Run OSSEC Manager and Splunk on the same server - everything works perfectly,
> and in fact, when you install "Splunk for OSSEC" app (although dated, still
> works fine) - it reads the data perfectly and no issues with formats. In
> fact, you don't even have to do anything to Splunk, since the APP is
> already configured to monitor the /var/ossec/logs/alerts file(s) and
> related logs.
>
> BUT -- if you set up Splunk on a different server than the OSSEC Manager,
> and use the suggested configuration for sending output to that Splunk
> server with a remote syslog connection on a port (for example, 10002) with a
> format of "Splunk" - then the Splunk for OSSEC app does NOT read the data
> correctly. You end up with weird double time/date stamps, missing fields of
> the original SRC and DEST and other weird errors.  If you change the output
> format to "Syslog" instead of "Splunk" it is just as bad. And one important
> difference -- if you are using "report_changes" for critical files - in the
> first example, the "diffs" show up in Splunk just fine, but in the 2nd
> example - no matter what format you choose - the diffs no longer appear.
>
> Just wondering if anyone else is using Splunk and the Splunk for OSSEC app
> or just raw Splunk with your own apps and seeing any strange formatting
> errors like this?
>
> I wonder whatever happened to the original "Splunk for OSSEC" authors and
> why it has not been updated in a couple of years?
>
> Oh, and this is OSSEC 2.7 (and 2.7.1-beta) with Splunk 5.0.x
>
> Any help would be appreciated - I tried posting in the Splunk forums, but
> no response there.
>
> ~J
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
