[ossec-list] Re: OSSEC via Splunk

2008-11-25 Thread shadejinx
Man, you Splunk guys are on the ball. Nice, I'll try that search, but it doesn't look efficient enough to run in near real time, especially when parsing the uselessly verbose Windows event logs. On Nov 23, 4:27 am, Raffy <[EMAIL PROTECTED]> wrote: > > Excellent question, and the answer is twofol

[ossec-list] Re: OSSEC via Splunk

2008-11-23 Thread Raffy
> Excellent question, and the answer is twofold.  One, Splunk is not an > automatic event correlator.  It can't do the "If you see this event 10 > times in 20 minutes, followed by this event, throw this flag" thing > automatically.  (Even though "Transaction Types" is getting close, > it's still n

[ossec-list] Re: OSSEC via Splunk

2008-11-21 Thread Paul Southerington
--- > From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of > shadejinx > Sent: Thursday, November 20, 2008 4:24 PM > To: ossec-list; Dave Cushing > Subject: [ossec-list] Re: OSSEC via Splunk > > How do you get Splunk to parse the "categories" like &g

[ossec-list] Re: OSSEC via Splunk

2008-11-21 Thread Dave Cushing
ginal Message- From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of shadejinx Sent: Thursday, November 20, 2008 4:24 PM To: ossec-list; Dave Cushing Subject: [ossec-list] Re: OSSEC via Splunk How do you get Splunk to parse the "categories" like local,windows,authent

[ossec-list] Re: OSSEC via Splunk

2008-11-21 Thread Sebastien Tricaud
Hello, | | My question: Is there a way to get a more machine readable output to | feed something like Splunk or swatch? Could this be a wishlist | feature? | I wrote the Prelude code in OSSEC which transforms the data structure into IDMEF (rfc 4765). This IDMEF is normalized

[ossec-list] Re: OSSEC via Splunk

2008-11-20 Thread shadejinx
How do you get Splunk to parse the "categories" like local,windows,authentication_failure, etc? I wrote a report transform, but because there's no defined structure to these tags I can't quite get all the information I want. I'm looking for automatic event tagging using the OSSEC tags, but can't

[ossec-list] Re: OSSEC via Splunk

2008-11-20 Thread Dave Cushing
I use OSSEC and Splunk and find the output quite readable. The difference is that I use the OSSEC server to send syslog to the Splunk server rather than having it parse the files. For the few servers that I have been testing OSSEC on (about 10), the output has been easy to parse for the