Hi,
I have a Windows and Linux environment using OSSEC.
I have puppet within the linux environment (https://forge.puppetlabs.com/jgazeley/ossec) .
When this puppet module imports the agent, it assigns a value for id. I believe that because this value is:
ID: 007f0101, Name: xxxxxxxxxxxx.xxxxxxxxx.com, IP: xxx.xxx.xxx.xxx, Active
Splunk does not populate this client when parsing the output of agent_control -l
I was wondering if someone knew where in the python script this value is set so I can play around to see if I can get it to work.
Shane
If it's showing in the raw Splunk data, but not extracting the field, try adding the following block to $SPLUNK_HOME/etc/apps/ossec/local/transforms.conf:
[ossec_agent_control]
REGEX=ID: (\S+), Name: ([^\s,]+).*?, IP: (.*?), (.*)
FORMAT=agent_id::$1 reporting_host::$2 src_ip::$3 status::$4
You may also need to make changes in pyOSSEC.py itself. That module was written with the assumption of base-10, numeric IDs, but from a quick look the only place that's actually a coded dependency is when adding a new agent (circa line 535).
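To see what the transforms.conf stanza in the answer above actually extracts, here is an added example (not code from the Splunk OSSEC app, pyOSSEC, or either poster) that applies the same REGEX and FORMAT to a few constructed agent_control -l lines with Python's re module. The hostnames, IPs and IDs are made up, the FORMAT parsing is a minimal approximation of how Splunk maps $N groups to field names, and the is_base10_id check only illustrates which IDs a base-10 assumption like the one described for pyOSSEC would reject; it does not reproduce pyOSSEC's own code.

```python
import re

# REGEX and FORMAT copied from the transforms.conf stanza in the answer.
TRANSFORM_REGEX = r"ID: (\S+), Name: ([^\s,]+).*?, IP: (.*?), (.*)"
TRANSFORM_FORMAT = "agent_id::$1 reporting_host::$2 src_ip::$3 status::$4"

# Constructed sample lines in the shape of `agent_control -l` output
# (values are invented; the second line mimics the puppet-assigned hex ID).
SAMPLE_LINES = [
    "   ID: 001, Name: web01.example.com, IP: 10.0.0.11, Active",
    "   ID: 007f0101, Name: puppet-node.example.com, IP: 10.0.0.12, Active",
    "   ID: 002, Name: db01.example.com, IP: any, Disconnected",
    "OSSEC HIDS agent_control. List of available agents:",
]


def parse_format(fmt):
    """Turn 'field::$N field::$M ...' into a list of (field_name, group_number).

    This is a deliberately small approximation of Splunk's FORMAT handling,
    enough for the stanza above.
    """
    pairs = []
    for token in fmt.split():
        name, ref = token.split("::")
        pairs.append((name, int(ref.lstrip("$"))))
    return pairs


def extract_fields(line, regex=TRANSFORM_REGEX, fmt=TRANSFORM_FORMAT):
    """Apply the transform to one line; return a dict of fields or None if no match."""
    match = re.search(regex, line)
    if not match:
        return None
    return {name: match.group(num) for name, num in parse_format(fmt)}


def parse_agent_list(lines):
    """Run the transform over every line, keeping only agent entries."""
    return [fields for fields in (extract_fields(l) for l in lines) if fields]


def is_base10_id(agent_id):
    """True if the ID would survive a plain base-10 conversion (assumption: a
    str.isdigit()-style check stands in for whatever pyOSSEC does with int())."""
    return agent_id.isdigit()


if __name__ == "__main__":
    for agent in parse_agent_list(SAMPLE_LINES):
        flag = "" if is_base10_id(agent["agent_id"]) else "  (non-base-10 ID)"
        print(agent, flag)
```

The regex does not care whether the ID is decimal or hex, which is why the field extraction works for the 007f0101 agent; only code that later converts agent_id to an integer would need the change the answer mentions.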
This worked!!
Thanks.