I think this is a simple one, but I'm stuck. Just upgraded to latest version of Splunk for OSSEC. Given sample entry like so:
2011-04-26T23:58:06-07:00 my_ossec ossec: Alert Level: 3; Rule: 5502 - Login session closed.; Location:...
In Splunk, rather than showing up with ossec_server or host = my_ossec, these fields are assigned the hostname of the Splunk server. I checked that I have inputs configured properly, but it doesn't work. I also can't get the host overrides to work. There's one that will let me assign host to origin server of the event, but this does not work as expected. Any clues?
First, do your indexed events show up with the correct sourcetype of ossec
?
What version of the app did you upgrade from? If you upgraded from 1.0, you many need to check ossec/local/transforms.conf
and ossec/local/props.conf
, and clear out any left-over entries that may affect those fields.
In particular, the field extractions changed in 1.1, since most users wanted host
mapped to the endpoint computer instead of the OSSEC server as in 1.0.
The normal behavior in 1.1 is:
host
contains the name of the ossec agent/client machine, extracted dynamically at index timereporting_host
is an alias of hostossec_server
is extracted at search timeIf you want to preserve the old behavior, you'll need to copy in the settings from ossec/samples/props.conf
. Depending on your setup, you may also need to set the following in props.conf:
TRANSFORMS-host = syslog-host