All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk assigning Splunk hostname as ossec_server

toddmichael
Engager
‎04-27-2011 12:28 AM

I think this is a simple one, but I'm stuck. Just upgraded to latest version of Splunk for OSSEC. Given sample entry like so:

2011-04-26T23:58:06-07:00 my_ossec ossec: Alert Level: 3; Rule: 5502 - Login session closed.; Location:...

In Splunk, rather than showing up with ossec_server or host = my_ossec, these fields are assigned the hostname of the Splunk server. I checked that I have inputs configured properly, but it doesn't work. I also can't get the host overrides to work. There's one that will let me assign host to origin server of the event, but this does not work as expected. Any clues?

Reply

southeringtonp
Motivator
‎04-28-2011 09:46 AM

First, do your indexed events show up with the correct sourcetype of ossec ?

What version of the app did you upgrade from? If you upgraded from 1.0, you many need to check ossec/local/transforms.conf and ossec/local/props.conf, and clear out any left-over entries that may affect those fields.

In particular, the field extractions changed in 1.1, since most users wanted host mapped to the endpoint computer instead of the OSSEC server as in 1.0.

The normal behavior in 1.1 is:

  • host contains the name of the ossec agent/client machine, extracted dynamically at index time
  • reporting_host is an alias of host
  • ossec_server is extracted at search time

If you want to preserve the old behavior, you'll need to copy in the settings from ossec/samples/props.conf. Depending on your setup, you may also need to set the following in props.conf:

TRANSFORMS-host = syslog-host
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...