I have a working Splunk 4.2.1 server and I added Splunk for OSSEC 1.1.84 to it. I send the data from the OSSEC server over via syslog on UDP514. Splunk sees the data but nothing gets populated into the OSSEC dashboards. I edited the inputs.conf file for OSSEC so that it will only use UDP514. When I do a sourcetype=ossec* all I see are the old ossec_agent_control messages sources. The OSSEC messages are of type syslog.
How do I get it to populate the OSSEC dashboards?
thx
It sounds like your OSSEC events are not being correctly sourcetyped. Anything OSSEC alerts coming in via syslog need to have a sourcetype of ossec
. The simplest thing would be to edit your input and explicitly set the sourcetype to ossec
:
manual
.Note that this will set the sourcetype for all data coming in on port 514/udp. If you have other syslog events coming in, the simplest thing is to set up a separate port for OSSEC (port 10002 is a common choice).
Alternately, you could set up a transform to override the sourcetype for matching events.
That answer explained and it fixed my problem. thank you