All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk for OSSEC not working from a Remote OSSEC Server

swbradley1
Explorer
‎05-26-2011 07:11 AM

I have a working Splunk 4.2.1 server and I added Splunk for OSSEC 1.1.84 to it. I send the data from the OSSEC server over via syslog on UDP514. Splunk sees the data but nothing gets populated into the OSSEC dashboards. I edited the inputs.conf file for OSSEC so that it will only use UDP514. When I do a sourcetype=ossec* all I see are the old ossec_agent_control messages sources. The OSSEC messages are of type syslog.

How do I get it to populate the OSSEC dashboards?

thx

0 Karma
Reply

southeringtonp
Motivator
‎06-14-2011 08:11 AM

It sounds like your OSSEC events are not being correctly sourcetyped. Anything OSSEC alerts coming in via syslog need to have a sourcetype of ossec. The simplest thing would be to edit your input and explicitly set the sourcetype to ossec:

  • Go into the Manager
  • Go to Data Inputs -> UDP
  • Click on port 514
  • From the 'Set sourcetype' dropdown, choose manual.
  • In the box, type ossec
  • Click Save.

Note that this will set the sourcetype for all data coming in on port 514/udp. If you have other syslog events coming in, the simplest thing is to set up a separate port for OSSEC (port 10002 is a common choice).

Alternately, you could set up a transform to override the sourcetype for matching events.

Reply

swbradley1
Explorer
‎06-22-2011 11:20 AM

That answer explained and it fixed my problem. thank you

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...