I have remote OSSEC servers successfully sending messages to Splunk as well as a local OSSEC server. When I look at the events, all appears fine. However, when I go to the Splunk for OSSEC dashboard, if I select all servers I see the events from the remote server and the local one, but I can't select the specific remote server. My only options are the local server or all servers. How do I let Splunk know about the additional server(s) so they show up in the list?
For your OSSEC events, what server name shows up in the ossec_server field?
How is Splunk getting data from OSSEC (is it reading alerts.log, or taking it in via syslog)?
Which sourcetype do your OSSEC events have (should be ossec or ossec_alerts)?
Are OSSEC and Splunk on the same server?
The dropdown box is populated based on a lookup table, and the lookup table is generated based on the value of ossec_server in individual events. So you need to make sure that your events have the correct value in that field.
Also, if you make changes be sure to rebuild the lookup table: Searches & Reports -> Utility -> OSSEC - Rebuild OSSEC Server Lookup Table.
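One way to check what the lookup will be built from, as an added example that is not part of the answer above: the searches below assume the sourcetype names mentioned in this thread (ossec and ossec_alerts) and that the field is called ossec_server; the name of the lookup file itself is not given on this page, so it is not referenced here. The first search shows which Splunk host value each OSSEC server's events arrive under (hostname versus IP address) and which ossec_server value they end up with; the second isolates events where ossec_server was never populated, which are exactly the events that will not be tied to any entry in the dropdown.

```spl
sourcetype=ossec OR sourcetype=ossec_alerts
| fillnull value="(missing)" ossec_server
| stats count by host, ossec_server

sourcetype=ossec OR sourcetype=ossec_alerts
| where isnull(ossec_server)
| stats count min(_time) as first_seen max(_time) as last_seen by host, sourcetype
```

If the first search shows a remote server's events arriving with an IP address in host while the server is listed by hostname, that is the mismatch to resolve before rebuilding the lookup table; rerun both searches afterwards and confirm the "(missing)" row is gone.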
I noticed that eventually after putting the name of my server (which was in the hosts file) into the ossecservers.conf file, the server name would show up but had no events associated with it. I could only get the events to be tied to a server by putting in the IP address in ossecservers.conf. Is there some way around this issue?