Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Remote OSSEC servers not showing up in ossec dashboard server dropdown

claytonknorr
New Member
‎08-02-2012 07:29 AM

I have remote OSSEC servers successfully sending messages to splunk as well as a local OSSEC server. When I look at the events, all appears fine. However, when I go to the Splunk for OSSEC dashboard, if I select all servers I see the events from the remote server and the local one but I can't select the specific remote server. My only options are the local server or all servers. How do I let splunk know about the additional server(s) so they show up in the list?

Tags (1)
0 Karma
Reply

southeringtonp
Motivator
‎08-09-2012 07:55 AM

A few questions...

  • For your OSSEC events, what server name shows up in the ossec_server field?
  • How is Splunk getting data from OSSEC (is it reading alerts.log, or taking it in via syslog)?
    • Which sourcetype do your OSSEC events have (should be ossec or ossec_alerts)
    • Are OSSEC and Splunk on the same server?

The dropdown box is populated based on a lookup table, and the lookup table is generated based on the value of ossec_server in individual events. So you need to make sure that your events have the correct value in that field.

Also, if you make changes be sure to rebuild the lookup table: Searches & Reports -> Utility -> OSSEC - Rebuild OSSEC Server Lookup Table.

0 Karma
Reply

claytonknorr
New Member
‎08-02-2012 01:11 PM

I noticed that eventually after putting the name of my server (which was in the hosts file) into the ossec_serers.conf file, the server name would show up but had no events associated with it. I could only get the events to be tied to a server by putting in the IP address in ossec_servers.conf. Is there some way around this issue?

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...