I've had both services running on the save Ubuntu 10.04 server for about a week. OSSEC is cooking along gathering information. And SPLUNK is happily displaying this data for easy quick high level viewing.

I did switch SPLUNK to the "free" license.

For days & days I've had good data. @ around noon yesterday, it started to taper DOWN...

06-18-2010 05:59:55.073 INFO Metrics - group=per_source_thruput, series="udp:10002", kbps=2.371535, eps=3.741935, kb=73.517578 host=lcua141 Options| sourcetype=splunkd Options| source=/opt/splunk/var/log/splunk/metrics.log Options

I noticed today @ 6am data stopped. This was the last entry...

6/18/10 6:00:26.048 AM
06-18-2010 06:00:26.048 INFO Metrics - group=per_source_thruput, series="udp:10002", kbps=2.371220, eps=4.258065, kb=73.507812 host=lcua141 Options| sourcetype=splunkd Options| source=/opt/splunk/var/log/splunk/metrics.log Options

I'll start by looking at this splunk log...

Any suggestions/ideas appreciated!

Thank you!

JLH