Splunk Enterprise Security

Forwarder not parsing Ossec logs correctly


Hi all,

We have our ossec logs from servers being sent to a forwarder and then the forwarder to indexer. On the forwarder, sourcetype is configured as ossec_alerts

In search results, the source host shows as the forwarder and not the actual server it comes from. The actual server name shows up right next to the date/time but not as a parsed field. EG:

2020/03/20 17:23:00 srv-01 SOURCE=forwarder

Any ideas?

0 Karma
Get Updates on the Splunk Community!

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...