Splunk Enterprise Security

Forwarder not parsing Ossec logs correctly


Hi all,

We have our ossec logs from servers being sent to a forwarder and then the forwarder to indexer. On the forwarder, sourcetype is configured as ossec_alerts

In search results, the source host shows as the forwarder and not the actual server it comes from. The actual server name shows up right next to the date/time but not as a parsed field. EG:

2020/03/20 17:23:00 srv-01 SOURCE=forwarder

Any ideas?

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!