Splunk Enterprise Security

Forwarder not parsing Ossec logs correctly


Hi all,

We have our ossec logs from servers being sent to a forwarder and then the forwarder to indexer. On the forwarder, sourcetype is configured as ossec_alerts

In search results, the source host shows as the forwarder and not the actual server it comes from. The actual server name shows up right next to the date/time but not as a parsed field. EG:

2020/03/20 17:23:00 srv-01 SOURCE=forwarder

Any ideas?

0 Karma
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...