Splunk Enterprise Security

OSSEC-sent Windows and Linux logs are not correctly indexed

banaie
Path Finder

Hi all,
I use the Splunk forwarder to read OSSEC alert logs and index them in Splunk. I'm using all the latest versions. But it only saves the OSSEC logs as raw events and no fields are extracted! As the OSSEC add-on is old, is there any way to make it work with new OSSEC versions so that the Windows and Linux logs sent through the forwarder are correctly indexed?
Thanks

0 Karma

banaie
Path Finder

I found out that the problem was caused by the AlienVault system I am using. It changes the log format to a customized format. I solved it with a new transforms.conf file that I modified. A sample log was as follows:

AV - Alert - "1592305529" --> RID: "18103"; RL: "5"; RG: "windows,system_error,"; RC: "Windows error event."; USER: "SQL Server Distributed Replay Client"; SRCIP: "None"; HOSTNAME: "(risab) 192.168.9.1->WinEvtLog"; LOCATION: "(risab) 192.168.9.1->WinEvtLog"; EVENT: "[INIT]2020 Jun 16 15:35:25 WinEvtLog: System: ERROR(10016): DCOM: SQL Server Distributed Replay Client: NT SERVICE: E-Learn: application-specific Local Activation {6DF8CB71-153B-4C66-8FC4-E59301B8011B} {961AD749-64E9-4BD5-BCC8-ECE8BA0E241F} NT SERVICE SQL Server Distributed Replay Client S-1-5-80-3249811479-2167633679-2115734285-1138413726-166979568 LocalHost (Using LRPC) Unavailable Unavailable [END]";

I put the whole message from the "EVENT" field into a separate field. However, it is a standard Windows event log. Is there any way I can use that field to create a new log in the Windows sourcetype, so that Splunk_TA_windows extracts the fields?

Thanks

0 Karma

woodcock
Esteemed Legend

In order for the Field Extractions to work:
1: The sourcetype you used in inputs.conf must match the one used in the app's props.conf.
2: You need to deploy the TA to BOTH your Indexer and your Search Head and restart all Splunk instances there.
3: Your data format must match what is expected by the app. You can manually test by pasting your raw event data and the app's regular expressions to a site like RegEx101.com.

woodcock
Esteemed Legend

Yes, a restart of the Search Head should not be necessary.

0 Karma

richgalloway
SplunkTrust

Yes, there is a way to do that. Edit the props.conf file for the ossec add-on to better extract fields. Be sure to put your changes in local/props.conf.

---
If this reply helps you, Karma would be appreciated.
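The original poster did not share the transforms.conf that worked, so the following is an added example (mine, not the poster's, AlienVault's or the OSSEC add-on's code). It does the two things the replies above ask for: it tests the extraction regexes against the raw sample event before deploying them, as woodcock's point 3 recommends, and it renders the local/props.conf stanza richgalloway refers to from those same regexes, so what gets deployed is exactly what was tested. It parses both layers of the sample: the AlienVault wrapper (RID, RL, RG, RC, USER, SRCIP, HOSTNAME, LOCATION, EVENT) and the OSSEC agent WinEvtLog line carried inside EVENT. Assumptions: the field names (rule_id, rule_level, and so on) are my own choice; the sourcetype name ossec_av_alert is a placeholder that must match inputs.conf; the inner layout "Channel: Level(EventID): Source: User: Domain: Computer: Message" is inferred from the sample line, so verify it against a few more WinEvtLog alerts; the EXTRACT class names are chosen so av_alert sorts before winevt, because the second extraction reads the event field produced by the first.

```python
import re
from typing import Optional

# Constructed sample: the AlienVault-reformatted OSSEC alert from the post,
# with the Windows event payload wrapped in [INIT] ... [END].
SAMPLE_AV_ALERT = (
    'AV - Alert - "1592305529" --> RID: "18103"; RL: "5"; '
    'RG: "windows,system_error,"; RC: "Windows error event."; '
    'USER: "SQL Server Distributed Replay Client"; SRCIP: "None"; '
    'HOSTNAME: "(risab) 192.168.9.1->WinEvtLog"; '
    'LOCATION: "(risab) 192.168.9.1->WinEvtLog"; '
    'EVENT: "[INIT]2020 Jun 16 15:35:25 WinEvtLog: System: ERROR(10016): DCOM: '
    'SQL Server Distributed Replay Client: NT SERVICE: E-Learn: '
    'application-specific Local Activation '
    '{6DF8CB71-153B-4C66-8FC4-E59301B8011B} {961AD749-64E9-4BD5-BCC8-ECE8BA0E241F} '
    'NT SERVICE SQL Server Distributed Replay Client '
    'S-1-5-80-3249811479-2167633679-2115734285-1138413726-166979568 '
    'LocalHost (Using LRPC) Unavailable Unavailable [END]";'
)

# Outer layer: the AlienVault wrapper. Field names are my choice (assumption),
# not names used by AlienVault or OSSEC. EVENT is matched lazily up to [END]
# because the payload may itself contain quotes.
AV_ALERT_RE = re.compile(
    r'^AV - Alert - "(?P<alert_time>\d+)" --> '
    r'RID: "(?P<rule_id>\d+)"; RL: "(?P<rule_level>\d+)"; '
    r'RG: "(?P<rule_groups>[^"]*)"; RC: "(?P<rule_description>[^"]*)"; '
    r'USER: "(?P<user>[^"]*)"; SRCIP: "(?P<src_ip>[^"]*)"; '
    r'HOSTNAME: "(?P<hostname>[^"]*)"; LOCATION: "(?P<location>[^"]*)"; '
    r'EVENT: "\[INIT\](?P<event>.*?)\[END\]"'
)

# Inner layer: the OSSEC agent WinEvtLog line inside EVENT. The order
# "Channel: Level(EventID): Source: User: Domain: Computer: Message" is
# inferred from the sample (assumption). The message may contain colons,
# so it is matched last and greedily.
WINEVT_RE = re.compile(
    r'^(?P<win_time>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) WinEvtLog: '
    r'(?P<channel>[^:]+): (?P<level>[A-Z]+)\((?P<event_id>\d+)\): '
    r'(?P<source>[^:]+): (?P<event_user>[^:]+): (?P<domain>[^:]+): '
    r'(?P<computer>[^:]+): (?P<message>.*)$'
)


def parse_av_alert(line: str) -> Optional[dict]:
    """Parse one AlienVault-wrapped OSSEC alert; None if the line does not match."""
    m = AV_ALERT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # "windows,system_error," has a trailing comma; drop the empty element.
    fields["rule_groups"] = [g for g in fields["rule_groups"].split(",") if g]
    fields["event"] = fields["event"].strip()
    return fields


def parse_winevt(event: str) -> Optional[dict]:
    """Parse the OSSEC WinEvtLog payload carried in the EVENT field."""
    m = WINEVT_RE.match(event.strip())
    return m.groupdict() if m else None


def parse_alert_full(line: str) -> Optional[dict]:
    """Outer wrapper plus, when EVENT is a WinEvtLog line, the Windows fields."""
    fields = parse_av_alert(line)
    if fields is None:
        return None
    win = parse_winevt(fields["event"])
    if win:
        fields.update(win)
    return fields


def to_pcre(pattern: str) -> str:
    """Python (?P<name>...) groups to the (?<name>...) form used in Splunk PCRE."""
    return pattern.replace("(?P<", "(?<")


def props_stanza(sourcetype: str = "ossec_av_alert") -> str:
    """Render a local/props.conf stanza from the same regexes the tests exercise.

    The sourcetype name is a placeholder (assumption): it must equal the
    sourcetype set in inputs.conf. The second class uses Splunk's
    "EXTRACT-<class> = <regex> in <field>" form on the event field that the
    first class produces.
    """
    return (
        f"[{sourcetype}]\n"
        f"EXTRACT-av_alert = {to_pcre(AV_ALERT_RE.pattern)}\n"
        f"EXTRACT-winevt = {to_pcre(WINEVT_RE.pattern)} in event\n"
    )


if __name__ == "__main__":
    for key, value in parse_alert_full(SAMPLE_AV_ALERT).items():
        print(f"{key}: {value}")
    print()
    print(props_stanza())
```

Run it once per new alert shape you see from AlienVault; a None from parse_av_alert means the wrapper changed and the props.conf regex would silently extract nothing, which is exactly the symptom in the original question. Note that the Windows-layer fields come out of this extraction rather than from Splunk_TA_windows, because the OSSEC agent's "WinEvtLog:" line is not the format that add-on expects.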