Splunk Enterprise Security

OSSEC-sent Windows and Linux logs are not correctly indexed

banaie
Path Finder

Hi all,
I use the Splunk forwarder to read OSSEC alert logs and index them in Splunk. I'm using all the latest versions. But it only saves OSSEC logs as raw events and no fields are extracted! As the OSSEC add-on is old, is there any way to make it work with new OSSEC versions so that the Windows and Linux logs sent via the forwarder are indexed correctly?
Thanks

0 Karma

banaie
Path Finder

I found out that the problem was caused by the AlienVault system I am using. It changes the log format to a customized one. I solved it with a new transforms.conf file that I modified myself. A sample log looks like this:

AV - Alert - "1592305529" --> RID: "18103"; RL: "5"; RG: "windows,system_error,"; RC: "Windows error event."; USER: "SQL Server Distributed Replay Client"; SRCIP: "None"; HOSTNAME: "(risab) 192.168.9.1->WinEvtLog"; LOCATION: "(risab) 192.168.9.1->WinEvtLog"; EVENT: "[INIT]2020 Jun 16 15:35:25 WinEvtLog: System: ERROR(10016): DCOM: SQL Server Distributed Replay Client: NT SERVICE: E-Learn: application-specific Local Activation {6DF8CB71-153B-4C66-8FC4-E59301B8011B} {961AD749-64E9-4BD5-BCC8-ECE8BA0E241F} NT SERVICE SQL Server Distributed Replay Client S-1-5-80-3249811479-2167633679-2115734285-1138413726-166979568 LocalHost (Using LRPC) Unavailable Unavailable [END]";

I extracted the whole message in the "Event" field into a separate field. However, it is a standard Windows event log entry. Is there any way I can use that field to create a new log in the Windows sourcetype, so that Splunk_TA_windows can extract the fields?

Thanks

0 Karma
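A small parser for the AlienVault-reformatted alert quoted above, as an added example (it is not from the thread, the OSSEC add-on or Splunk_TA_windows). It splits the outer `KEY: "value";` pairs, then splits the inner WinEvtLog text on OSSEC's `log: level(id): source: user: domain: computer: message` layout, which is the piece that would need to be re-emitted as its own event for the Windows extractions to apply. The sample line is the one from the post; the field names are my own.

```python
import re

# Constructed sample: the AlienVault-reformatted OSSEC alert quoted in the post above.
SAMPLE = ('AV - Alert - "1592305529" --> RID: "18103"; RL: "5"; RG: "windows,system_error,"; '
          'RC: "Windows error event."; USER: "SQL Server Distributed Replay Client"; SRCIP: "None"; '
          'HOSTNAME: "(risab) 192.168.9.1->WinEvtLog"; LOCATION: "(risab) 192.168.9.1->WinEvtLog"; '
          'EVENT: "[INIT]2020 Jun 16 15:35:25 WinEvtLog: System: ERROR(10016): DCOM: SQL Server '
          'Distributed Replay Client: NT SERVICE: E-Learn: application-specific Local Activation '
          '{6DF8CB71-153B-4C66-8FC4-E59301B8011B} {961AD749-64E9-4BD5-BCC8-ECE8BA0E241F} '
          'NT SERVICE SQL Server Distributed Replay Client '
          'S-1-5-80-3249811479-2167633679-2115734285-1138413726-166979568 LocalHost (Using LRPC) '
          'Unavailable Unavailable [END]";')

# Outer layout: 'AV - Alert - "<epoch>" --> ' followed by KEY: "value"; pairs.
# Values in the sample contain no double quotes, so [^"]* is enough here.
HEADER_RE = re.compile(r'^AV - Alert - "(?P<ts>\d+)" --> (?P<rest>.*)$', re.S)
PAIR_RE = re.compile(r'(?P<key>[A-Z]+): "(?P<val>[^"]*)";')

# Inner layout (OSSEC Windows agent): [INIT]<time> WinEvtLog: <log>: <LEVEL>(<id>):
# <source>: <user>: <domain>: <computer>: <message>[END]
WINEVT_RE = re.compile(
    r'^\[INIT\](?P<time>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) WinEvtLog: '
    r'(?P<channel>[^:]+): (?P<level>[A-Z_]+)\((?P<event_id>\d+)\): (?P<source>[^:]+): '
    r'(?P<user>[^:]+): (?P<domain>[^:]+): (?P<computer>[^:]+): (?P<message>.*?)\s*\[END\]$',
    re.S)


def parse_av_alert(line):
    """Return the outer alert fields (lower-cased keys) or None if not an AV alert."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {'alert_time': m.group('ts')}
    fields.update({k.lower(): v for k, v in PAIR_RE.findall(m.group('rest'))})
    return fields


def parse_winevt(event_text):
    """Split the embedded WinEvtLog text into its fields, or None if it is not one."""
    m = WINEVT_RE.match(event_text)
    return m.groupdict() if m else None


def parse(line):
    """Parse an AV alert; when its EVENT is a Windows event, attach it under 'winevt'."""
    fields = parse_av_alert(line)
    if fields and 'event' in fields:
        inner = parse_winevt(fields['event'])
        if inner:
            fields['winevt'] = inner
    return fields
```

Re-emitting `fields['event']` without the `[INIT]`/`[END]` markers gives the plain `WinEvtLog: ...` line that the Windows extractions expect to see as a whole event.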

woodcock
Esteemed Legend

In order for the Field Extractions to work:
1: The sourcetype you used in inputs.conf must match the one used in the app's props.conf.
2: You need to deploy the TA to BOTH your Indexer and your Search Head and restart all Splunk instances there.
3: Your data format must match what is expected by the app. You can manually test by pasting your raw event data and the app's regular expressions into a site like RegEx101.com.

woodcock
Esteemed Legend

Yes, a restart of the Search Head should not be necessary.

0 Karma

richgalloway
SplunkTrust

Yes, there is a way to do that. Edit the props.conf file for the ossec add-on to better extract fields. Be sure to put your changes in local/props.conf.

---
If this reply helps you, Karma would be appreciated.