Hi all,
I use the Splunk forwarder to read OSSEC alert logs and index them on Splunk. I'm using all the latest versions. But it only saves the OSSEC logs as raw events and no field is extracted! As the OSSEC add-on is old, is there any way to make it work with new OSSEC versions to correctly index the Windows and Linux logs that are sent using the forwarder?
TNX
I found out that the problem was because of the AlienVault system I am using. It changes the log format to a customized format. I solved it using a new transforms.conf file that I managed to modify. A sample log was as follows:
AV - Alert - "1592305529" --> RID: "18103"; RL: "5"; RG: "windows,system_error,"; RC: "Windows error event."; USER: "SQL Server Distributed Replay Client"; SRCIP: "None"; HOSTNAME: "(risab) 192.168.9.1->WinEvtLog"; LOCATION: "(risab) 192.168.9.1->WinEvtLog"; EVENT: "[INIT]2020 Jun 16 15:35:25 WinEvtLog: System: ERROR(10016): DCOM: SQL Server Distributed Replay Client: NT SERVICE: E-Learn: application-specific Local Activation {6DF8CB71-153B-4C66-8FC4-E59301B8011B} {961AD749-64E9-4BD5-BCC8-ECE8BA0E241F} NT SERVICE SQL Server Distributed Replay Client S-1-5-80-3249811479-2167633679-2115734285-1138413726-166979568 LocalHost (Using LRPC) Unavailable Unavailable [END]";
I put the whole message from the "Event" field into a separate field. However, it is a standard Windows event log. Is there any way I can use that field to create a new event in the Windows sourcetype, so I can use Splunk_TA_windows for extracting the fields?
Thanks
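As an added illustration (not the poster's transforms.conf and not part of the OSSEC add-on), the two-stage extraction the post describes, done in plain Python so it can be checked offline: first the AlienVault wrapper (`KEY: "value";` pairs) is split into fields, then the inner `EVENT` value is parsed as an OSSEC WinEvtLog line. The sample is the alert quoted in the post; the positional meaning of the fields after the event ID (source, user, domain, hostname, message) is assumed from OSSEC's WinEvtLog layout.

```python
import re

# The alert quoted in the post, embedded inline as sample input.
SAMPLE = (
    'AV - Alert - "1592305529" --> RID: "18103"; RL: "5"; RG: "windows,system_error,"; '
    'RC: "Windows error event."; USER: "SQL Server Distributed Replay Client"; SRCIP: "None"; '
    'HOSTNAME: "(risab) 192.168.9.1->WinEvtLog"; LOCATION: "(risab) 192.168.9.1->WinEvtLog"; '
    'EVENT: "[INIT]2020 Jun 16 15:35:25 WinEvtLog: System: ERROR(10016): DCOM: '
    'SQL Server Distributed Replay Client: NT SERVICE: E-Learn: application-specific Local '
    'Activation {6DF8CB71-153B-4C66-8FC4-E59301B8011B} {961AD749-64E9-4BD5-BCC8-ECE8BA0E241F} '
    'NT SERVICE SQL Server Distributed Replay Client '
    'S-1-5-80-3249811479-2167633679-2115734285-1138413726-166979568 LocalHost (Using LRPC) '
    'Unavailable Unavailable [END]";'
)

# Stage 1: AlienVault wrapper. Epoch timestamp, then `KEY: "value";` pairs. The value is
# matched non-greedily up to a `";` that is followed by the next KEY or the end of line, so
# a stray `";` inside a value does not split a pair.
HEADER_RE = re.compile(r'^AV - Alert - "(?P<timestamp>\d+)" --> (?P<body>.*)$')
PAIR_RE = re.compile(r'(?P<key>[A-Z]+): "(?P<value>.*?)";(?= [A-Z]+: "|$)')

# Stage 2: the OSSEC WinEvtLog line inside EVENT. Field order after the event ID
# (source, user, domain, hostname, message) is assumed from OSSEC's WinEvtLog format.
WINEVT_RE = re.compile(
    r'^\[INIT\](?P<date>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) WinEvtLog: '
    r'(?P<channel>[^:]+): (?P<level>[A-Z]+)\((?P<event_id>\d+)\): (?P<source>[^:]+): '
    r'(?P<user>[^:]+): (?P<domain>[^:]+): (?P<hostname>[^:]+): (?P<message>.*)\[END\]$'
)


def parse_av_alert(line):
    """Return the wrapper fields (lower-cased keys) of one AlienVault-formatted OSSEC alert."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an AlienVault-wrapped OSSEC alert")
    fields = {"timestamp": int(m.group("timestamp"))}
    for pair in PAIR_RE.finditer(m.group("body")):
        fields[pair.group("key").lower()] = pair.group("value")
    return fields


def parse_winevt(event):
    """Split an OSSEC WinEvtLog string into Windows event fields; None if it is not one."""
    m = WINEVT_RE.match(event)
    if not m:
        return None
    d = m.groupdict()
    d["event_id"] = int(d["event_id"])
    d["message"] = d["message"].strip()
    return d


if __name__ == "__main__":
    alert = parse_av_alert(SAMPLE)
    print(alert["rid"], alert["hostname"])
    print(parse_winevt(alert["event"]))
```

The same two regular expressions are what a transforms.conf REGEX/FORMAT pair would carry; testing them here (or on a site like RegEx101) against a real raw event is the quickest way to see why the add-on's stock extractions do not fire on the wrapped format.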
In order for the Field Extractions to work:
1: The sourcetype you used in inputs.conf must match the one used in the app's props.conf.
2: You need to deploy the TA to BOTH your Indexer and your Search Head and restart all splunk instances there.
3: Your data format must match what is expected by the app. You can manually test by pasting your raw event data and the app's regular expressions to a site like RegEx101.com.
Yes, a restart of the Search Head should not be necessary.
Yes, there is a way to do that. Edit the props.conf file for the ossec add-on to better extract fields. Be sure to put your changes in local/props.conf.