I think this is a simple one, but I'm stuck. I just upgraded to the latest version of Splunk for OSSEC. Given a sample entry like so:
2011-04-26T23:58:06-07:00 my_ossec ossec: Alert Level: 3; Rule: 5502 - Login session closed.; Location:...
In Splunk, rather than showing up with ossec_server or host = my_ossec, these fields are assigned the hostname of the Splunk server. I checked that I have inputs configured properly, but it doesn't work. I also can't get the host overrides to work. There's one that will let me assign host to the origin server of the event, but this does not work as expected. Any clues?
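As an added illustration (not part of the question above, and not the Splunk for OSSEC app's own configuration), this is the general shape of an index-time host override in Splunk: a props.conf stanza for the sourcetype points at a transforms.conf stanza that captures the hostname token from the raw event and writes it into the host metadata field. The sourcetype name "ossec" and the stanza names are assumptions; the regex is written for the sample line format shown in the post.

```ini
# props.conf (assumed sourcetype name "ossec"; adjust to the sourcetype the input actually assigns)
[ossec]
TRANSFORMS-sethost = ossec_host_override

# transforms.conf
# Capture the second whitespace-delimited token of the raw event as the host.
# Sample line: 2011-04-26T23:58:06-07:00 my_ossec ossec: Alert Level: 3; Rule: 5502 - ...
# Group 1 matches "my_ossec"; the literal "ossec:" anchor keeps unrelated events untouched.
[ossec_host_override]
DEST_KEY = MetaData:Host
REGEX = ^\S+\s+(\S+)\s+ossec:
FORMAT = host::$1
```

Two things to check when an override like this appears to do nothing: index-time transforms run where events are parsed (an indexer or heavy forwarder, not a universal forwarder), so the files must live on that tier and the instance must be restarted; and the props.conf stanza must match the sourcetype that the input actually assigns, which can be confirmed by searching the events and inspecting the sourcetype field before troubleshooting the regex.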