First, do your indexed events show up with the correct sourcetype of ossec?
What version of the app did you upgrade from? If you upgraded from 1.0, you may need to check ossec/local/transforms.conf and ossec/local/props.conf, and clear out any left-over entries that may affect those fields.
In particular, the field extractions changed in 1.1, since most users wanted host mapped to the endpoint computer instead of the OSSEC server as in 1.0.
The normal behavior in 1.1 is:
host contains the name of the ossec agent/client machine, extracted dynamically at index time
reporting_host is an alias of host
ossec_server is extracted at search time
If you want to preserve the old behavior, you'll need to copy in the settings from ossec/samples/props.conf. Depending on your setup, you may also need to set the following in props.conf:
TRANSFORMS-host = syslog-host
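As an added illustration (not from the answer above or the OSSEC app itself), here is how the two host-mapping behaviours described in the answer look as Splunk index-time overrides; the [ossec] stanza name, the ossec-agent-host transform name and the sample alert line are assumptions.

```ini
# ossec/local/props.conf (assumed stanza name; adjust to your sourcetype)
[ossec]
# 1.1-style behaviour: host = the OSSEC agent named in the alert
# (assumed custom transform defined below)
TRANSFORMS-host = ossec-agent-host
# 1.0-style behaviour: host = the syslog sender, i.e. the OSSEC server,
# via Splunk's built-in syslog-host transform. Use one or the other, not both.
# TRANSFORMS-host = syslog-host

# ossec/local/transforms.conf
# Constructed sample line the regex below is written against (not a real alert):
#   Jan  1 00:00:00 ossecserver ossec: Alert Level: 3; Rule: 5501 - Login session opened.; Location: (agent01) 10.0.0.5->/var/log/auth.log
[ossec-agent-host]
# capture the agent name in parentheses after "Location:" and write it to host
REGEX = Location:\s+\(([^)]+)\)
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

Index-time settings only apply to events indexed after the change (and after a restart), so check the result on fresh events, for example with `sourcetype=ossec | stats count by host, reporting_host, ossec_server`.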