Hi,

Can you give some details/examples on "logs not getting parsed properly" ? We have the same combination you mentioned and so far it has served well. The app "Reporting and Management for OSSEC" has some transforms/field extractions which we need for custom dashboards, whereas "Splunk add-on for OSSEC" does a good job for CIM compatibility of OSSEC data, so we use both in different capacity.

Thanks,

~ Abhi

Abhi
Are you passing in the same data twice once via
"Splunk Add-on for OSSEC" and also via "Reporting and Management for OSSEC"

Do you feed the same data into splunk twice ?

Once into the ossec event type via syslog and the "Splunk Add-on for OSSEC"
and then a second time via "Reporting and Management for OSSEC"

For example№3 log that not parsed:

Jan  4 14:56:14 172.16.9.25 Jan  4 14:55:22 %host_name% ossec: Alert Level: 7; Rule: 2932 - New Yum package installed.; Location: %host_name%->/var/log/messages; classification:  syslog,yum,config_changed,; Jan  4 14:55:21 srv25sec yum[23540]: Installed: kernel-3.10.0-693.11.1.el7.x86_64

This part not parsed in field

Installed: kernel-3.10.0-693.11.1.el7.x86_64

Bump! Up!

Have you had any success ?

I'm experiencing a similar issue using "Splunk Add-on for OSSEC"
events are received by splunk and some fields are extracted to the CIM but fields like the
src and src_user are not.

This causes a number of alerts/ dashboards to report the in Splunk ES to report the system and the as unknown.

Also, did u use format log - splunk? it's not helped me, but change a little parsing of logs.

<syslog_output>
  <server>10.0.0.1</server>
  <port>514</port>
  <format>splunk</format>
</syslog_output>

U can use: default, cef, splunk, json

For example№2 log that not parsed:

classification: syslog,attacks,; srcip: %ip% user: - ; 2017 Dec 07 13:03:16 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: %username% %dns_name% %host_name% An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-21-1877622112-2052110481-2879200121-1111 Account Name: %username% Account Domain: %dns_name% Logon ID: 0x9b1473a Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: NIZHYN Source Network Address: %ip% Source Port: 50149 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed.

It's field body and there is useful information like %username%,

Microsoft-Windows-Security-Auditing: %username%

but it not parsed in fields.

I need some times for it 🙂

Anyway, can you help with understanding some OSSEC logs as:

• How to see all possible signatures?
  Coz, I can only by stats count by signature and it's not okay

• Where can I get information about Alert level?
  https://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/rule-levels.html it is?

For example№1 log that not parsed:

Jan  6 05:27:24 172.16.9.25 Jan  6 05:27:00 %hostname% ossec: Alert Level: 3; Rule: 516 - System Audit event.; Location: (%hostname%) %ip%->rootcheck; classification:  ossec,rootcheck,; System Audit: SSH Hardening - 9: Wrong Maximum number of authentication attempts {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 9 .

• What another PCI DSS requirements monitoring OSSEC?
• And what the Reference: 9 and Hardening - 9:? What it mean? It's a same aka numeric?

Where I can get information about it and what I need to know? What I must have need to know?
I need some share experience, some advice if you can 🙂