Splunk Enterprise Security

OSSEC-sent Windows and Linux logs are not correctly indexed

banaie
Path Finder

Hi all,
I use the Splunk forwarder to read OSSEC alert logs and index them on Splunk. I'm using all the latest versions. But it only saves OSSEC logs as raw events and no field is extracted! As the OSSEC add-on is old, is there any way to make it work with new OSSEC versions to correctly index Windows and Linux logs that are sent using the forwarder?
TNX


banaie
Path Finder

I found out that the problem was because of the AlienVault system I am using. It changes the log format to a customized format. I solved it using a new transforms.conf file that I managed to modify. A sample log was as follows:

AV - Alert - "1592305529" --> RID: "18103"; RL: "5"; RG: "windows,system_error,"; RC: "Windows error event."; USER: "SQL Server Distributed Replay Client"; SRCIP: "None"; HOSTNAME: "(risab) 192.168.9.1->WinEvtLog"; LOCATION: "(risab) 192.168.9.1->WinEvtLog"; EVENT: "[INIT]2020 Jun 16 15:35:25 WinEvtLog: System: ERROR(10016): DCOM: SQL Server Distributed Replay Client: NT SERVICE: E-Learn: application-specific Local Activation {6DF8CB71-153B-4C66-8FC4-E59301B8011B} {961AD749-64E9-4BD5-BCC8-ECE8BA0E241F} NT SERVICE SQL Server Distributed Replay Client S-1-5-80-3249811479-2167633679-2115734285-1138413726-166979568 LocalHost (Using LRPC) Unavailable Unavailable [END]";

I put the whole message from the "Event" field into a separate field. However, it is a standard, relevant Windows event log. Is there any way that I can use that field to create a new log in the Windows sourcetype, so that I can use Splunk_TA_windows for extracting the fields?

Thanks

woodcock
Esteemed Legend

In order for the Field Extractions to work:
1: The sourcetype you used in inputs.conf must match the one used in the app's props.conf.
2: You need to deploy the TA to BOTH your Indexer and your Search Head and restart all Splunk instances there.
3: Your data format must match what is expected by the app. You can manually test by pasting your raw event data and the app's regular expressions to a site like RegEx101.com.
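
Worked example, added here and not code from the thread, from the OSSEC add-on or from AlienVault: a Python script that applies the two-stage extraction banaie describes (AlienVault envelope first, then the embedded WinEvtLog record) to the sample line quoted above, and does woodcock's step 3 offline by reporting which raw lines a candidate regex fails to match. The envelope pattern, the assumed WinEvtLog field layout (channel, level, event id, source, user, domain, computer, message), the second plain-OSSEC line and the transforms.conf stanza in the comments are all assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the AlienVault-wrapped OSSEC alert quoted in the thread
# (host names, GUIDs and SID are the thread's own example values).
SAMPLE_ALERT = (
    'AV - Alert - "1592305529" --> RID: "18103"; RL: "5"; '
    'RG: "windows,system_error,"; RC: "Windows error event."; '
    'USER: "SQL Server Distributed Replay Client"; SRCIP: "None"; '
    'HOSTNAME: "(risab) 192.168.9.1->WinEvtLog"; '
    'LOCATION: "(risab) 192.168.9.1->WinEvtLog"; '
    'EVENT: "[INIT]2020 Jun 16 15:35:25 WinEvtLog: System: ERROR(10016): DCOM: '
    'SQL Server Distributed Replay Client: NT SERVICE: E-Learn: '
    'application-specific Local Activation '
    '{6DF8CB71-153B-4C66-8FC4-E59301B8011B} {961AD749-64E9-4BD5-BCC8-ECE8BA0E241F} '
    'NT SERVICE SQL Server Distributed Replay Client '
    'S-1-5-80-3249811479-2167633679-2115734285-1138413726-166979568 '
    'LocalHost (Using LRPC) Unavailable Unavailable [END]";'
)

# Constructed: an un-wrapped OSSEC alerts.log header, i.e. a line the AlienVault
# pattern must NOT match (the "raw event, no fields" symptom from the question).
PLAIN_OSSEC_LINE = '** Alert 1592305529.40217: - windows,system_error,'

# Stage 1: AlienVault envelope = epoch alert time, then `KEY: "value";` pairs.
# Hypothetical transforms.conf equivalent of AV_PAIR (not from the thread):
#   [av_ossec_kv]
#   REGEX  = ([A-Z]+): "(.*?)";
#   FORMAT = $1::$2
#   MV_ADD = true
AV_ENVELOPE = re.compile(r'^AV - Alert - "(?P<alert_time>\d+)" --> (?P<pairs>.*)$')
AV_PAIR = re.compile(r'(?P<key>[A-Z]+): "(?P<value>.*?)";')

# Stage 2: the EVENT payload. Field order is assumed from the sample:
# [INIT]<time> WinEvtLog: <channel>: <LEVEL>(<id>): <source>: <user>: <domain>: <computer>: <message> [END]
WINEVT = re.compile(
    r'^\[INIT\](?P<event_time>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) WinEvtLog: '
    r'(?P<channel>[^:]+): (?P<level>[A-Z]+)\((?P<event_id>\d+)\): '
    r'(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<computer>[^:]+): '
    r'(?P<message>.*?) ?\[END\]$'
)


def parse_av_alert(line):
    """Return the extracted fields for one AlienVault/OSSEC line, or None when
    the line does not match (the case Splunk would index as a bare raw event)."""
    m = AV_ENVELOPE.match(line.strip())
    if not m:
        return None
    fields = dict(AV_PAIR.findall(m.group("pairs")))
    epoch = int(m.group("alert_time"))
    fields["alert_time_utc"] = datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()
    # Second-stage extraction: the EVENT value is a normal OSSEC WinEvtLog record,
    # so its Windows-specific fields can be pulled out without a second sourcetype.
    inner = WINEVT.match(fields.get("EVENT", ""))
    if inner:
        fields["win"] = inner.groupdict()
    return fields


def check_coverage(lines, pattern=AV_ENVELOPE):
    """Offline version of 'paste the raw event and the app's regex into a tester':
    returns the raw lines that the pattern fails to match."""
    return [line for line in lines if not pattern.match(line.strip())]


if __name__ == "__main__":
    for key, value in parse_av_alert(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
    print("unmatched:", check_coverage([SAMPLE_ALERT, PLAIN_OSSEC_LINE]))
```

Running the script prints every extracted field, including the nested Windows fields, and lists the plain OSSEC line as unmatched; that second list is the quick way to see, before touching props.conf on the indexer, whether a regex actually fits the format the forwarder delivers.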

woodcock
Esteemed Legend

Yes, a restart of the Search Head should not be necessary.


richgalloway
SplunkTrust

Yes, there is a way to do that. Edit the props.conf file for the OSSEC add-on to better extract fields. Be sure to put your changes in local/props.conf.

---
If this reply helps you, an upvote would be appreciated.