Refine your search:

How to integrate OSSEC with Splunk.

0

I am abit new to Splunk. I have setup the ossec server with: 6.7.8.9 10002

using the IP of the SPLUNK server. I have successfully installed the Ossec APP, it is not geting any data into Splunk when i look at the dashboard, what other configuration am i missing?

asked 27 Apr '10, 21:34

azimzores's gravatar image

azimzores
111
accept rate: 0%

2 Answers:
oldestnewestmost voted
0

Have you already read the installation text here?

link

answered 27 Apr '10, 22:28

jrodman's gravatar image

jrodman ♦
5.8k2515
accept rate: 42%

edited 27 Apr '10, 23:36

Leo's gravatar image

Leo ♦
817111

Yes, seems like limited data is following over.

(27 Apr '10, 23:44) azimzores

Please explain more on what you mean by "limited data"?

(04 May '10, 16:19) rayfoo
0

As rayfoo suggested, a clearer explanation of what you mean by "limited data" would go a long way toward understanding your problem.

This is a fairly old question, so not sure if it's still an issue, but here are some things to try / questions to ask when troubleshooting:

  • Are you running the latest version of the Splunk for OSSEC App? There have been some significant changes from 1.0.x to 1.1.x of the app, and there will be several more in 1.2.x.

  • Does the issue appear with just dashboards, or do you have issues with the saved searches as well? What happens if you search on sourcetype=ossec* ?

  • Do the records coming into Splunk have the correct sourcetype? See the Data Inputs section of the README file for the recommended sourcetype values. If they are incorrect, you may need to adjust your Inputs configuration.

  • The dashboards currently look for specific OSSEC servers, so try running the search:
    | inputlookup lookup_ossec_servers and make sure your servers are listed. Also, make sure that the default wildcard entry for "All OSSEC Servers" is present. If not, there's a saved search that rebuilds the lookup table, so you might try running that.

    • link

    answered 15 Sep '10, 13:45

    southeringtonp's gravatar image

    southeringtonp ♦
    4.5k1215
    accept rate: 35%

    Post your answer
    toggle preview

    Follow this question

    Log In to enable email subscriptions

    RSS:

    Answers

    Answers + Comments

    Markdown Basics

    • *italic* or _italic_
    • **bold** or __bold__
    • link:[text](http://url.com/ "Title")
    • image?![alt text](/path/img.jpg "Title")
    • numbered list: 1. Foo 2. Bar
    • to add a line break simply add two spaces to where you would like the new line to be.
    • basic HTML tags are also supported

    learn more about Markdown

    Tags:

    ×323
    ×206
    ×186

    Asked: 27 Apr '10, 21:34

    Seen: 1,611 times

    Last updated: 02 Apr '11, 00:22

    Related questions

    Splunk for OSSEC app

    Splunk unix app not receiving inputs

    Meaning of OSSEC dashboard pie graph count values

    Splunk for OSSEC not working from a Remote OSSEC Server

    Question on debugging of OSSEC App Agent Management issues...

    Splunk+ossec Integration

    Agent list in OSSEC agent status dashboard is empty

    Splunk and Ossec on Same Machine

    How to get Splunk aware of the changes in inputs.conf of an app without restarting Splunk?

    Copyright © 2005-2012 Splunk, Inc. All rights reserved.