
[ossec-list] Indexing ossec alerts with Splunk



Since I use Splunk to index all my log files, I also wanted it to
generate alerts and reports of the OSSEC alerts.
Just do the following to make Splunk recognize the multi-line alerts
of OSSEC:

In the file $SPLUNK_HOME/etc/bundles/local/props.conf add the
definition below.

[Ossec_Alerts]
#Appears in the typeahead for source_types
pulldown_type = true
# Combine several lines in 1 event
SHOULD_LINEMERGE = True
#Do not automatically find event boundaries
AUTO_LINEMERGE = False
#Break if and only if the line starts with the ** Alert
BREAK_ONLY_BEFORE = ^\*\*\sAlert

Then just add the OSSEC logs you want to index with Splunk. I used
these ones:
/var/ossec/logs/firewall/firewall.log
/var/ossec/logs/ossec.log
/var/ossec/logs/alerts/alerts.log
/var/ossec/logs/active-responses.log

Now I only wish that someone could create the needed fields and events
definitions in splunk so we can apply filters on the data within the
ossec alerts :-)
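As an added example (not from the post above), the following Python reproduces what the SHOULD_LINEMERGE / BREAK_ONLY_BEFORE setting does to alerts.log, and then pulls out the fields the poster wishes for (rule id, level, description, groups, source IP). The alert sample is constructed to match the usual OSSEC alerts.log layout; the regexes are my own, not Splunk's or OSSEC's.

```python
import re

# Splunk's BREAK_ONLY_BEFORE regex from the post: an event starts only
# on a line that begins with "** Alert".
BREAK_ONLY_BEFORE = re.compile(r"^\*\*\sAlert")

# Header, rule and source-IP lines as written by OSSEC (assumed layout,
# regexes written for this example).
HEADER_RE = re.compile(
    r"^\*\* Alert (?P<alert_id>\d+\.\d+):(?: mail)?\s+- (?P<groups>.*?),?$", re.M)
RULE_RE = re.compile(
    r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<description>[^']*)'", re.M)
SRC_IP_RE = re.compile(r"^Src IP: (?P<src_ip>\S+)$", re.M)

# Constructed alerts.log sample (two alerts, not a real capture).
SAMPLE_ALERTS_LOG = """\
** Alert 1240000000.1234: - syslog,authentication_failed,
2009 Apr 17 10:15:20 (webhost) 192.0.2.10->/var/log/auth.log
Rule: 5503 (level 5) -> 'User login failed.'
Src IP: 198.51.100.7
Apr 17 10:15:19 webhost sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 4567 ssh2

** Alert 1240000000.2345: mail  - ossec,syscheck,
2009 Apr 17 10:16:02 webhost->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
"""

def merge_events(text):
    """Group lines into events: a new event begins at each '** Alert' line."""
    events, current = [], []
    for line in text.splitlines():
        if BREAK_ONLY_BEFORE.match(line) and current:
            events.append("\n".join(current).rstrip())
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current).rstrip())
    return events

def parse_event(event):
    """Extract searchable fields from one merged alert event (None if not an alert)."""
    m = HEADER_RE.match(event)
    if not m:
        return None
    fields = {"alert_id": m.group("alert_id"),
              "groups": [g for g in m.group("groups").split(",") if g]}
    r = RULE_RE.search(event)
    if r:
        fields["rule_id"] = int(r.group("rule_id"))
        fields["level"] = int(r.group("level"))
        fields["description"] = r.group("description")
    s = SRC_IP_RE.search(event)
    fields["src_ip"] = s.group("src_ip") if s else None
    return fields

def parse_alerts_log(text):
    """Merge then parse; skips any event that is not a '** Alert' block."""
    return [f for f in (parse_event(e) for e in merge_events(text)) if f]
```

Filtering on level or rule_id in the parsed dicts is the same kind of query the poster wants Splunk field extractions to allow.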





OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.