Re: splunk and ossec

57 views
Skip to first unread message

Malik, Anita

unread,
Jul 20, 2017, 7:36:46 PM7/20/17
to ossec...@googlegroups.com
Hi there, I have implemented reporting and managing ossec application for Splunk. It works fine until I try using a custom index name for the ossec syslog in Splunk. I see the logs populating the custom index and I can do the search but the dashboards are empty, that integration seems to  break while using the custom index name. By default it seems to go in ‘main’, ‘default’ indexes in Splunk. Does any one have any ideas on how to make it to work with custom index name……thanks!!
Anita

Paul Southerington

unread,
Jul 20, 2017, 8:33:08 PM7/20/17
to ossec...@googlegroups.com
Those dashboards are keyed of of an eventtype.  Modifying that eventtype is the easiest approach.

Either add the index to it through the GUI, or create a file at /opt/splunk/etc/apps/ossec/local/eventtypes.conf with the following:
     [ossec]
     search = index=ossec (sourcetype=ossec* NOT sourcetype=ossec_agent_control)

     (This is the same as the default setting, but adding the index explicitly - modify as needed).


Alternately, you can go into Access Controls and add the ossec index to the user role as one of the indexes that gets searched by default.

Or, you can modify the dashboard XML files themselves to point them at the right index explicitly.  Untested, but something like this would do it:
    cd /opt/splunk/etc/apps/ossec/
    mkdir -p local/data/ui/views
    cp default/data/ui/views local/data/ui/views
    cd local/data/ui/views
    for i in *.xml; do sed -i.bak "s/eventtype=ossec/index=ossec eventtype=ossec
    /opt/splunk/bin/splunk restart






On Thu, Jul 20, 2017 at 2:32 PM, Malik, Anita <Anita...@cengage.com> wrote:
Hi there, I have implemented reporting and managing ossec application for Splunk. It works fine until I try using a custom index name for the ossec syslog in Splunk. I see the logs populating the custom index and I can do the search but the dashboards are empty, that integration seems to  break while using the custom index name. By default it seems to go in ‘main’, ‘default’ indexes in Splunk. Does any one have any ideas on how to make it to work with custom index name……thanks!!
Anita

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Malik, Anita

unread,
Jul 26, 2017, 10:27:07 AM7/26/17
to ossec...@googlegroups.com
I tried the first option of creating the event types.conf and it looks good, thanks for the help!!
Anita

To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages