Hi,
We have Linux Audit log data coming in via OSSEC into Splunk. For this data, source is set to "/var/ossec/logs/alerts/alerts.log" and sourcetype is "ossec_alerts". We are unable to see this data in the Linux Audit app, probably because it does not understand the "ossec_alerts" sourcetype.
To use this data in the Linux Audit App and Splunk ES, what is the best way to manage this sourcetype?
Is there any way to have Splunk look at data coming from source=/var/ossec/logs/alerts/alerts.log and change the sourcetype from ossec_alerts to linux:audit?
Or should I add ossec_alerts as another accepted sourcetype under /TA_linux-auditd/default/props.conf?
[source::.../var/log/audit/audit.log(.\d+)?]
sourcetype = linux:audit
sourcetype = ossec_alerts
We would still like to keep the rest of the OSSEC data in its original sourcetype, i.e. ossec_alerts. We have deployed this app on both the Indexer and the Search Head.
Many Thanks,
~ Abhi
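As an added illustration of the first option in the question (rewriting the sourcetype for only the audit events arriving via OSSEC), below is an index-time transform. This is not configuration from the original post, from OSSEC or from the TA_linux-auditd app; the stanza names (ossec_set_linux_audit), the regex and the app directory are assumptions and must be checked against the actual lines in alerts.log before use. Note that a props.conf stanza with two sourcetype = keys does not accept both; the last key wins, so listing both linux:audit and ossec_alerts in the same stanza would not do what the second option in the question intends.

```ini
# props.conf (assumed to live in a local/ directory of a custom app on the
# indexer or heavy forwarder, i.e. the parsing tier; a search head alone
# cannot rewrite sourcetype at index time)
[source::/var/ossec/logs/alerts/alerts.log]
# Keep the original sourcetype for everything OSSEC sends ...
sourcetype = ossec_alerts
# ... and hand events to a transform that retags only the audit records
TRANSFORMS-ossec_audit = ossec_set_linux_audit

# transforms.conf (same app)
[ossec_set_linux_audit]
# Assumed pattern for an auditd record embedded in an OSSEC alert:
#   type=SYSCALL msg=audit(1500000000.123:456): ...
# Verify against real alert lines; non-matching events are left untouched.
REGEX = type=\w+\s+msg=audit\(\d+\.\d+:\d+\)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::linux:audit
```

Because OSSEC wraps the forwarded line in its own alert framing (rule id, level, hostname) rather than forwarding the raw auditd record, the events retagged this way may still not match the field extractions the Linux Audit app defines for linux:audit; check a sample search after the change and, if the fields do not line up, either strip the OSSEC framing with a SEDCMD in the same props.conf stanza or collect /var/log/audit/audit.log directly with the TA instead.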