Hi,
We are using Splunk to Index OSSEC data by monitoring the alerts.log file which is also on the same server. Till now, we were using the "Reporting and Management for OSSEC" app and thus, sourcetype was set to "ossec_alerts".
Since this App is not CIM compatible, we had to install "Splunk Add-on for OSSEC" Add-on and change the sourcetype to "ossec". After this change, we lost all the original fields which were getting extracted based on the App. When we checked the transforms and props configuration file for the App, it has rules to account for both sourcetypes, which means after this change in sourcetype(from ossec_alerts -> ossec), both the App and the Add-on should function.
Has anyone else here worked with both App and add-on together? Are there further changes required so that both can see the data correctly and extract appropriate fields accordingly?
Our eventual goal is to have OSSEC data being used into Enterprise Security app, which is the reason "Splunk Add-on for OSSEC" has been installed.
Thanks,
~ Abhi
↧