OSSEC and Splunk

I have been playing with OSSEC and Splunk. OSSEC is a host-based intrusion detection system (HIDS). Splunk is a log archiving and searching system. OSSEC is open source and multi-platform: you can run it on Linux/Unix and Windows. I am using OSSEC to forward Windows Event Logs to Splunk, and Splunk does the searching and correlation. Splunk can also collect Windows event logs over WMI, which would be great since no agent would need to be installed, but the problem is that with more than 30-50 systems the amount of time and traffic involved would cause issues. Using the OSSEC agent, I am able to push the event logs to the OSSEC server, and from there the OSSEC server uploads them to the Splunk server via syslog.

Right now I have the servers all talking, but I do need to adjust a few things. Right now Splunk sees all the hosts as the OSSEC server, since every event reaches Splunk over syslog from the OSSEC server rather than from the machine that produced it. I believe I just need to tweak the fields. The question is how.
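To make the "tweak the fields" step concrete, here is an added example (my own code, not part of this post and not shipped by OSSEC or Splunk) that parses the OSSEC syslog alert lines and pulls the originating agent name out of the `Location:` field, which is the value Splunk should record as the host. The sample alert lines are constructed; they follow the shape of OSSEC's syslog alert output as I understand it, and the `Location: (agent) ip->source` layout is the assumption to check against a real line from your own server. The rule ids and descriptions are made up. The same regex can be used either as a search-time field extraction or, via the standard Splunk `TRANSFORMS`/`DEST_KEY = MetaData:Host` mechanism, as an index-time host override; the block generates that stanza from the very regex it tests, so the two cannot drift apart.

```python
import re
from collections import Counter

# Constructed sample alerts (not real OSSEC output). Assumption: OSSEC's syslog
# output puts the agent name in parentheses inside the Location field as
# "Location: (agent) ip->source". Rule ids/descriptions are invented
# (100001+ is OSSEC's local-rules range).
SAMPLE_ALERTS = [
    "Nov 18 10:02:27 ossec-server ossec: Alert Level: 3; Rule: 100001 - Windows audit success event.; "
    "Location: (winfile01) 10.0.0.21->WinEvtLog; user: jdoe; ",
    "Nov 18 10:02:31 ossec-server ossec: Alert Level: 5; Rule: 100002 - Windows logon failure.; "
    "Location: (winweb02) 10.0.0.35->WinEvtLog; srcip: 10.0.0.99; user: Administrator; ",
    "Nov 18 10:02:40 ossec-server ossec: Alert Level: 7; Rule: 100003 - Multiple SSH login failures.; "
    "Location: (lnxjump01) 10.0.0.7->/var/log/auth.log; srcip: 203.0.113.5; ",
    # An alert generated on the OSSEC server itself: no "(agent)" in the location.
    "Nov 18 10:02:45 ossec-server ossec: Alert Level: 3; Rule: 100004 - Listening ports changed.; "
    "Location: ossec-server->netstat; ",
]

# Regex shared by the parser below and the generated Splunk stanza: capture
# group 1 is the agent name inside the parentheses of the Location field.
HOST_REGEX = r"Location:\s+\(([^)]+)\)"

# Full alert body: level, rule id/description, optional "(agent) ip->", log source.
ALERT_RE = re.compile(
    r"ossec: Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule_id>\d+) - (?P<rule_desc>[^;]*?)\.?; "
    r"Location: (?:\((?P<agent>[^)]+)\) (?P<agent_ip>\S+?)->)?(?P<log_source>[^;]+);"
)

# Classic BSD syslog header: "Mon DD HH:MM:SS sender ..."; the sender is the
# OSSEC server, which is the host Splunk records today for every event.
SYSLOG_HEADER_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<sender>\S+) ")


def syslog_sender(line):
    """Return the syslog sender from the header, or None if the header is absent."""
    m = SYSLOG_HEADER_RE.match(line)
    return m.group("sender") if m else None


def parse_ossec_alert(line):
    """Parse one OSSEC syslog alert into a dict of fields, or None if it is not one.

    The 'host' field is the agent name when present; otherwise the event came
    from the OSSEC server itself, so the syslog sender is the right host.
    """
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["level"] = int(fields["level"])
    fields["rule_id"] = int(fields["rule_id"])
    fields["host"] = fields["agent"] or syslog_sender(line)
    return fields


def host_from_event(line):
    """Apply only HOST_REGEX, exactly as the Splunk transform would."""
    m = re.search(HOST_REGEX, line)
    return m.group(1) if m else None


def hosts_seen(lines):
    """Count events per originating host: the per-agent view the author wants."""
    counts = Counter()
    for line in lines:
        fields = parse_ossec_alert(line)
        if fields and fields["host"]:
            counts[fields["host"]] += 1
    return dict(counts)


def splunk_host_override_stanzas(sourcetype="ossec"):
    """Return (transforms.conf, props.conf) text for an index-time host override.

    REGEX/FORMAT/DEST_KEY and TRANSFORMS-<name> are Splunk's standard keys for
    overriding the host from event data; the sourcetype name is an assumption.
    """
    transforms = (
        "[ossec_agent_as_host]\n"
        f"REGEX = {HOST_REGEX}\n"
        "FORMAT = host::$1\n"
        "DEST_KEY = MetaData:Host\n"
    )
    props = f"[{sourcetype}]\nTRANSFORMS-ossechost = ossec_agent_as_host\n"
    return transforms, props


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        f = parse_ossec_alert(line)
        print(f"host={f['host']:<13} level={f['level']} rule={f['rule_id']} src={f['log_source']}")
    print(hosts_seen(SAMPLE_ALERTS))
    print(*splunk_host_override_stanzas(), sep="\n")
```

Events from the OSSEC server itself carry no parenthesised agent, so the parser falls back to the syslog sender; an index-time transform that does not match simply leaves the host as the sender, which gives the same result.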

Splunk
http://www.splunk.com

OSSEC
http://www.ossec.net

One thought on “OSSEC and Splunk”

  1. Anthony. Next to each event, right below the timestamp, is an “Extract Fields” link. It's a nice little wizard that helps you pick out things you'd like to be fields and it writes the REGEX for you. You give it samples, it builds the field extraction.

    Check it out. I'm a regex ninja and I don't need most of my skills anymore.

    Michael Wilde
    Splunk Ninja
    twitter: @michaelwilde
