RegEx with Splunk for OSSEC

Thanks to Michael Wilde for the information on RegEx in Splunk.  For those like me who aren’t the best at RegEx, I will show some of the regular expressions I am using for OSSEC.

Server Name
(?i) Location:\s\((?P<FIELDNAME>.*?)\)\s

Windows Event User
(?i) USER: (?P<FIELDNAME>[^:]*);

Server IP
(?i)^[^)]*\)\s+(?P<FIELDNAME>[^-]*)-

Windows Events
(?i)^[^-]*-\s+(?P<FIELDNAME>[^.]*)\.

LogInUser
(?i) Name: (?P<FIELDNAME>\w+)

LogInDomain
(?i) Domain: (?P<FIELDNAME>[^ ]*)[ ]
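The same patterns can be tried offline before saving them in Splunk, since Python's re module understands the (?i) flag and (?P<name>...) groups that Splunk's PCRE uses. This is an added example, not from the original post; the two sample alerts are constructed and assume OSSEC's syslog output format ("Alert Level: N; Rule: N - description; Location: (agent) ip->log; user: ...;"), which is the only layout in which the Location:, user: and Rule: tokens these regexes key on all appear.

```python
import re

# The six field extractions from the post. The dict keys are the names
# given to each extraction in Splunk's Save dialog; FIELDNAME is Splunk's
# placeholder group name and is the group read back below.
OSSEC_EXTRACTIONS = {
    "ServerName":       r"(?i) Location:\s\((?P<FIELDNAME>.*?)\)\s",
    "WindowsEventUser": r"(?i) USER: (?P<FIELDNAME>[^:]*);",
    "ServerIP":         r"(?i)^[^)]*\)\s+(?P<FIELDNAME>[^-]*)-",
    "WindowsEvents":    r"(?i)^[^-]*-\s+(?P<FIELDNAME>[^.]*)\.",
    "LogInUser":        r"(?i) Name: (?P<FIELDNAME>\w+)",
    "LogInDomain":      r"(?i) Domain: (?P<FIELDNAME>[^ ]*)[ ]",
}

def extract_fields(event, extractions=OSSEC_EXTRACTIONS):
    """Apply every extraction to one raw event the way Splunk does at
    search time: the first match supplies the value, and a field whose
    regex does not match is simply absent from the result."""
    fields = {}
    for name, pattern in extractions.items():
        match = re.search(pattern, event)
        if match:
            fields[name] = match.group("FIELDNAME")
    return fields

# Constructed sample events (not real alerts) in OSSEC syslog output format.
# Note the syslog hostname has no hyphen: the WindowsEvents regex anchors on
# the first "-" in the event, so a hyphenated host name would break it.
WINDOWS_ALERT = (
    "Dec  3 10:34:43 ossecsrv ossec: Alert Level: 5; Rule: 18107 - Windows Logon "
    "Failure.; Location: (winbox01) 10.0.0.5->WinEvtLog; user: bob; "
    "WinEvtLog: Security: AUDIT_FAILURE(529): Security: bob: CORP: WINBOX01: "
    "Logon Failure: Reason: Unknown user name or bad password "
    "User Name: bob Domain: CORP Logon Type: 3 Workstation Name: WKS77"
)
# A non-Windows alert: ServerName, ServerIP, WindowsEvents and WindowsEventUser
# still match, while LogInUser and LogInDomain are absent.
SSHD_ALERT = (
    "Dec  3 10:35:01 ossecsrv ossec: Alert Level: 5; Rule: 5716 - SSHD "
    "authentication failed.; Location: (linux01) 10.0.0.7->/var/log/auth.log; "
    "srcip: 203.0.113.9; user: root; Dec  3 10:35:00 linux01 sshd[2210]: "
    "Failed password for root from 203.0.113.9 port 4022 ssh2"
)

if __name__ == "__main__":
    for event in (WINDOWS_ALERT, SSHD_ALERT):
        print(extract_fields(event))
```

The second sample shows that the "Windows" extractions are really keyed on the OSSEC alert wrapper, not on Windows event text, so they fire on any agent's alerts.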

******************************************************

Now, to add them…

Open your browser and log in to your Splunk server.  In the Search application, type sourcetype="ossec"
[Screenshot: Search ossec]

or click on "ossec" in the Sourcetypes list.
[Screenshot: Search ossec]

You should see a bunch of data from the OSSEC server.  On the left of the main frame of the webpage, there should be a grey down arrow.  Clicking on this I get two options.  You want to select Extract Fields.
[Screenshot: Extract Fields]

Here is where it gets fun.  Splunk included a graphical RegEx builder based on examples.  I ended up playing with this for a while.  Once you have found the expression you like, click on the Save button.
[Screenshot: Save RegEx]

Name your RegEx and click Save.
[Screenshot: Save Field]

Restart your Splunk server.
Once restarted, on the main search page, on the left sidebar click on Pick fields.
[Screenshot: Pick fields]

Here you can select the fields that will be displayed on the search page.
[Screenshot: Select fields]

When you get back to the search page, you will notice the new fields.
[Screenshot: new fields showing in search results]
