{"id":66,"date":"2009-07-27T19:55:54","date_gmt":"2009-07-28T01:55:54","guid":{"rendered":"http:\/\/www.anthonyreinke.com\/?p=66"},"modified":"2009-07-27T19:55:54","modified_gmt":"2009-07-28T01:55:54","slug":"ossec-and-splunk","status":"publish","type":"post","link":"https:\/\/anthonyreinke.com\/index.php\/2009\/07\/27\/ossec-and-splunk\/","title":{"rendered":"OSSEC and Splunk"},"content":{"rendered":"<p>I have been playing with OSSEC and Splunk.\u00a0 OSSEC is a host-based intrusion detection system (HIDS).\u00a0 Splunk is a log archiving and searching system.\u00a0 OSSEC is open source and multi-platform.\u00a0 You can run it on Linux\/Unix and Windows.\u00a0 I am using OSSEC to forward Windows Event Logs to Splunk.\u00a0 Splunk does the searching and correlation.\u00a0 Splunk can also collect logs over WMI.\u00a0 This would be great since no agent would need to be installed.\u00a0 The problem is that if you have more than 30-50 systems, the amount of time and traffic would cause issues.\u00a0 Using the OSSEC agent, I am able to push the event logs to the OSSEC server.\u00a0 From there, the OSSEC server forwards them to the Splunk server via syslog.<\/p>\n<p>Right now I have the servers all talking, but I do need to adjust a few things.\u00a0 Currently Splunk sees all the hosts as the OSSEC server.\u00a0 I believe I just need to tweak the fields.\u00a0 The question is how.<\/p>\n<p>Splunk<br \/>\n<a title=\"Splunk\" href=\"http:\/\/www.splunk.com\" target=\"_blank\">http:\/\/www.splunk.com<\/a><\/p>\n<p>OSSEC<br \/>\n<a title=\"OSSEC\" href=\"http:\/\/www.ossec.net\" target=\"_blank\">http:\/\/www.ossec.net<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have been playing with OSSEC and Splunk.\u00a0 OSSEC is a host-based intrusion detection system (HIDS).\u00a0 Splunk is a log archiving and searching system.\u00a0 OSSEC is open source and multi-platform.\u00a0 You can run it on Linux\/Unix and Windows.\u00a0 I am using OSSEC to forward Windows Event Logs to 
Splunk.\u00a0 Splunk does the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-66","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/posts\/66","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/comments?post=66"}],"version-history":[{"count":0,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/posts\/66\/revisions"}],"wp:attachment":[{"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/media?parent=66"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/categories?post=66"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/tags?post=66"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}