Regular expressions are fairly easy to use and manipulate when searching through a series of data. I ingest all of my OSSEC alerts into Splunk and can search and drill down into the data with the click of a button. However, I thought it would be neat to build my own Splunk 'Field' using a regex (regular expression) based on the OSSEC rule and the correlated event that occurred on my systems, then build a Splunk report on that data every 24 hours. The process is simple:
Create the Search --> Save the Search --> Build a Report
Create the Search
- Search path field in Splunk>
(This will search through all the data in your indexes and build a custom "OSSEC_RULE" field within your search criteria. The OSSEC_RULE field will hold the rule number from each "Rule: ????" line reported in your OSSEC alerts.)
- Select "Last 24 hours" from time line drop down menu
- Click the green arrow to perform your search!
- When the alerts start populating your page, you will notice the "OSSEC_RULE" field on the left-hand side of your Splunk Search page, along with the other fields.
- If it is not there, click on the "All ??? fields" link, locate the OSSEC_RULE field, click on the green arrow to add it to your "Selected fields" and click the "Save" button. Now you should see the OSSEC_RULE field on the left-hand side. If you still don't see it, check that your search criteria are correct.
Save the Search
- Now click on "Save search" located on the top right of the Splunk Search page
- Create a custom Name, Description, Time range and click the "Schedule this search" check box, then click the Save button
Build a Report
- Now click on "Build report" located next to the Save Search link
- Click the "Define report data through a form" link
- Select 24hrs from the Time Range dropdown menu, then click the Next button to format the report
- In the Report type drop down menu select "Rare values"
- Now select "OSSEC_RULE" from the drop down menu for the specific Field to use for the report
- Click the "Next Step" button to format the report
(Check out all of the OSSEC Rules that were found in your Splunk system...kind of cool)
- Choose the Chart type, Chart title, click apply then click the "Save" button on the top menu
- Create a Name, Description, Time Range then click "Schedule this search".
- Select the Schedule Type alert conditions and actions, then click Save
- Now you will be able to add this report to your dashboard or, depending on the action you selected, run a script or email the report when a condition is met
Simple as pie!
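The same extraction and "Rare values" report can be reproduced outside Splunk, which is a handy way to check that the regex actually matches every alert before scheduling the search. The Python below is an added example, not code from the post, and the OSSEC alerts it parses are constructed sample entries in the format OSSEC writes to alerts.log (hypothetical host names, addresses and users). The Splunk search the post relies on is not reproduced on this page; my assumption is that it has roughly the shape `... | rex "Rule: (?<OSSEC_RULE>\d+)" | rare OSSEC_RULE`, and the `RULE_RE` pattern and the `rare_values` and `coverage` helpers here are my own names.

```python
import re
from collections import Counter

# Constructed sample of OSSEC alerts.log entries (hypothetical hosts, IPs and
# users; not alerts taken from the blog's systems).
SAMPLE_ALERTS = """\
** Alert 1266889567.1001: - syslog,sshd,authentication_failed,
2010 Feb 22 18:26:07 webhost->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.5
User: root
Feb 22 18:26:06 webhost sshd[1234]: Failed password for root from 10.0.0.5 port 4321 ssh2

** Alert 1266889590.1002: - syslog,sshd,authentication_failed,
2010 Feb 22 18:26:30 webhost->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.5
User: admin
Feb 22 18:26:29 webhost sshd[1240]: Failed password for invalid user admin from 10.0.0.5 port 4322 ssh2

** Alert 1266889620.1003: - pam,syslog,authentication_success,
2010 Feb 22 18:27:00 webhost->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Feb 22 18:26:59 webhost sshd[1251]: pam_unix(sshd:session): session opened for user bob by (uid=0)

** Alert 1266889650.1004: - syslog,sudo
2010 Feb 22 18:27:30 webhost->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
User: bob
Feb 22 18:27:29 webhost sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash

** Alert 1266889700.1005: - syslog,sshd,authentication_failed,
2010 Feb 22 18:28:20 webhost->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.7
User: root
Feb 22 18:28:19 webhost sshd[1260]: Failed password for root from 10.0.0.7 port 5000 ssh2
"""

# The "Rule: NNNN (level N) -> 'description'" line of each alert. The named
# group OSSEC_RULE plays the role of the custom Splunk field from the post.
RULE_RE = re.compile(
    r"^Rule: (?P<OSSEC_RULE>\d+) \(level (?P<level>\d+)\) -> '(?P<description>[^']*)'",
    re.MULTILINE,
)

# Every OSSEC alert starts with a "** Alert" header line.
ALERT_HEADER_RE = re.compile(r"^\*\* Alert ", re.MULTILINE)


def extract_rules(alerts_text):
    """Return one dict per matched alert with its OSSEC_RULE id, level and description."""
    return [m.groupdict() for m in RULE_RE.finditer(alerts_text)]


def rare_values(alerts_text, field="OSSEC_RULE"):
    """List the distinct values of `field`, least frequent first, as
    (value, count, percent) tuples, i.e. what a 'Rare values' report shows."""
    counts = Counter(row[field] for row in extract_rules(alerts_text))
    total = sum(counts.values())
    return [
        (value, count, round(100.0 * count / total, 2))
        for value, count in sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    ]


def coverage(alerts_text):
    """Compare alert headers seen with OSSEC_RULE values extracted.
    A gap means some alerts are in a format the regex does not match, which
    is the usual reason the field does not show up in the Splunk sidebar."""
    headers = len(ALERT_HEADER_RE.findall(alerts_text))
    extracted = len(extract_rules(alerts_text))
    return headers, extracted


if __name__ == "__main__":
    for value, count, pct in rare_values(SAMPLE_ALERTS):
        print(f"OSSEC_RULE={value} count={count} percent={pct}")
    print("alerts seen / rules extracted:", coverage(SAMPLE_ALERTS))
```

Run it against a copy of your own alerts.log before scheduling the report: if `coverage` reports fewer extracted rules than alert headers, the regex is missing an alert format and the Splunk field will be missing for those events too.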
Welcome to the SecurityisFutile blog
I welcome comments and suggestions; I take criticism very lightly (at least most of the time). My goal for this blog is to document various experiments and research projects I feel are both relevant and prominent in the field of computer security (or lack thereof) and share my results and experiences with other fellow computer security enthusiasts. Most of my topics are based solely on open source technology and methodology, mostly due to availability and cost. I believe that effective security measures help keep people honest with their technology, for the most part. Security is futile (useless), or at least it feels that way when an inspired opportunist comes around and exploits your weaknesses. With that being said, I leave you with a quote of inspiration: "There is no security on this earth, there is only opportunity." -- General Douglas MacArthur
Thursday, February 25, 2010
Sunday, February 21, 2010
HTPC made simple with Element 1.0
ElementOS
Element v1.0 is a Linux-based operating system (based on Ubuntu) for your Home Theater PC (HTPC), featuring a ten-foot user interface designed to be connected to your HDTV for a digital media and internet experience within the comfort of your own living room or entertainment area. I recently evaluated the product to see if it was suitable for the average home PC user. You can get the latest Element OS from http://www.elementmypc.com. Version 1.0 comes with many different home PC features to help you manage internet media, games, music, video and photos.
The built-in media center application is XBMC (Xbox Media Center). However, you can download and install other media center apps like Boxee, Moovida and Hulu. These applications can also be downloaded from the Element web site. Element provides its users with a full-fledged computing and home entertainment experience. After evaluating the product, I wouldn't see it being too difficult for the average PC user to figure out. I could also see myself replacing my cable and DVD boxes at home with a new HTPC.
How To Set it up
I used a virtual environment to install and test the Element OS. I was pretty surprised how well it ran with a 10 GB hard drive, a single processor and 1024 MB of memory. However, I would not recommend this for an official HTPC. You can find the minimum/recommended requirements for running Element on their website.
1.) I downloaded the Element v1.0 iso image (Live CD) from the Element website
2.) Then built my virtual machine using VMware Player v3.0
- 32bit Ubuntu
- 1024 MB
- 10 GB hard drive
- Host-only network (will allow you to get out on the Internet from your Host computer)
3.) After configuration was complete, I set up my virtual machine to boot from the iso image I had just downloaded
4.) Then log in to Element using username "element" with no password
5.) Then install the Element operating system to the virtual machine's hard drive.
- Click the File Manager launcher on your center bar and then click the Install Element icon.
- This will walk you through the installation process
6.) Now install VMware Tools so you can optimize your virtual machine's performance
7.) In the virtual machine window, click "VM" and "Install VMware Tools"
- follow the install instructions
- reboot your virtual machine
8.) Now configure your display, click on the Element "Application Finder" in the top left hand part of your screen
9.) Click on the "Settings" radio button then double-click "Display"
- optimal 1262x658
- logout then log back in or reboot
10.) Now you are ready to install some other media desktop apps, surf the web or do whatever! You could even try connecting it to your TV using a converter for AV inputs or HDMI.
References
- User Forum
http://www.getsatisfaction.com/elementos/topics
- Official web site
http://www.elementmypc.com/main/mainpage