Here are some notes about Splunk (www.splunk.com) usage.
All the relevant documentation is here.
1. Splunk and Ossec
Splunk for OSSEC is available here
To avoid recurrent noisy messages, like this one,
Set privileges to allow the user access to OSSEC, or add the following lines to /etc/sudoers:
splunk ALL = NOPASSWD: /var/ossec/bin/agent_control -l
splunk ALL = NOPASSWD: /var/ossec/bin/manage_agent
2. Purge Splunk
/opt/splunk/bin/splunk clean all
/opt/splunk/bin/splunk clean eventdata
Go to /opt/splunk/etc/ and check the .license files.
4. Monitor only one directory (not including sub-folders)
5. How to delete
To use the delete operator, run a search that returns the events you want deleted. Make sure that this search returns ONLY events you want to delete, and no other events.
For example, if you want to remove the events you’ve indexed from a source called /fflanda/incoming/cheese.log so that they no longer appear in searches, do the following:
1. Disable or remove that source so that it no longer gets indexed.
2. Search for events from that source in your index:
source="/fflanda/incoming/cheese.log"
3. Look at the results to confirm that this is the data you want to delete.
4. Once you’ve confirmed that this is the data you want to delete, pipe the search to delete:
source="/fflanda/incoming/cheese.log" | delete
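An added example (not from the page or from Splunk) of a small guard for the confirm-then-delete procedure above: the rows returned by the step 2 search are checked so that every event really carries the intended source before the "| delete" search of step 4 is built. The function names and the sample result rows are constructed for this illustration.

```python
from typing import Iterable, Optional


def _escape_spl_value(value: str) -> str:
    """Escape a value for use inside double quotes in an SPL search."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def review_search(source: str) -> str:
    """Step 2: the search that should return only the events to delete."""
    return f'search source="{_escape_spl_value(source)}"'


def delete_search(source: str) -> str:
    """Step 4: the same search piped to delete.

    delete only marks events as non-searchable; it does not reclaim disk
    space, and the user needs the can_delete capability to run it.
    """
    return f"{review_search(source)} | delete"


def foreign_sources(events: Iterable[dict], source: str) -> list:
    """Step 3: distinct sources in the results that are NOT the intended
    one. An empty list means the result set contains only target events."""
    seen = []
    for event in events:
        src = event.get("source")
        if src != source and src not in seen:
            seen.append(src)
    return seen


def plan_delete(events: Iterable[dict], source: str) -> Optional[str]:
    """Only hand back the delete search when every reviewed event has the
    intended source; otherwise return None so nothing gets deleted."""
    if foreign_sources(events, source):
        return None
    return delete_search(source)


# Constructed sample rows, standing in for what the step 2 search returns.
TARGET = "/fflanda/incoming/cheese.log"
CLEAN_RESULTS = [
    {"source": TARGET, "_raw": "cheese ordered: gouda"},
    {"source": TARGET, "_raw": "cheese ordered: brie"},
]
MIXED_RESULTS = CLEAN_RESULTS + [
    {"source": "/var/log/messages", "_raw": "unrelated system event"},
]
```

plan_delete(CLEAN_RESULTS, TARGET) yields the step 4 search, while plan_delete(MIXED_RESULTS, TARGET) returns None because a row from another source slipped into the results.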