From Splunk Wiki
Index Tripwire logs
Tripwire is a host based IDS that runs on mulitple platforms. In our installation we ran Tripwire on RHEL 5, HP-UX 11, and Windows 2003. For the most part Tripwire keeps logs with its own database model. Splunk was unable to reach those logs in the Oracle datastore. As a work around we install Splunk light forwarder on the Windows box that was running the Tripwire Console and configured Tripwire to export its logs every hour. You can configure Tripwire to dump its logs every hour under the "Task" menu of the web console. There is a default "Archive Log Messages" task you will just need to modify the run time from the default of a month to hourly.
Splunk light forwarder (inputs.conf) was configured to monitor the default tripwire log export directory:
disabled = false
_whitelist = \.xml$
sourcetype = tripwire_audit
Splunk index server (props.conf) was configured to break up the events by XML bracket statements and look for proper timestamp.
MUST_NOT_BREAK_AFTER = <LogMessage[^s]
MUST_BREAK_AFTER = </LogMessage>
MAX_TIMESTAMP_LOOKAHEAD = 170
TIME_PREFIX = /<Timestamp displayvalue="([0-9]|1[0-2])\/([0-9]|[1-3][0-9])\/[0-9][0-9]\s(1[0-2]|[0-9])\:[0-9][0-9]\s[AP]M">/g
TZ = UTC
Jasonnadeau 06:47, 20 July 2009 (PDT)