Configure inputs using Splunk Connect for Syslog
Splunk recommends that you use Splunk Connect for Syslog (SC4S) to collect data. To collect data using SC4S, follow the steps described in https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/Ossec/ossec/
Configure inputs in Splunk Add-on for OSSEC
The Splunk Add-on for OSSEC handles inputs through UDP. Match the input configuration in your Splunk platform's data collection node to the port that you configured in your OSSEC configuration file. For instructions, see Configure your OSSEC server to send data to the Splunk Add-on for OSSEC.
In the Splunk platform node handling data collection, configure the UDP input to match your configurations in OSSEC and set your source type to ossec. The CIM mapping is dependent on this source type.
For information on how to configure a Splunk forwarder or single-instance to receive a syslog input, see "Get data from TCP and UDP ports" in the Getting Data In manual.
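The following inputs.conf stanza is an added example of the UDP input described above; it is not taken from the Splunk documentation or the add-on itself. The port 514 is a constructed value: replace it with the port you set in the OSSEC syslog_output configuration. The settings shown (sourcetype, connection_host, no_appending_timestamp) are standard inputs.conf options for UDP stanzas.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf (or the add-on's local directory)
# Listen for OSSEC syslog output on UDP port 514 (assumed port; use the one configured in OSSEC).
[udp://514]
# The add-on's CIM mapping depends on this exact source type.
sourcetype = ossec
# Record the sending host by IP address rather than attempting reverse DNS.
connection_host = ip
# Do not prepend a Splunk timestamp and host to each line; OSSEC already
# sends a syslog header, and a second one breaks field extraction.
no_appending_timestamp = true
```

After restarting the Splunk platform instance (or reloading inputs), confirm the listener is open with `splunk list udp`, then check that the UDP port is allowed through the host firewall between the OSSEC server and the collection node.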
Once the inputs are configured, verify that events are arriving by running the following search in the Splunk platform:
sourcetype=ossec