Configure inputs using Splunk Connect for Syslog
Splunk recommends that you use Splunk Connect for Syslog (SC4S) to collect data. To collect data using SC4S, follow the steps described in https://splunk-connect-for-syslog.readthedocs.io/en/master/sources/Ossec/.
Configure inputs in Splunk Add-on for OSSEC
The Splunk Add-on for OSSEC handles inputs through UDP. Match the input configuration in your Splunk platform's data collection node to the port that you configured in your OSSEC configuration file. For instructions, see Configure your OSSEC server to send data to the Splunk Add-on for OSSEC.
In the Splunk platform node handling data collection, configure the UDP input to match your configurations in OSSEC and set your source type to
ossec. The CIM mapping is dependent on this source type.
For information on how to configure a Splunk forwarder or single-instance to receive a syslog input, see "Get data from TCP and UDP ports" in the Getting Data In manual.
Once the inputs are configured try executing the command
sourcetype = ossec
Configure your OSSEC server to send data to the Splunk Add-on for OSSEC
Lookups for the Splunk Add-on for OSSEC
This documentation applies to the following versions of Splunk® Supported Add-ons: released