Install the Splunk Add-on for OSSEC
- Get the Splunk Add-on for Ossec by downloading it from Splunkbase or browsing to it using the app browser within Splunk Web.
- Determine where and how to install this add-on in your deployment, using the following tables on this page.
- Perform any prerequisite steps before installing, if required and specified in the following tables.
- Complete your installation.
See installation walkthroughs for links to installation instructions specific to a single-instance deployment, distributed deployment, or Splunk Cloud.
Distributed deployment
Use the tables in this topic to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise or any deployment for which you are using forwarders to get your data in. Depending on your environment, your preferences, and the requirements of the add-on, you may need to install the add-on in multiple places.
Where to install this add-on
Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.
This table provides a reference for installing this specific add-on to a distributed deployment of the Splunk platform.
Splunk platform component type | Supported | Required | Actions required / Comments |
---|---|---|---|
Search Heads | Yes | Yes | Install this add-on to all search heads where Ossec knowledge management is required.
As a best practice, turn add-on visibility off on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of or in addition to your data collection node. |
Indexers | Yes | Conditional | Not required if you use heavy forwarders to collect data. Required if you use universal forwarders to collect data. |
Heavy Forwarders | Yes | No | This add-on supports forwarders of any type for data collection. |
Universal Forwarders | Yes | No |
Installation walkthrough
Refer to Installing add-ons for detailed instructions describing how to install a Splunk add-on in the following deployment scenarios:
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!