Lookups for the Splunk Add-on for OSSEC
Action lookup
The action lookup maps the signature_id field to CIM-compliant action, status, and change_type values.
- File location:
$SPLUNK_HOME/etc/apps/Splunk_TA_ossec/lookups/ossec_action_lookup.csv - Lookup fields:
signature_id,action,status,change_type
Lookup sample contents:
| signature_id | action | status | change_type |
|---|---|---|---|
| 550 | modified | success | filesystem |
| 551 | modified | success | filesystem |
| 552 | modified | success | filesystem |
| 55 | deleted | success | filesystem |
| 554 | created | success | filesystem |
| 555 | modified | success | filesystem |
| 580 | modified | success | host_information |
| 581 | created | success | host_information |
| 591 | modified | success | filesystem |
| 592 | modified | success | filesystem |
| 593 | cleared | success | filesystem |
| 594 | modified | success | filesystem |
| 595 | modified | success | filesystem |
| 596 | modified | success | filesystem |
| 597 | deleted | success | filesystem |
| 598 | created | success | filesystem |
| 5302 | failure | ||
| 5303 | modified | success | AAA |
| 5304 | modified | success | AAA |
| 5402 | success | authentication | |
| 5502 | success | authentication | |
| 5503 | failure | authentication | |
| 5715 | success | authentication | |
| 5716 | failure | authentication | |
| 18106 | failure | authentication | |
| 18107 | success | authentication | |
| 18149 | success | authentication | |
| 18130 | failure | authentication | |
| 5710 | failure | authentication | |
| 5557 | failure | authentication | |
| 10100 | success | authentication | |
| 5405 | failure | authentication | |
| 11205 | success | authentication | |
| 18105 | blocked | ||
| 18153 | blocked | ||
| 502 | started | started | |
| 2932 | modified | success | configs |
| 2933 | modified | success | configs |
| 2934 | deleted | success | configs |
| 5501 | success | ||
| 11201 | added | ||
| 5555 | modified | success | AAA |
| 5901 | created | success | AAA |
| 5902 | created | success | AAA |
| 5403 | success | ||
| 18145 | modified | success | service |
| 18103 | stopped | failure | |
| 1814 | started |
Object category lookup
The lookup maps the signature_id field to a CIM-compliant object_category value.
- File location:
$SPLUNK_HOME/etc/apps/Splunk_TA_ossec/lookups/ossec_object_category_lookup.csv - Lookup fields:
signature_id,object_category
Lookup sample contents:
| signature_id | object_category |
|---|---|
| 550 | file |
| 551 | file |
| 552 | file |
| 553 | file |
| 554 | file |
| 555 | host_info |
| 580 | port |
| 581 | host_info |
| 591 | file |
| 592 | file |
| 593 | win_event_log |
| 594 | registry |
| 595 | registry |
| 596 | registry |
| 597 | registry |
| 598 | registry |
| 2932 | package |
| 2933 | package |
| 2934 | package |
| 5304 | user |
| 5555 | user |
| 5901 | group |
| 5902 | user |
| 18145 | policy |
Severities lookup
The severities lookup maps the severity_id field to a CIM-compliant severity value.
- File location:
$SPLUNK_HOME/etc/apps/Splunk_TA_ossec/lookups/ossec_severities_lookup.csv - Lookup fields:
severity_id,severity
Lookup sample contents:
| severity_id | severity |
|---|---|
| 0 | informational |
| 1 | informational |
| 2 | informational |
| 3 | informational |
| 4 | low |
| 5 | low |
| 6 | low |
| 7 | low |
| 8 | low |
| 9 | medium |
| 10 | medium |
| 11 | medium |
| 12 | high |
| 13 | high |
| 14 | high |
| 15 | critical |
Last modified on 21 July, 2021
| Configure inputs using Splunk Connect for Syslog | Source types for the Splunk Add-on for OSSEC |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Download manual
Feedback submitted, thanks!