Splunk® Supported Add-ons

Splunk Add-on for OSSEC

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Lookups for the Splunk Add-on for OSSEC

Action lookup

The action lookup maps the signature_id field to CIM-compliant action, status, and change_type values.

  • File location: $SPLUNK_HOME/etc/apps/Splunk_TA_ossec/lookups/ossec_action_lookup.csv
  • Lookup fields: signature_id,action,status,change_type

Lookup sample contents:

signature_id action status change_type
550 modified success filesystem
551 modified success filesystem
552 modified success filesystem
55 deleted success filesystem
554 created success filesystem
555 modified success filesystem
580 modified success host_information
581 created success host_information
591 modified success filesystem
592 modified success filesystem
593 cleared success filesystem
594 modified success filesystem
595 modified success filesystem
596 modified success filesystem
597 deleted success filesystem
598 created success filesystem
5302 failure
5303 modified success AAA
5304 modified success AAA
5402 success authentication
5502 success authentication
5503 failure authentication
5715 success authentication
5716 failure authentication
18106 failure authentication
18107 success authentication
18149 success authentication
18130 failure authentication
5710 failure authentication
5557 failure authentication
10100 success authentication
5405 failure authentication
11205 success authentication
18105 blocked
18153 blocked
502 started started
2932 modified success configs
2933 modified success configs
2934 deleted success configs
5501 success
11201 added
5555 modified success AAA
5901 created success AAA
5902 created success AAA
5403 success
18145 modified success service
18103 stopped failure
1814 started

Object category lookup

The lookup maps the signature_id field to a CIM-compliant object_category value.

  • File location: $SPLUNK_HOME/etc/apps/Splunk_TA_ossec/lookups/ossec_object_category_lookup.csv
  • Lookup fields: signature_id,object_category

Lookup sample contents:

signature_id object_category
550 file
551 file
552 file
553 file
554 file
555 host_info
580 port
581 host_info
591 file
592 file
593 win_event_log
594 registry
595 registry
596 registry
597 registry
598 registry
2932 package
2933 package
2934 package
5304 user
5555 user
5901 group
5902 user
18145 policy

Severities lookup

The severities lookup maps the severity_id field to a CIM-compliant severity value.

  • File location: $SPLUNK_HOME/etc/apps/Splunk_TA_ossec/lookups/ossec_severities_lookup.csv
  • Lookup fields: severity_id,severity

Lookup sample contents:

severity_id severity
0 informational
1 informational
2 informational
3 informational
4 low
5 low
6 low
7 low
8 low
9 medium
10 medium
11 medium
12 high
13 high
14 high
15 critical
Last modified on 21 July, 2021
PREVIOUS
Configure inputs using Splunk Connect for Syslog
  NEXT
Source types for the Splunk Add-on for OSSEC

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters