Configure inputs for the Splunk Add-on for OSSEC

The Splunk Add-on for OSSEC handles inputs through UDP. Match the input configuration in your Splunk platform's data collection node to the port that you configured in your OSSEC configuration file. If you have not yet done this, follow the instructions in "Configure your OSSEC server to send data to the Splunk Add-on for OSSEC".

In the Splunk platform node handling data collection, configure the UDP input to match your configurations in OSSEC and set your source type to ossec. The CIM mapping and dashboard panels are dependent on this source type.

For information on how to configure a Splunk forwarder or a single-instance deployment to receive a syslog input, see "Get data from TCP and UDP ports" in the Getting Data In manual. Once you have configured the input, run this search to check that you are ingesting the data that you expect:

sourcetype = ossec
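The page's two requirements are that the UDP port in inputs.conf matches the port in the OSSEC syslog_output block and that the stanza sets sourcetype to ossec. The following added example (not part of the Splunk documentation or the add-on) checks both offline against constructed sample copies of ossec.conf and inputs.conf; the sample IP, port and file contents are made up.

```python
import configparser
import xml.etree.ElementTree as ET

# Constructed sample OSSEC config: the syslog_output block that forwards alerts.
OSSEC_CONF = """<ossec_config>
  <syslog_output>
    <server>10.0.0.5</server>
    <port>10514</port>
    <format>default</format>
  </syslog_output>
</ossec_config>"""

# Constructed sample Splunk inputs.conf with one UDP stanza per listener.
INPUTS_CONF = """[udp://10514]
sourcetype = ossec
connection_host = ip

[udp://1514]
sourcetype = syslog
"""

def ossec_syslog_ports(conf_xml):
    """Return the UDP ports OSSEC forwards alerts to (514 when <port> is omitted)."""
    # ossec.conf may hold several top-level <ossec_config> blocks, so wrap it
    # in one root element before parsing.
    root = ET.fromstring("<root>" + conf_xml + "</root>")
    ports = []
    for out in root.iter("syslog_output"):
        port = out.findtext("port")
        ports.append(int(port) if port else 514)
    return ports

def splunk_udp_sourcetypes(inputs_text):
    """Map each UDP port in inputs.conf to its sourcetype (None when unset)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inputs_text)
    result = {}
    for section in cp.sections():
        if not section.startswith("udp://"):
            continue
        # Stanza may be [udp://port] or [udp://host:port]; the port is last.
        port = int(section[len("udp://"):].rsplit(":", 1)[-1])
        result[port] = cp[section].get("sourcetype")
    return result

def check_alignment(conf_xml, inputs_text):
    """List mismatches; empty when every OSSEC port has a UDP input tagged
    sourcetype=ossec, which the add-on's CIM mapping and dashboards need."""
    problems = []
    listeners = splunk_udp_sourcetypes(inputs_text)
    for port in ossec_syslog_ports(conf_xml):
        if port not in listeners:
            problems.append(f"no UDP input on port {port}")
        elif listeners[port] != "ossec":
            problems.append(f"port {port} has sourcetype {listeners[port]!r}, expected 'ossec'")
    return problems

if __name__ == "__main__":
    for line in check_alignment(OSSEC_CONF, INPUTS_CONF) or ["inputs match OSSEC config"]:
        print(line)
```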

Last modified on 23 September, 2016

This documentation applies to the following versions of Splunk® Supported Add-ons: released
