Configure inputs for the Splunk Add-on for OSSEC
The Splunk Add-on for OSSEC handles inputs through UDP. Match the input configuration in your Splunk platform's data collection node to the port that you configured in your OSSEC configuration file. If you have not yet done this, follow the instructions in "Configure your OSSEC server to send data to the Splunk Add-on for OSSEC".
On the Splunk platform node that handles data collection, configure a UDP input on the same port you set in OSSEC and set the source type to ossec. The CIM mapping and the dashboard panels depend on this exact source type.
For information on how to configure a Splunk forwarder or single-instance to receive a syslog input, see "Get data from TCP and UDP ports" in the Getting Data In manual. Once you have configured the input, run this search to check that you are ingesting the data that you expect.
sourcetype = ossec
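The following inputs.conf stanza is an added example of the UDP input described above; it is not taken from the Splunk documentation or from the add-on itself. The port (514), the index name (ossec) and the OSSEC server address in the comment are assumptions: use the port value from the syslog_output block of your own ossec.conf.

```ini
# inputs.conf on the Splunk data-collection node (indexer or heavy forwarder).
# Added example, not from the Splunk docs. Port 514 and index "ossec" are
# assumed placeholders; the port must equal the <port> you configured inside
# <syslog_output> in ossec.conf.
[udp://514]
sourcetype = ossec
index = ossec
# Record the sending host by IP rather than by reverse DNS lookup.
connection_host = ip
# Optional: keep the datagram as OSSEC sent it, without a Splunk-prepended
# timestamp and host.
no_appending_timestamp = true

# Tighter alternative (assumed address): accept only datagrams from the OSSEC
# server itself instead of from any host. Use one stanza or the other, not both.
# [udp://192.0.2.10:514]
# sourcetype = ossec
# index = ossec
# connection_host = ip
```

After restarting the Splunk instance (or reloading inputs), run the search `sourcetype=ossec` as the page describes; if it returns nothing, confirm that the port in the stanza matches the OSSEC syslog_output port and that UDP traffic on that port is allowed between the OSSEC server and the collection node.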