Splunk Add-on for OSSEC

Lookups for the Splunk Add-on for OSSEC

Action lookup

The action lookup maps the signature_id field to CIM-compliant action, status, and change_type values.

  • File location: $SPLUNK_HOME/etc/apps/Splunk_TA_ossec/lookups/ossec_action_lookup.csv
  • Lookup fields: signature_id,action,status,change_type
  • Lookup sample contents:
    signature_id,action,status,change_type
    550,modified,success,filesystem
    551,modified,success,filesystem
    552,modified,success,filesystem
    553,deleted,success,filesystem
    554,created,success,filesystem
    555,modified,success,filesystem
    580,modified,success,filesystem
    581,created,success,filesystem
    591,modified,success,filesystem
    592,modified,success,filesystem
    593,deleted,success,filesystem
    594,modified,success,filesystem
    595,modified,success,filesystem
    596,modified,success,filesystem
    597,deleted,success,filesystem
    598,created,success,filesystem
    5303,success,,authentication
    5304,success,,authentication
    5402,success,,authentication
    5503,failure,,authentication
    5715,success,,authentication
    5716,failure,,authentication
    18107,success,,authentication
    18149,success,,authentication
    

Object category lookup

The object category lookup maps the signature_id field to a CIM-compliant object_category value.

  • File location: $SPLUNK_HOME/etc/apps/Splunk_TA_ossec/lookups/ossec_object_category_lookup.csv
  • Lookup fields: signature_id,object_category
  • Lookup sample contents:
    signature_id,object_category
    550,file
    551,file
    552,file
    553,file
    554,file
    555,host_info
    580,host_info
    581,host_info
    591,file
    592,file
    593,win_event_log
    594,registry
    595,registry
    596,registry
    597,registry
    598,registry
    

Severities lookup

The severities lookup maps the severity_id field to a CIM-compliant severity value.

  • File location: $SPLUNK_HOME/etc/apps/Splunk_TA_ossec/lookups/ossec_severities_lookup.csv
  • Lookup fields: severity_id,severity
  • Lookup sample contents:
    severity_id,severity
    0,informational
    1,informational
    2,informational
    3,informational
    4,low
    5,low
    6,low
    7,low
    8,low
    9,medium
    10,medium
    11,medium
    12,high
    13,high
    14,high
    15,critical
    
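As an added example that is not part of the Splunk documentation or the add-on, the following Python reproduces what these three lookups do to an event outside Splunk, which is useful for checking a locally edited lookup file before deploying it. The CSV excerpts and the OSSEC events are constructed from the sample contents above; the handling of blank cells and of unknown ids is this example's own choice, not a statement about Splunk's lookup engine.

```python
import csv
import io

# Constructed excerpts of the three lookup files documented on this page.
ACTION_CSV = """signature_id,action,status,change_type
550,modified,success,filesystem
553,deleted,success,filesystem
5503,failure,,authentication
5715,success,,authentication
"""
OBJECT_CATEGORY_CSV = """signature_id,object_category
550,file
553,file
594,registry
"""
SEVERITIES_CSV = """severity_id,severity
3,informational
7,low
10,medium
13,high
15,critical
"""


def load_lookup(text, key):
    """Parse a lookup CSV into {key_value: {output_field: value}}.
    Blank cells are dropped so they never overwrite a field the event already has."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        k = row.pop(key)
        table[k] = {field: value for field, value in row.items() if value}
    return table


ACTION = load_lookup(ACTION_CSV, "signature_id")
OBJECT_CATEGORY = load_lookup(OBJECT_CATEGORY_CSV, "signature_id")
SEVERITY = load_lookup(SEVERITIES_CSV, "severity_id")


def enrich(event):
    """Apply all three lookups to a parsed OSSEC event and return a new dict.
    An id with no lookup row adds nothing, so CIM fields are simply absent."""
    out = dict(event)
    sid = str(event.get("signature_id", ""))
    out.update(ACTION.get(sid, {}))
    out.update(OBJECT_CATEGORY.get(sid, {}))
    out.update(SEVERITY.get(str(event.get("severity_id", "")), {}))
    return out
```

Running enrich over a sample of real events and counting how many come back without a severity or action is a quick way to spot signature ids the lookups do not yet cover.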
Last modified on 30 August, 2018

This documentation applies to the following versions of Splunk® Supported Add-ons: released
