Configure your OSSEC server to send data to the Splunk Add-on for OSSEC
To enable the Splunk Add-on for OSSEC to collect data from your OSSEC server, you need to configure your OSSEC server to produce syslog output and push it to the data collection node of your Splunk platform installation, usually a universal forwarder. For more detailed information, see the OSSEC documentation: http://ossec-docs.readthedocs.org/en/latest/manual/output/syslog-output.html#enabling-syslog-output.
1. Navigate to the
etc folder in your OSSEC installation directory. For example,
2. Open your OSSEC configuration file,
3. Add the following code to the end of the file.
<syslog_output> <server></server> <port></port> <format></format> </syslog_output>
4. Inside the
<server> tags, enter the IP address of the data collection node of your Splunk platform installation, usually a universal forwarder.
5. Inside the
<port> tags, enter the UDP port number listening for data. The default is 9521.
6. Inside the
<format> tags, enter
Note: Splunk recommends sending syslog data in the default format rather than the "splunk" format, because the Splunk Add-on for OSSEC is designed to recognize and map more data from the default format. Using the splunk format for syslog data is also supported for most event data, but authentication events cannot be mapped to the CIM using this format. The add-on does not support CEF and json formats for any OSSEC data.
7. Save the file.
8. Restart OSSEC.
Next, configure your data collection node to receive data on the matching port configured in your OSSEC configuration file.
Upgrade the Splunk Add-on for OSSEC
Configure inputs for the Splunk Add-on for OSSEC
This documentation applies to the following versions of Splunk® Supported Add-ons: released