Splunk® Supported Add-ons

Splunk Add-on for OSSEC


Configure your OSSEC server to send data to the Splunk Add-on for OSSEC

To enable the Splunk Add-on for OSSEC to collect data from your OSSEC server, you need to configure your OSSEC server to produce syslog output and push it to the data collection node of your Splunk platform installation, usually a universal forwarder. For more detailed information, see the OSSEC documentation: http://ossec-docs.readthedocs.org/en/latest/manual/output/syslog-output.html#enabling-syslog-output.

1. Navigate to the etc folder in your OSSEC installation directory. For example, /var/ossec/etc.

2. Open your OSSEC configuration file, ossec.conf.

3. Add the following block to the end of the file. The <syslog_output> element must sit inside an <ossec_config> element, and ossec.conf ends with a closing </ossec_config> tag, so the block below carries its own wrapper; OSSEC reads every <ossec_config> element in the file. Alternatively, place the <syslog_output> element inside the existing <ossec_config> element.

<ossec_config>
  <syslog_output>
    <server></server>
    <port></port>
    <format></format>
  </syslog_output>
</ossec_config>

4. Inside the <server> tags, enter the IP address of the data collection node of your Splunk platform installation, usually a universal forwarder.

5. Inside the <port> tags, enter the UDP port number on which the data collection node listens. The inputs of the Splunk Add-on for OSSEC default to 9521; if you omit the <port> element, OSSEC sends to 514. OSSEC sends this output over UDP in clear text, so keep the forwarder on a trusted network segment (or install the forwarder on the OSSEC server itself and use 127.0.0.1 as the server address) and restrict the listening port with a host firewall to the address of the OSSEC server.

6. Inside the <format> tags, enter default.

Note: Splunk recommends sending syslog data in the default format rather than the "splunk" format, because the Splunk Add-on for OSSEC is designed to recognize and map more data from the default format. Using the splunk format is also supported for most event data, but authentication events cannot be mapped to the CIM in that format. The add-on does not support the CEF and JSON formats for any OSSEC data, even though OSSEC itself can produce them.

7. Save the file.

8. Enable the syslog client and restart OSSEC. The process that produces the syslog output, ossec-csyslogd, is disabled by default, so a restart alone does not send anything: run /var/ossec/bin/ossec-control enable client-syslog and then /var/ossec/bin/ossec-control restart, and confirm that ossec-csyslogd appears in the output of /var/ossec/bin/ossec-control status.
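As an added example (not code from the Splunk or OSSEC documentation), the following POSIX shell script carries out steps 1 to 8 above as one repeatable change on the OSSEC server: it renders the <syslog_output> block for your forwarder, appends it to ossec.conf only when an equivalent block is not already there, rejects the cef and json formats the add-on does not support, and verifies the result. The path /var/ossec/etc/ossec.conf, the forwarder address 192.0.2.10 and the --apply switch are assumptions for illustration; the enable and restart commands it prints are the ones from the OSSEC documentation linked above.

```shell
#!/bin/sh
# Added example: append an OSSEC <syslog_output> block that targets the
# Splunk data collection node, idempotently, and verify the change.
# The defaults below are assumed values for illustration; override them
# in the environment before running with --apply.
OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"   # assumed install path
SPLUNK_HOST="${SPLUNK_HOST:-192.0.2.10}"                 # assumed forwarder address
SYSLOG_PORT="${SYSLOG_PORT:-9521}"                       # add-on input default
SYSLOG_FORMAT="${SYSLOG_FORMAT:-default}"                # default or splunk

# Render the fragment. It carries its own <ossec_config> wrapper so it can
# be appended after the closing tag already at the end of ossec.conf.
render_syslog_output() {
  printf '%s\n' \
    "<ossec_config>" \
    "  <syslog_output>" \
    "    <server>$1</server>" \
    "    <port>$2</port>" \
    "    <format>$3</format>" \
    "  </syslog_output>" \
    "</ossec_config>"
}

# Print "ok" if the file already holds a <syslog_output> block with this
# server, port and format, otherwise "missing".
verify_syslog_output() {
  conf="$1"; host="$2"; port="$3"; fmt="$4"
  block=$(sed -n '/<syslog_output>/,/<\/syslog_output>/p' "$conf")
  case "$block" in
    *"<server>$host</server>"*"<port>$port</port>"*"<format>$fmt</format>"*)
      echo ok ;;
    *)
      echo missing ;;
  esac
}

# Append the fragment unless an equivalent block is present.
# Returns 0 when added, 1 when already present, 2 for a format the
# Splunk Add-on for OSSEC cannot parse (cef, json).
add_syslog_output() {
  conf="$1"; host="$2"; port="$3"; fmt="$4"
  case "$fmt" in
    default|splunk) ;;
    *) echo "unsupported format '$fmt': use default or splunk" >&2; return 2 ;;
  esac
  if [ "$(verify_syslog_output "$conf" "$host" "$port" "$fmt")" = ok ]; then
    return 1
  fi
  render_syslog_output "$host" "$port" "$fmt" >> "$conf"
  return 0
}

# Only touch the real configuration when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
  if add_syslog_output "$OSSEC_CONF" "$SPLUNK_HOST" "$SYSLOG_PORT" "$SYSLOG_FORMAT"; then
    echo "added syslog_output for $SPLUNK_HOST:$SYSLOG_PORT ($SYSLOG_FORMAT) to $OSSEC_CONF"
  fi
  echo "now run: /var/ossec/bin/ossec-control enable client-syslog && /var/ossec/bin/ossec-control restart"
fi
```

Run it as `SPLUNK_HOST=10.1.2.3 sh configure-ossec-syslog.sh --apply` on the OSSEC server; a second run with the same values leaves ossec.conf unchanged, so it is safe to include in a configuration management task. The script checks only that the expected block is present, not that the forwarder is reachable; confirm receipt on the data collection node after the restart.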

Next, configure your data collection node to receive data on the matching port configured in your OSSEC configuration file.

Last modified on 23 September, 2016

This documentation applies to the following versions of Splunk® Supported Add-ons: released

