Splunk® Supported Add-ons

Splunk Add-on for OSSEC

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Configure your OSSEC server to send data to the Splunk Add-on for OSSEC

To enable the Splunk Add-on for OSSEC to collect data from your OSSEC server, you need to configure your OSSEC server to produce syslog output and push it to the data collection node of your Splunk platform installation, usually a universal forwarder. For more detailed information, see the OSSEC documentation: https://www.ossec.net/docs/docs/manual/output/syslog-output.html.

1. Navigate to the etc folder in your OSSEC installation directory. For example, /var/ossec/etc.

2. Open your OSSEC configuration file, ossec.conf.

3. Add the following code to the end of the file.

<syslog_output>
  <server></server>
  <port></port>
  <format></format>
</syslog_output>

4. Inside the <server> tags, enter the IP address of the data collection node of your Splunk platform installation, usually a universal forwarder.

5. Inside the <port> tags, enter the UDP port number listening for data. The default is 9521.

6. Inside the <format> tags, enter default.

Note: Splunk recommends sending syslog data in the default format rather than the "splunk" format, because the Splunk Add-on for OSSEC is designed to recognize and map more data from the default format. Using the splunk format for syslog data is also supported for most event data, but authentication events cannot be mapped to the CIM using this format. The add-on does not support CEF and json formats for any OSSEC data.

7. Save the file.

8. Restart OSSEC.

Next, configure your data collection node to receive data on the matching port configured in your OSSEC configuration file.

Last modified on 21 July, 2021
PREVIOUS
Install the Splunk Add-on for OSSEC
  NEXT
Configure inputs using Splunk Connect for Syslog

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters