Splunk® Supported Add-ons

Splunk Add-on for OSSEC

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Source types for the Splunk Add-on for OSSEC

The Splunk Add-on for OSSEC expects the source type ossec for all incoming alert event data. The add-on currently supports data from the following sources:

  • File Integrity Management (FIM) data
  • FTP data
  • su data
  • ssh data
  • Windows data, including audit and logon information

The following event types map the OSSEC data to the Splunk Common Information Model.

Source type Event type Description CIM data models
ossec ossec_alert All OSSEC data collected with this add-on maps to this event type.
ossec_file_integrity_monitoring OSSEC data with the field change_type set to "filesystem".
ossec_authentication OSSEC data with the field change_type set to "authentication". Authentication
ossec_alert_tagged Ossec rule id "11","501","504","510","512","533","555","1002","2502","5706" are mapped to this eventtype Alerts
ossec_endpoint_file_integrity_monitoring Ossec rule id "550","551","552","553","554","594","595","596" are mapped to this eventtype Endpoint
ossec_endpoint_service Ossec rule id "502","18103","18147" are mapped to this eventtype Endpoint
ossec_audit_change Ossec rules id "593","18145","2932","2933","2934","5303","5304","5555","5901","5902" are mapped to this event type Change
ossec_network_session_start Ossec rule id "11201" is mapped to this eventtype Network Sessions
ossec_network_session_end Ossec rule id "18153" & "18105" are mapped to this eventtype Endpoint
ossec_change Ossec rule ids "580","581","592" are mapped to this eventtype Change
ossec_authentication_privileged Ossec rule ids "5302","5403","5501" are mapped to this eventtype Authentication
Last modified on 21 July, 2021
PREVIOUS
Lookups for the Splunk Add-on for OSSEC
  NEXT
Troubleshoot the Splunk Add-on for OSSEC

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters