Source types for the Splunk Add-on for OSSEC
The Splunk Add-on for OSSEC expects the source type ossec for all incoming alert event data. The add-on currently supports data from the following sources:
- File integrity monitoring (FIM) data
- FTP data
- su data
- ssh data
- Windows data, including audit and logon information
The following event types map the OSSEC data to the Splunk Common Information Model (CIM). Every event is tagged with the ossec_alert event type; the remaining event types are assigned by the change_type field or by the OSSEC rule ID.
Source type | Event type | Description | CIM data models |
---|---|---|---|
ossec | ossec_alert | All OSSEC data collected with this add-on maps to this event type. | |
ossec | ossec_file_integrity_monitoring | OSSEC data with the field change_type set to "filesystem". | |
ossec | ossec_authentication | OSSEC data with the field change_type set to "authentication". | Authentication |
ossec | ossec_alert_tagged | OSSEC rule IDs 11, 501, 504, 510, 512, 533, 555, 1002, 2502 and 5706 are mapped to this event type. | Alerts |
ossec | ossec_endpoint_file_integrity_monitoring | OSSEC rule IDs 550, 551, 552, 553, 554, 594, 595 and 596 are mapped to this event type. | Endpoint |
ossec | ossec_endpoint_service | OSSEC rule IDs 502, 18103 and 18147 are mapped to this event type. | Endpoint |
ossec | ossec_audit_change | OSSEC rule IDs 593, 18145, 2932, 2933, 2934, 5303, 5304, 5555, 5901 and 5902 are mapped to this event type. | Change |
ossec | ossec_network_session_start | OSSEC rule ID 11201 is mapped to this event type. | Network Sessions |
ossec | ossec_network_session_end | OSSEC rule IDs 18153 and 18105 are mapped to this event type. | Endpoint |
ossec | ossec_change | OSSEC rule IDs 580, 581 and 592 are mapped to this event type. | Change |
ossec | ossec_authentication_privileged | OSSEC rule IDs 5302, 5403 and 5501 are mapped to this event type. | Authentication |
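The following is an added example, not code from the add-on or from Splunk, that shows what the rule-ID mapping in the table means for a concrete alert: it parses a few constructed records in the OSSEC alerts.log text format (the "** Alert" header, the "Rule:" line), assigns the event types from the table (ossec_alert for everything, plus the rule-ID-based event type), resolves the CIM data model, and checks that no rule ID is listed under two event types. The alerts.log parsing and the sample alerts are assumptions for illustration; the two change_type-based event types (ossec_file_integrity_monitoring, ossec_authentication) are not reproduced because the page does not state how change_type is derived from the raw alert.

```python
"""Classify OSSEC alerts into the Splunk Add-on for OSSEC event types.

Added example: the rule-ID/event-type/data-model mapping is copied from the
table above; the alerts.log parsing and the sample alerts are constructed for
illustration and are not the add-on's own extractions.
"""
import re
from dataclasses import dataclass, field

# Event types keyed by OSSEC rule ID, as listed in the table above.
RULE_EVENTTYPES = {
    "ossec_alert_tagged": {"11", "501", "504", "510", "512", "533", "555", "1002", "2502", "5706"},
    "ossec_endpoint_file_integrity_monitoring": {"550", "551", "552", "553", "554", "594", "595", "596"},
    "ossec_endpoint_service": {"502", "18103", "18147"},
    "ossec_audit_change": {"593", "18145", "2932", "2933", "2934", "5303", "5304", "5555", "5901", "5902"},
    "ossec_network_session_start": {"11201"},
    "ossec_network_session_end": {"18153", "18105"},
    "ossec_change": {"580", "581", "592"},
    "ossec_authentication_privileged": {"5302", "5403", "5501"},
}

# CIM data model fed by each rule-based event type, as listed in the table above.
CIM_MODELS = {
    "ossec_alert_tagged": "Alerts",
    "ossec_endpoint_file_integrity_monitoring": "Endpoint",
    "ossec_endpoint_service": "Endpoint",
    "ossec_audit_change": "Change",
    "ossec_network_session_start": "Network Sessions",
    "ossec_network_session_end": "Endpoint",
    "ossec_change": "Change",
    "ossec_authentication_privileged": "Authentication",
}

# Assumed alerts.log layout: "** Alert <ts>: [mail ]- group1,group2," then a "Rule:" line.
ALERT_HEADER = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+): (?:mail +)?- (?P<groups>.*?),?$")
RULE_LINE = re.compile(r"^Rule: (?P<rule_id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


@dataclass
class OssecAlert:
    rule_id: str
    level: int
    description: str
    groups: list
    eventtypes: list = field(default_factory=list)
    cim_models: list = field(default_factory=list)


def parse_alerts(text):
    """Split an alerts.log dump into blank-line-separated records and extract rule ID, level, groups."""
    alerts = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = record.splitlines()
        header = ALERT_HEADER.match(lines[0])
        rule = next((RULE_LINE.match(l) for l in lines if l.startswith("Rule: ")), None)
        if not header or not rule:
            continue  # not a well-formed alert record; skip rather than guess a rule ID
        alerts.append(OssecAlert(
            rule_id=rule["rule_id"],
            level=int(rule["level"]),
            description=rule["desc"],
            groups=[g for g in header["groups"].split(",") if g],
        ))
    return alerts


def classify(alert):
    """Every alert is ossec_alert; add the rule-ID event type and its CIM model from the table."""
    alert.eventtypes = ["ossec_alert"]
    for eventtype, rule_ids in RULE_EVENTTYPES.items():
        if alert.rule_id in rule_ids:
            alert.eventtypes.append(eventtype)
    alert.cim_models = sorted({CIM_MODELS[e] for e in alert.eventtypes if e in CIM_MODELS})
    return alert


def overlapping_rule_ids():
    """Rule IDs listed under more than one event type; empty for the table above."""
    seen = {}
    for eventtype, rule_ids in RULE_EVENTTYPES.items():
        for rid in rule_ids:
            seen.setdefault(rid, []).append(eventtype)
    return {rid: ets for rid, ets in seen.items() if len(ets) > 1}


# Constructed sample records (not real captured data): a privileged login, a
# syscheck change, and an alert whose rule ID the table does not map.
SAMPLE_ALERTS = """\
** Alert 1390185947.38876: - pam,syslog,authentication_success,
2014 Jan 19 20:05:47 (web01) 192.168.1.10->/var/log/auth.log
Rule: 5501 (level 3) -> 'Login session opened.'
Jan 19 20:05:47 web01 sshd[1234]: pam_unix(sshd:session): session opened for user root by (uid=0)

** Alert 1390186001.38901: mail  - ossec,syscheck,
2014 Jan 19 20:06:41 (web01) 192.168.1.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'

** Alert 1390186100.38950: - syslog,sshd,
2014 Jan 19 20:08:20 (web01) 192.168.1.10->/var/log/auth.log
Rule: 5702 (level 5) -> 'Reverse lookup error (bad ISP or attack).'
Jan 19 20:08:20 web01 sshd[1300]: reverse mapping checking getaddrinfo failed
"""


def classify_sample():
    """Parse and classify the constructed sample alerts."""
    return [classify(a) for a in parse_alerts(SAMPLE_ALERTS)]


if __name__ == "__main__":
    for a in classify_sample():
        print(a.rule_id, a.eventtypes, a.cim_models)
    print("overlapping rule IDs:", overlapping_rule_ids())
```

Running the block prints one line per sample alert: rule 5501 lands in ossec_alert and ossec_authentication_privileged (Authentication model), rule 550 in ossec_alert and ossec_endpoint_file_integrity_monitoring (Endpoint model), and rule 5702 only in ossec_alert with no data model. The overlap check is worth keeping when you extend the rule lists locally, since a rule ID listed under two event types with different data models would populate both models from one event.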