https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-OSSEC-Is-there-a-way-with-OSSEC-to-monitor/m-p/261205#M30104 <P>Hello,</P> <P>Is there a way with OSSEC to monitor when software is being installed?</P> Fri, 02 Dec 2016 08:02:54 GMT nickbijmoer 2016-12-02T08:02:54Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-OSSEC-Is-there-a-way-with-OSSEC-to-monitor/m-p/261205#M30104 <P>Hello,</P> <P>Is there a way with OSSEC to monitor when software is being installed?</P> Fri, 02 Dec 2016 08:02:54 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-OSSEC-Is-there-a-way-with-OSSEC-to-monitor/m-p/261205#M30104 nickbijmoer 2016-12-02T08:02:54Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-OSSEC-Is-there-a-way-with-OSSEC-to-monitor/m-p/261206#M30105 <P>@nickbijmoer - Are you using the <A href="https://splunkbase.splunk.com/app/2808/">Splunk Add-on for OSSEC</A>? I just want to make sure your post is tagged correctly. Thank you.</P> Fri, 02 Dec 2016 23:55:33 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-OSSEC-Is-there-a-way-with-OSSEC-to-monitor/m-p/261206#M30105 aaraneta_splunk 2016-12-02T23:55:33Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-OSSEC-Is-there-a-way-with-OSSEC-to-monitor/m-p/261207#M30106 <P>@aaraneta, Yes I use the splunk add-on for ossec. </P> Mon, 05 Dec 2016 08:29:14 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-OSSEC-Is-there-a-way-with-OSSEC-to-monitor/m-p/261207#M30106 nickbijmoer 2016-12-05T08:29:14Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-OSSEC-Is-there-a-way-with-OSSEC-to-monitor/m-p/261208#M30107 <P>If you are looking to integrate w ES, the ossec_file_integrity_monitoring source type maps to change analysis and the ossec_alert maps to alert data model. </P> <P>You could adapt some of the existing correlation searches that use change analysis to fit this need or use the guided search to build a correlation search. You will want to think about how often you want to be alerted to these changes and if there is a certain threshold you would want to set. </P> Tue, 29 Sep 2020 11:58:40 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-OSSEC-Is-there-a-way-with-OSSEC-to-monitor/m-p/261208#M30107 jstoner_splunk 2020-09-29T11:58:40Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-OSSEC-Is-there-a-way-with-OSSEC-to-monitor/m-p/261209#M30108 <P>Im trying to integrate it in Splunk enterprise, since we dont have enterprise security here, is it also possible on enterprise edition?</P> Tue, 06 Dec 2016 08:46:13 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-OSSEC-Is-there-a-way-with-OSSEC-to-monitor/m-p/261209#M30108 nickbijmoer 2016-12-06T08:46:13Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-OSSEC-Is-there-a-way-with-OSSEC-to-monitor/m-p/261210#M30109 <P>Yes. You can use the common information model and and the associated TA on splunkbase <A href="https://splunkbase.splunk.com/app/2808/">https://splunkbase.splunk.com/app/2808/</A> and build a datamodel search using the change analysis data model or you can just take the ossec data in and then build some searches based on what you see.</P> Tue, 06 Dec 2016 15:00:39 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-OSSEC-Is-there-a-way-with-OSSEC-to-monitor/m-p/261210#M30109 jstoner_splunk 2016-12-06T15:00:39Z