All Apps and Add-ons

Can "Splunk Add-on for OSSEC" and "Reporting and Management for OSSEC" App work together?



We are using Splunk to Index OSSEC data by monitoring the alerts.log file which is also on the same server. Till now, we were using the "Reporting and Management for OSSEC" app and thus, sourcetype was set to "ossec_alerts".

Since this App is not CIM compatible, we had to install "Splunk Add-on for OSSEC" Add-on and change the sourcetype to "ossec". After this change, we lost all the original fields which were getting extracted based on the App. When we checked the transforms and props configuration file for the App, it has rules to account for both sourcetypes, which means after this change in sourcetype(from ossec_alerts -> ossec), both the App and the Add-on should function.

Has anyone else here worked with both App and add-on together? Are there further changes required so that both can see the data correctly and extract appropriate fields accordingly?

Our eventual goal is to have OSSEC data being used into Enterprise Security app, which is the reason "Splunk Add-on for OSSEC" has been installed.


~ Abhi

0 Karma

Splunk Employee
Splunk Employee

If the goal is to use the OSSEC data as part of ES, what does the App give you that the add-on doesnt? Add-on is CIM compatible and renaming the sourcetypes would break add-on knowledge extraction.
Sorry cant speak for the app but just wondering about the above.

0 Karma


Main reason for using the APP are the built-in transforms and extractions for the OSSEC data, e.g. Signature, reporting_host. These did not work with the Add-on and a lot of our custom dashboards are built upon these fields.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!