We are using Splunk to Index OSSEC data by monitoring the alerts.log file which is also on the same server. Till now, we were using the "Reporting and Management for OSSEC" app and thus, sourcetype was set to "ossec_alerts".
Since this App is not CIM compatible, we had to install "Splunk Add-on for OSSEC" Add-on and change the sourcetype to "ossec". After this change, we lost all the original fields which were getting extracted based on the App. When we checked the transforms and props configuration file for the App, it has rules to account for both sourcetypes, which means after this change in sourcetype(from ossec_alerts -> ossec), both the App and the Add-on should function.
Has anyone else here worked with both App and add-on together? Are there further changes required so that both can see the data correctly and extract appropriate fields accordingly?
Our eventual goal is to have OSSEC data being used into Enterprise Security app, which is the reason "Splunk Add-on for OSSEC" has been installed.
If the goal is to use the OSSEC data as part of ES, what does the App give you that the add-on doesnt? Add-on is CIM compatible and renaming the sourcetypes would break add-on knowledge extraction.
Sorry cant speak for the app but just wondering about the above.
Main reason for using the APP are the built-in transforms and extractions for the OSSEC data, e.g. Signature, reporting_host. These did not work with the Add-on and a lot of our custom dashboards are built upon these fields.