
Can "Splunk Add-on for OSSEC" and "Reporting and Management for OSSEC" App work together?

att35
Builder

Hi,

We are using Splunk to index OSSEC data by monitoring the alerts.log file, which is also on the same server. Until now, we were using the "Reporting and Management for OSSEC" app and thus the sourcetype was set to "ossec_alerts".

Since this App is not CIM compatible, we had to install the "Splunk Add-on for OSSEC" add-on and change the sourcetype to "ossec". After this change, we lost all the original fields which were getting extracted based on the App. When we checked the transforms and props configuration files for the App, they have rules to account for both sourcetypes, which means that after this change in sourcetype (from ossec_alerts -> ossec), both the App and the Add-on should function.

Has anyone else here worked with both App and add-on together? Are there further changes required so that both can see the data correctly and extract appropriate fields accordingly?

Our eventual goal is to have OSSEC data being used into Enterprise Security app, which is the reason "Splunk Add-on for OSSEC" has been installed.

Thanks,

~ Abhi

0 Karma

ehaddad_splunk
Splunk Employee

Hi,
If the goal is to use the OSSEC data as part of ES, what does the App give you that the add-on doesn't? The Add-on is CIM compatible, and renaming the sourcetypes would break the add-on's knowledge extraction.
Sorry, I can't speak for the app, but I was just wondering about the above.

0 Karma

att35
Builder

The main reason for using the App is the built-in transforms and extractions for the OSSEC data, e.g. Signature, reporting_host. These did not work with the Add-on, and a lot of our custom dashboards are built upon these fields.

0 Karma
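One way to let both apps keep extracting fields without renaming the sourcetype again, as an added example that is not from this thread, the App, or the Add-on: a local props.conf that points the "ossec" sourcetype at the same transforms stanza the App already uses for "ossec_alerts". The stanza name `ossec_app_fields` and the regex below are placeholders modelled on the `Rule: <id> (level <n>) -> '<text>'` line of an OSSEC alert; the real names come from the App's own default/transforms.conf.

```ini
# local/props.conf (in the App's local/ directory or a small separate app on the search head)
# Both sourcetypes reference the same extraction stanza, so dashboards that rely on
# Signature / reporting_host keep working whether events arrive as "ossec_alerts" or "ossec".
[ossec_alerts]
REPORT-ossec_app_fields = ossec_app_fields

[ossec]
# Added stanza: the Add-on's own [ossec] settings in its default/props.conf still apply
# (Splunk merges stanzas across apps); this only layers the App's extractions on top.
REPORT-ossec_app_fields = ossec_app_fields

# local/transforms.conf
# Hypothetical stanza: replace REGEX with the App's real extraction for these fields.
[ossec_app_fields]
REGEX = Rule:\s+(?<rule_id>\d+)\s+\(level\s+(?<level>\d+)\)\s+->\s+'(?<Signature>[^']+)'
```

After restarting or reloading, `$SPLUNK_HOME/bin/splunk btool props list ossec --debug` shows every setting merged into the "ossec" stanza together with the file each one comes from, which makes it easy to confirm that both the Add-on's and the App's extractions are in effect.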