How to configure the Wazuh app to get data into Sp...

TheBeaker · ‎08-16-2018

We have just started testing out Wazuh in our lab, and wanted to get that data Splunk'd.

It looks like the Wazuh App has a configuration entry for the Wazuh manager's API credentials. But the guide also states that a Forwarder be installed on the Wazuh manager:

https://documentation.wazuh.com/current/installation-guide/installing-splunk/splunk_forwarder.html

That seems redundant. Before I tear apart the bits to see how it works, can somebody clear this up for me?

Thanks!

wazuh · ‎03-18-2019

Hello @TheBeaker,

It's needed to set up data forwarding and also a connection with the Wazuh API in order to the app can work properly. This is because the app currently works with two data sources. From the app, you can:

Visualize Wazuh indexed data and perform searches, so it's necessary to forward the alerts from the Wazuh manager to Splunk.
Get information and make use of the Wazuh API functionalities. For instance, get information about your cluster status, manage and configure your configuration groups and much more features in 'real time' are done just by requesting to the Wazuh API.

I hope that helps, you can join to the mailing list: https://groups.google.com/forum/#!forum/wazuh
or join to our community Slack channel: https://wazuh.com/community/join-us-on-slack/
Also, you can open an issue in our app repository: https://github.com/wazuh/wazuh-splunk.

Regards

rtrioux · ‎03-18-2019

Please read my question again. I think you may have answered someone else's question by accident, as it has nothing to do with my post. Thanks!

wazuh · ‎03-19-2019

Got it! The answer was just edited.

How to configure the Wazuh app to get data into Splunk?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM