OSSEC App - What are the next steps to configure Splunk forwarder?

splunk_worker
Path Finder

This is the first time I'm going to use the OSSEC App: http://apps.splunk.com/app/300/ . I didn't find the CLEAN STEPS for configuring the App to get data from a Splunk forwarder installed on the OSSEC log source machine (it may not be the OSSEC server itself; this is a syslog aggregator).

  1. I have installed the splunk forwarder on syslog aggregator machine.
  2. Configured forwarder outputs.conf to send to indexer. I can see the _internal logs of forwarder in Indexer/SH machine. So the communication is setup.
  3. Install OSSEC App on Indexer/SH.

What are the next steps to configure the Splunk forwarder to send the data from log path say path1 to Indexer/SH?

I'm not finding:
1. clear steps to make it work, like step-1, step-2, step-3 ... step-n
2. There doesn't seem to be a TA (add-on) app for installing on the forwarder?

Kindly let me know if anyone has prepared the configuration steps to make OSSEC work.

DSA_KEY
Engager

You will need to create an inputs.conf to tell the Splunk forwarder where the OSSEC files to monitor are; you can actually copy the stanzas you need from the OSSEC app's inputs.conf.

For example, an OSSEC server will need these stanzas in an inputs.conf:

[monitor:///var/ossec/logs/alerts/alerts*]
disabled = 0
index = myindex
sourcetype = ossec_alerts

[monitor:///var/ossec/logs/ossec.log]
disabled = 0
index = myindex
sourcetype = ossec_log

[monitor:///var/ossec/logs/active-responses.log]
disabled = 0
index = myindex
sourcetype = ossec_ar

This will tie the sourcetypes of the files monitored to the OSSEC app installed on your search head or indexer.

For more information on inputs.conf check here:
http://docs.splunk.com/Documentation/Splunk/6.1.3/admin/Inputsconf

Typically this file is located in /SPLUNKINSTALL/etc/apps/APPLICATION/local
example: /opt/splunkforwarder/etc/apps/ossec_app/local/inputs.conf
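A small checker for the forwarder-side inputs.conf, added here as an example and not part of the answer or the OSSEC app: it parses the stanzas above and flags the mistakes that silently break the app's searches (an input left disabled, no index, or a sourcetype the app does not know). The sourcetype names come from the answer; the aggregator log path in the sample is a constructed placeholder.

```python
"""Validate OSSEC monitor stanzas in a Splunk forwarder inputs.conf (added example)."""
import configparser

# Sourcetypes the OSSEC app's searches key on, as listed in the answer above.
OSSEC_SOURCETYPES = {"ossec_alerts", "ossec_log", "ossec_ar"}

# Constructed sample: one correct stanza from the answer, one for a syslog
# aggregator path (placeholder path, missing sourcetype), one disabled with a typo.
SAMPLE_INPUTS_CONF = """
[monitor:///var/ossec/logs/alerts/alerts*]
disabled = 0
index = myindex
sourcetype = ossec_alerts

[monitor:///var/log/aggregator/ossec/alerts.log]
disabled = 0
index = myindex

[monitor:///var/ossec/logs/ossec.log]
disabled = 1
index = myindex
sourcetype = ossec_logs
"""

def parse_inputs_conf(text):
    """Return {stanza_name: {key: value}} for every stanza in an inputs.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def check_monitor_stanzas(stanzas):
    """Return (stanza, problem) pairs for monitor stanzas the OSSEC app cannot use."""
    problems = []
    for name, keys in stanzas.items():
        if not name.startswith("monitor://"):
            continue  # only file/directory monitors are checked here
        if keys.get("disabled", "0").lower() not in ("0", "false"):
            problems.append((name, "input is disabled"))
        if "index" not in keys:
            problems.append((name, "no index set; events go to the default index"))
        sourcetype = keys.get("sourcetype")
        if sourcetype is None:
            problems.append((name, "no sourcetype; OSSEC app searches will not match"))
        elif sourcetype not in OSSEC_SOURCETYPES:
            problems.append((name, f"unknown sourcetype {sourcetype!r}"))
    return problems

if __name__ == "__main__":
    for stanza, problem in check_monitor_stanzas(parse_inputs_conf(SAMPLE_INPUTS_CONF)):
        print(f"{stanza}: {problem}")
```

Point it at the forwarder's own file (e.g. the /opt/splunkforwarder/etc/apps/ossec_app/local/inputs.conf path from the answer) to catch these before restarting the forwarder.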
