Splunk isnt detecting my custom rule groups. Any idea how to fix it?
So far I figured out that by copying the parse_ossec_groups.py to the ossec server and running it, then copying the output csv back to the Splunk machine and restarting Splunk, resolved the issue.
Any more of an automated approach would be helpful. Obviously, this would have to be done each time a new custom rule group is created.
This is indeed the correct way to do it.
The app ships with the latest rule groups from the OSSEC distribution at the time of each app version release, but yes, you'll need to update it for local rule changes.
Did you have anything in particular in mind as a more automated approach?