All Apps and Add-ons

OSSEC Custom Rule Groups

BP9906
Builder

Splunk isnt detecting my custom rule groups. Any idea how to fix it?

0 Karma

BP9906
Builder

So far I figured out that by copying the parse_ossec_groups.py to the ossec server and running it, then copying the output csv back to the Splunk machine and restarting Splunk, resolved the issue.

Any more of an automated approach would be helpful. Obviously, this would have to be done each time a new custom rule group is created.

0 Karma

southeringtonp
Motivator

This is indeed the correct way to do it.

The app ships with the latest rule groups from the OSSEC distribution at the time of each app version release, but yes, you'll need to update it for local rule changes.

Did you have anything in particular in mind as a more automated approach?

0 Karma
Get Updates on the Splunk Community!

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...