All Apps and Add-ons

Splunk Add-on for OSSEC: Why are there missing files from add-on and where to find them?

davidschatz
New Member

The Splunk_TA_ossec files are missing from the Splunk Add-on for OSSEC:

splunk-add-on-for-ossec_401.tgz

Splunk documentation claims that they should be there for OSSEC dashboards:

 http://docs.splunk.com/Documentation/AddOns/released/OSSEC/Lookups

Anyone know where to find them?

Thanks.

0 Karma

davidschatz
New Member

Hi Hunter,

Thanks for your quick answer, and correct clarification.

My confusion was a result of there being TWO ossec config files:

1) ossec-hids-2.8.3.tar.gz -> installs ossec itself
2) splunk_add-on-for-ossec_401 -> installs Splunk_TA_ossec, for ossec/Splunk integration.

I had just missed the second one.

David

0 Karma

hunters_splunk
Splunk Employee
Splunk Employee

Hi David,

After you install the add-on, the lookup files can be found in the installation directory here;

$SPLUNK_HOME/etc/apps/Splunk_TA_ossec/lookups/

Hope it helps. Thanks!
Hunter

0 Karma
Get Updates on the Splunk Community!

Customer Experience | Splunk 2024: New Onboarding Resources

In 2023, we were routinely reminded that the digital world is ever-evolving and susceptible to new ...

Celebrate CX Day with Splunk: Take our interactive quiz, join our LinkedIn Live ...

Today and every day, Splunk celebrates the importance of customer experience throughout our product, ...

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

If you want to gain full control over your growing data volumes, check out Splunk’s Data Management pipeline ...