Splunk Add-on for OSSEC: Why are there missing fil...

davidschatz · ‎05-18-2017

The Splunk_TA_ossec files are missing from the Splunk Add-on for OSSEC:

splunk-add-on-for-ossec_401.tgz

Splunk documentation claims that they should be there for OSSEC dashboards:

 http://docs.splunk.com/Documentation/AddOns/released/OSSEC/Lookups

Anyone know where to find them?

Thanks.

davidschatz · ‎05-22-2017

Hi Hunter,

Thanks for your quick answer, and correct clarification.

My confusion was a result of there being TWO ossec config files:

1) ossec-hids-2.8.3.tar.gz -> installs ossec itself
2) splunk_add-on-for-ossec_401 -> installs Splunk_TA_ossec, for ossec/Splunk integration.

I had just missed the second one.

David

hunters_splunk · ‎05-18-2017

Hi David,

After you install the add-on, the lookup files can be found in the installation directory here;

$SPLUNK_HOME/etc/apps/Splunk_TA_ossec/lookups/

Hope it helps. Thanks!
Hunter

Splunk Add-on for OSSEC: Why are there missing files from add-on and where to find them?