The Splunk_TA_ossec files are missing from the Splunk Add-on for OSSEC:
splunk-add-on-for-ossec_401.tgz
Splunk documentation claims that they should be there for OSSEC dashboards:
http://docs.splunk.com/Documentation/AddOns/released/OSSEC/Lookups
Anyone know where to find them?
Thanks.
Hi Hunter,
Thanks for your quick answer, and correct clarification.
My confusion was a result of there being TWO ossec config files:
1) ossec-hids-2.8.3.tar.gz -> installs ossec itself
2) splunk_add-on-for-ossec_401 -> installs Splunk_TA_ossec, for ossec/Splunk integration.
I had just missed the second one.
David
Hi David,
After you install the add-on, the lookup files can be found in the installation directory here:
$SPLUNK_HOME/etc/apps/Splunk_TA_ossec/lookups/
Hope it helps. Thanks!
Hunter