All Apps and Add-ons

Splunk Add-on for OSSEC: Why are there missing files from add-on and where to find them?

davidschatz
New Member

The Splunk_TA_ossec files are missing from the Splunk Add-on for OSSEC:

splunk-add-on-for-ossec_401.tgz

Splunk documentation claims that they should be there for OSSEC dashboards:

 http://docs.splunk.com/Documentation/AddOns/released/OSSEC/Lookups

Anyone know where to find them?

Thanks.

0 Karma

davidschatz
New Member

Hi Hunter,

Thanks for your quick answer, and correct clarification.

My confusion was a result of there being TWO ossec config files:

1) ossec-hids-2.8.3.tar.gz -> installs ossec itself
2) splunk_add-on-for-ossec_401 -> installs Splunk_TA_ossec, for ossec/Splunk integration.

I had just missed the second one.

David

0 Karma

hunters_splunk
Splunk Employee
Splunk Employee

Hi David,

After you install the add-on, the lookup files can be found in the installation directory here;

$SPLUNK_HOME/etc/apps/Splunk_TA_ossec/lookups/

Hope it helps. Thanks!
Hunter

0 Karma
Get Updates on the Splunk Community!

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...