All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

There is no OSSEC index in the Reporting and Management for OSSEC app. Will it take main?

ben_leung
Builder
‎03-26-2015 10:28 AM

Reporting and Management for OSSEC

There is no index.conf for making sure that it is search able.

0 Karma
Reply

southeringtonp
Motivator
‎03-26-2015 11:53 AM

In the current version, OSSEC events will go to Splunk's default main and summary indexes.

This could change at some point in the future -- having it be more configurable is on the wishlist.

In the meantime, you can configure it to use a dedicated ossec if you wish. It shouldn't require a huge effort -- you would need to create the index, making it default-searchable, and also update the inputs.conf entries to send events to it. If you also want to use a dedicated ossec_summary index, you'll need to update the populating saved searches as well as the search strings embedded in the OSSEC Summary Dashboard.

0 Karma
Reply

ben_leung
Builder
‎03-26-2015 05:05 PM

Actually I agree that not having an index.conf in the app is good. It leaves the option for the user to setup how they expect the index to retain/store the data. Most apps I have used came with an index.conf, which was the norm for me.

0 Karma
Reply

southeringtonp
Motivator
‎03-26-2015 06:40 PM

When the app was initially written, there were a lot of people using it with the free version of Splunk and not indexing other data. In that scenario, having a dedicated index was a little silly and more likely to be confusing than helpful. I've personally been frustrated in the past by apps that created indexes for what was low-volume data in our environment and potentially screwing up existing index design. But for people with larger Splunk deployments and multiple needs, using a separate index makes a lot of sense. So it really comes down to your use case.

0 Karma
Reply

ben_leung
Builder
‎03-26-2015 11:04 AM

so i guess we can just configure it, or let it go into main

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top