You do not need to enable syslog.
Syslog output is only required when Splunk and OSSEC are on different machines. If OSSEC is installed in the default location, Splunk should start indexing the alerts file automatically.
Some basic starting points:
Several portions of the app require configuration to work. The documentation in the app directory and on SplunkBase will provide more detail.
In particular, agent management and agent status screens require setup for your environment. A few features, like summary indexing, depend on scheduled searches, which are not available in the Splunk free license.
Several of the searches depend on a lookup table that might not have been built yet. To manually rebuild the table, run Searches & Reports -> Utility -> OSSEC - Rebuild Server Lookup Table.
This is most likely to be an issue when using the free version of Splunk.
From the Manager, go to Data Inputs -> Files & Directories and make sure that the input for `/var/ossec/logs/alerts/alerts*` exists and is enabled (it should be turned on by default).
If you have OSSEC in a non-standard location (i.e., not `/var/ossec`), create a new input for your alerts file. Set the sourcetype to `ossec_alerts`.
Run a search for `sourcetype=ossec*`. You should see results if there have been any OSSEC events on the local machine.
If you don't, try searching for `source=*alerts.log` or just search across all events. This only applies for local installations (syslog events will have a different value for `source`).
Run a search for `eventtype=ossec`. At present, most dashboards are built around this eventtype, so it's important that this return events. If the search on sourcetype works, but this search fails, then something is wrong with the eventtype definition (this should be defined correctly out-of-the-box).
At the time of writing, the current version of the app is 1.1.77. If you're not sure, either try updating, or look in the file `$SPLUNK_HOME/etc/apps/ossec/default/app.conf`.
If you only just installed, Splunk will need to be restarted before the app is usable. (You almost certainly did this already).
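The following POSIX shell function is an added troubleshooting helper, not part of the OSSEC app or of the answer above. It scripts the two checks from the answer: that the alerts file under the OSSEC directory is readable by the user running Splunk, and that an enabled monitor stanza with `sourcetype = ossec_alerts` covers it in the app's `inputs.conf`. The default paths, the app directory name `ossec`, and the stanza-matching logic are assumptions.

```shell
# check_ossec_input OSSEC_DIR SPLUNK_HOME [APP]
# Returns 0 when both checks pass, 1 when the alerts file is missing or
# unreadable, 2 when no enabled monitor stanza with sourcetype=ossec_alerts
# covers the alerts directory. (Added helper; defaults are assumptions.)
check_ossec_input() {
    ossec_dir="${1:-/var/ossec}"
    splunk_home="${2:-/opt/splunk}"
    app="${3:-ossec}"
    alerts="$ossec_dir/logs/alerts/alerts.log"

    # Check 1: the file Splunk is supposed to index must exist and be readable
    # by whoever runs splunkd (run this as that user).
    if [ ! -r "$alerts" ]; then
        echo "FAIL: $alerts missing or not readable by $(id -un)" >&2
        return 1
    fi

    # Check 2: look for a [monitor://...] stanza whose path lies in the alerts
    # directory, with sourcetype = ossec_alerts and not disabled.
    # local/ overrides default/, so local is consulted first.
    for conf in "$splunk_home/etc/apps/$app/local/inputs.conf" \
                "$splunk_home/etc/apps/$app/default/inputs.conf"; do
        [ -f "$conf" ] || continue
        if awk -v dir="$ossec_dir/logs/alerts" '
            # A stanza counts when it is a monitor of our alerts directory,
            # sets the expected sourcetype and is not disabled.
            function flush() { if (instanza && st && !dis) found = 1 }
            /^\[/ {
                flush()
                instanza = (index($0, "[monitor://") == 1 && index($0, dir) > 0)
                st = 0; dis = 0
            }
            instanza && $0 ~ /^[ \t]*sourcetype[ \t]*=[ \t]*ossec_alerts[ \t]*$/ { st = 1 }
            instanza && $0 ~ /^[ \t]*disabled[ \t]*=[ \t]*(1|true)[ \t]*$/   { dis = 1 }
            END { flush(); exit (found ? 0 : 1) }' "$conf"; then
            echo "OK: $alerts is covered by an enabled monitor stanza in $conf"
            return 0
        fi
    done

    echo "FAIL: no enabled monitor stanza with sourcetype=ossec_alerts for $alerts" >&2
    return 2
}
```

An input created through the Manager is written to the `local/inputs.conf` of whichever app was in context at the time, so if the check fails, pass that app's directory name as the third argument.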
Typo, that should have been `source=alerts.log`. Try the search by eventtype (added to answer above) as well, but if `sourcetype=ossec` returns events, then it sounds like you are getting data. Be aware that some dashboards require setup, but the "OSSEC Dashboard" and "OSSEC Event Search" should be fine if you can see events. If you are still having problems, can you be more specific about what's not working?