
Splunk and Ossec on Same Machine

New Member

I have Splunk v 4.1.5 installed on a machine that is an OSSEC server. Problem is I can't get the Splunk OSSEC app to see any of the OSSEC data.

Do I need to enable syslog for it to work?

Please and thanks, Mike


Motivator

You do not need to enable syslog.

Syslog output is only required when Splunk and OSSEC are on different machines. If OSSEC is installed in the default location, Splunk should start indexing the alerts file automatically.

Some basic starting points:

  • Check the README and KNOWN_ISSUES files

    Several portions of the app require configuration to work. The documentation in the app directory and on SplunkBase will provide more detail.

    In particular, agent management and agent status screens require setup for your environment. A few features, like summary indexing, depend on scheduled searches, which are not available in the Splunk free license.

  • Rebuild the Lookup Table

    Several of the searches depend on a lookup table that might not have been built yet. To manually rebuild the table, run Searches & Reports -> Utility -> OSSEC - Rebuild Server Lookup Table.

    This is most likely to be an issue when using the free version of Splunk.

  • Check Inputs Configuration

    From the Manager, go to Data Inputs -> Files & Directories and make sure that the input for `/var/ossec/logs/alerts/alerts*` exists and is enabled (it should be turned on by default).

    If you have OSSEC in a non-standard location (i.e., not /var/ossec), create a new input for your alerts file. Set the sourcetype to ossec_alerts.

  • Manually Search

    Run a search for `sourcetype=ossec*`. You should see results if there have been any OSSEC events on the local machine.

    If you don't, try searching for `source=*alerts.log` or just search across all events. This only applies for local installations (syslog events will have a different value for `source`).

    Run a search for `eventtype=ossec`. At present, most dashboards are built around this eventtype, so it's important that this return events. If the search on sourcetype works, but this search fails, then something is wrong with the eventtype definition (this should be defined correctly out-of-the-box).

  • Update the App

    At the time of writing, the current version of the app is 1.1.77. If you're not sure, either try updating, or look in the file $SPLUNK_HOME/etc/apps/ossec/default/app.conf

  • Restart Splunk

    If you only just installed, Splunk will need to be restarted before the app is usable. (You almost certainly did this already).

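As an added example (not code from the original answer, from Splunk, or from the OSSEC app), the following Python script performs the two checks the answer above describes offline: it inspects an `inputs.conf` for an enabled monitor stanza covering `<ossec_dir>/logs/alerts/` with `sourcetype = ossec_alerts`, and it parses an OSSEC `alerts.log` to confirm that there are alerts to index at all. The `inputs.conf` contents and the `alerts.log` entries are constructed for this example, and the alert block layout is an approximation of OSSEC's text format, not a reference parser. Everything below runs stand-alone.

```python
"""Offline checks for the troubleshooting steps in the answer above:
1. Is there an enabled Splunk monitor input on the OSSEC alerts file?
2. Does the alerts file actually contain alert blocks?
All sample data here is constructed for the example."""
import configparser
import re

# Constructed inputs.conf fragments: a disabled stanza for the default
# location beside a corrected stanza for a non-standard install.
INPUTS_CONF_BROKEN = """\
[monitor:///var/ossec/logs/alerts/alerts*]
sourcetype = ossec_alerts
disabled = 1
"""

INPUTS_CONF_FIXED = """\
[monitor:///opt/ossec/logs/alerts/alerts*]
sourcetype = ossec_alerts
disabled = 0
"""


def check_alerts_input(inputs_conf, ossec_dir="/var/ossec"):
    """Return (ok, message). ok is True only when a monitor stanza covers
    <ossec_dir>/logs/alerts/, is not disabled, and sets sourcetype=ossec_alerts."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(inputs_conf)
    wanted = "monitor://%s/logs/alerts/" % ossec_dir.rstrip("/")
    for section in cp.sections():
        if not section.startswith(wanted):
            continue
        disabled = cp.get(section, "disabled", fallback="0").strip().lower()
        if disabled in ("1", "true"):
            return False, "%s exists but is disabled" % section
        sourcetype = cp.get(section, "sourcetype", fallback="")
        if sourcetype != "ossec_alerts":
            return False, "%s has sourcetype %r, expected 'ossec_alerts'" % (section, sourcetype)
        return True, "%s is enabled with sourcetype ossec_alerts" % section
    return False, "no monitor stanza for %s*" % wanted


# Constructed alerts.log excerpt (format approximated from OSSEC output).
SAMPLE_ALERTS_LOG = """\
** Alert 1288031405.1234: - syslog,sshd,authentication_failed,
2010 Oct 25 13:10:05 ossec-server->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.5
User: root
Oct 25 13:10:04 ossec-server sshd[1234]: Failed password for root from 10.0.0.5 port 4242 ssh2

** Alert 1288031470.2222: mail  - syslog,sshd,authentication_failures,
2010 Oct 25 13:11:10 (web01) 10.0.0.7->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 10.0.0.5
Oct 25 13:11:08 web01 sshd[2001]: Failed password for invalid user admin from 10.0.0.5 port 4243 ssh2
Oct 25 13:11:09 web01 sshd[2002]: Failed password for invalid user admin from 10.0.0.5 port 4244 ssh2
"""

ALERT_HEADER = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):(?P<mail> mail)? +- (?P<groups>[\w,]+)$")
RULE_LINE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alerts(text):
    """Split an alerts.log into one dict per '** Alert' block."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:
            cur = {"ts": float(m["ts"]),
                   "groups": m["groups"].strip(",").split(","),
                   "log": []}
            alerts.append(cur)
            continue
        if cur is None or not line.strip():
            continue  # skip anything before the first header and blank separators
        r = RULE_LINE.match(line)
        if r:
            cur["rule"] = int(r["id"])
            cur["level"] = int(r["level"])
            cur["desc"] = r["desc"]
        elif line.startswith("Src IP: "):
            cur["src_ip"] = line[len("Src IP: "):]
        elif line.startswith("User: "):
            cur["user"] = line[len("User: "):]
        elif "rule" not in cur and "->" in line:
            cur["location"] = line  # the 'timestamp host->file' line before the Rule line
        else:
            cur["log"].append(line)  # raw log line(s) that triggered the rule
    return alerts


if __name__ == "__main__":
    print(check_alerts_input(INPUTS_CONF_BROKEN))
    print(check_alerts_input(INPUTS_CONF_FIXED, ossec_dir="/opt/ossec"))
    for a in parse_alerts(SAMPLE_ALERTS_LOG):
        print(a["rule"], a["level"], a.get("src_ip"), a["desc"])
```

On a real host, feed `check_alerts_input` the merged configuration (for instance the output of `splunk btool inputs list`) and `parse_alerts` the contents of `/var/ossec/logs/alerts/alerts.log`; if the parser finds alerts but the monitor check fails, the input stanza is the problem, and if the parser finds nothing, OSSEC itself is not writing alerts yet.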

Motivator

Typo, that should have been source=alerts.log. Try the search by eventtype (added to answer above) as well, but if sourcetype=ossec returns events, then it sounds like you are getting data. Be aware that some dashboards require setup, but the "OSSEC Dashboard" and "OSSEC Event Search" should be fine if you can see events. If you are still having problems, can you be more specific about what's not working?


New Member

Manual Search - source=*alerts reveals no alerts
Sourcetypes are all set to automatic


New Member

  • Rebuild lookup table - done
  • Input config - `/var/ossec/logs/alerts/alerts*` - check
  • Manual Search - sourcetype=ossec* > 50,000 events