Im looking to integrate ossec into our enviorment. As of now, most of the server has splunk light forwarding that sending data to the server that can monitor the logs (mostly linux stuff)
Plus that we have some switches+firewalls that also send stuff to the server.
How have you configured you integration. Have you both the agent for ossec that sends the stuff to a ossec server that do the analys and then monitor that server with the splunk ossec app. Or do you have the ossec and splunk servers on the same machine?
For the servers, it should work either way. I keep them on separate servers, but for mostly non-technical reasons.
If you install Splunk directly on the OSSEC server, you gain a few minor advantages, since the alerts.log file provides slightly more detail than OSSEC's syslog output.
If you aren't under heavy load, both can coexist just fine on the same machine. Under heavier load, it may be better to keep them separate. OSSEC tends to be a little more CPU-intensive, while Splunk is more disk-bound (though Splunk will still use up multiple CPU cores especially when you start running concurrent searches).
If you're just asking about the agents themselves and you are using the LWFs, then you would also need to instal the ossec agent on each endpoint.