Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to integrate OSSEC with Splunk.

azimzores
New Member
‎04-27-2010 09:34 PM

I am abit new to Splunk. I have setup the ossec server with: 6.7.8.9 10002

using the IP of the SPLUNK server. I have successfully installed the Ossec APP, it is not geting any data into Splunk when i look at the dashboard, what other configuration am i missing?

Tags (3)
0 Karma
Reply

southeringtonp
Motivator
‎09-15-2010 01:45 PM

As rayfoo suggested, a clearer explanation of what you mean by "limited data" would go a long way toward understanding your problem.

This is a fairly old question, so not sure if it's still an issue, but here are some things to try / questions to ask when troubleshooting:

  • Are you running the latest version of the Splunk for OSSEC App? There have been some significant changes from 1.0.x to 1.1.x of the app, and there will be several more in 1.2.x.

  • Does the issue appear with just dashboards, or do you have issues with the saved searches as well? What happens if you search on sourcetype=ossec* ?

  • Do the records coming into Splunk have the correct sourcetype? See the Data Inputs section of the README file for the recommended sourcetype values. If they are incorrect, you may need to adjust your Inputs configuration.

  • The dashboards currently look for specific OSSEC servers, so try running the search:
    | inputlookup lookup_ossec_servers and make sure your servers are listed. Also, make sure that the default wildcard entry for "All OSSEC Servers" is present. If not, there's a saved search that rebuilds the lookup table, so you might try running that.

    0 Karma
    Reply

    jrodman
    Splunk Employee
    Splunk Employee
    ‎04-27-2010 10:28 PM

    Have you already read the installation text here?

    0 Karma
    Reply

    rayfoo
    Path Finder
    ‎05-04-2010 04:19 PM

    Please explain more on what you mean by "limited data"?

    0 Karma
    Reply

    azimzores
    New Member
    ‎04-27-2010 11:44 PM

    Yes, seems like limited data is following over.

    0 Karma
    Reply
    Got questions? Get answers!

    Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

    Meet up IRL or virtually!

    Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

    Get Updates on the Splunk Community!

    Announcing Modern Navigation: A New Era of Splunk User Experience

    We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

    Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

    We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

    Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

    After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...