Getting Data In

How to configure outputs.conf on an OSSEC server to forward logs to a Splunk indexer?

kkingsland
Engager

I am trying to get a forwarder using the outputs.conf file on an ossec server to forward the logs to a splunk server.

I can not find anything at all on the proper setup to this and have all of the same items place on the old splunk server V5 and the new splunk server V6. They are able to communicate because I am able to get the agent status information off of the servers.

IS there anything that I should be checking or placing?

Ive gone through countless websites and searches through /answers/ but I can not find anything at all to help me.

brettcave
Builder

Do you want all logs or just the alerts? If just the alerts, then consider using syslog_output in ossec with a udp listener in SF.

inputs.conf

[udp://514]
sourcetype = syslog

ossec.conf

<ossec_config>
 ...
  <syslog_output>
    <server>127.0.0.1</server>
    <port>514</port>
    <format>splunk</format>
  </syslog_output>
 ...
</ossec_config>

Outputs.conf as per answer above.

0 Karma

southeringtonp
Motivator

The agent management occurs outside of the normal Splunk forwarding, so it does not necessarily mean that they are communicating properly.

If the Universal Forwarder is working, you should be able to see other events with a search like host=myossecserver. As for outputs.conf, consult the Universal Forwarder documentation, but It usually looks something like:

[tcpout:group1]
server=splunk.mynetwork.local:9997

Then, you need to configure the Splunk forwarder to send OSSEC log files to the central Splunk indexer. It's the same as the "local server" setup from the Reporting and Management for OSSEC app. You can also just install the app on the forwarder but that's overkill and not necessarily recommended.

############################################################
# Sample inputs for OSSEC data sources (Local Server)
############################################################

[monitor:///var/ossec/logs/alerts/alerts*]
disabled = 0
sourcetype = ossec_alerts

[monitor:///var/ossec/logs/ossec.log]
disabled = 0
sourcetype = ossec_log

[monitor:///var/ossec/logs/active-responses.log]
disabled = 0
sourcetype = ossec_ar
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...