Getting Data In

How to configure outputs.conf on an OSSEC server to forward logs to a Splunk indexer?

kkingsland
Engager

I am trying to get a forwarder using the outputs.conf file on an ossec server to forward the logs to a splunk server.

I cannot find anything at all on the proper setup for this, and I have all of the same items in place on the old Splunk server (v5) and the new Splunk server (v6). They are able to communicate, because I am able to get the agent status information off the servers.

Is there anything that I should be checking or placing?

I've gone through countless websites and searches through /answers/, but I cannot find anything at all to help me.

brettcave
Builder

Do you want all logs or just the alerts? If just the alerts, then consider using syslog_output in ossec with a udp listener in SF.

inputs.conf

# A UDP input below port 1024 needs splunkd running as root (or with
# CAP_NET_BIND_SERVICE); use a high port such as udp://5514 otherwise.
[udp://514]
sourcetype = syslog

ossec.conf

<ossec_config>
 ...
  <syslog_output>
    <server>127.0.0.1</server>
    <port>514</port>
    <format>splunk</format>
  </syslog_output>
 ...
</ossec_config>

Outputs.conf as per answer above.

0 Karma
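To see what the listener above actually receives, here is an added example (not from the original post or from OSSEC's own code) that stands in for the Splunk UDP input: it parses the key=value syslog lines that OSSEC's `<format>splunk</format>` emits and filters them by alert level. The sample lines are constructed and approximate OSSEC's csyslogd output; the field names (crit, id, description, component, classification, src, user, text) are assumptions, so check them against your own alerts before building searches on them.

```python
import re
import socket

# Constructed sample input approximating OSSEC syslog_output with
# <format>splunk</format>: RFC 3164 header, then key=value pairs.
# Field names are an assumption; compare with a real line from your server.
SAMPLE_LINES = [
    '<132>Jan 17 22:00:00 ossecsrv ossec: crit=5 id=5716 '
    'description="SSHD authentication failed." '
    'component="(agent01) 10.0.0.5->/var/log/auth.log" '
    'classification="syslog,sshd,authentication_failed," '
    'src="192.168.1.50" user="root" '
    'text="Jan 17 22:00:00 agent01 sshd[1234]: Failed password for root '
    'from 192.168.1.50 port 5555 ssh2"',
    '<132>Jan 17 22:00:05 ossecsrv ossec: crit=3 id=5501 '
    'description="Login session opened." '
    'component="(server) 127.0.0.1->/var/log/secure" classification="pam,syslog,"',
    'garbage without a syslog header',
]

# <PRI>MMM DD HH:MM:SS host ossec: <payload>
HEADER_RE = re.compile(
    r'^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ossec: (.*)$')
# key="quoted value" or key=bare_value (bare values stop at space or comma)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_ossec_syslog(line):
    """Return a dict of fields for one OSSEC splunk-format line, or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None  # not an OSSEC alert (or a format we do not understand)
    pri = int(m.group(1))
    fields = {
        "facility": pri // 8,   # 132 -> local0
        "severity": pri % 8,    # 132 -> warning
        "timestamp": m.group(2),
        "host": m.group(3),
    }
    for key, quoted, bare in KV_RE.findall(m.group(4)):
        fields[key] = quoted if quoted else bare
    for numeric in ("crit", "id"):
        if numeric in fields:
            fields[numeric] = int(fields[numeric])
    return fields


def high_severity_alerts(lines, min_level=5):
    """Parse lines and keep only alerts whose OSSEC level is >= min_level."""
    alerts = []
    for line in lines:
        fields = parse_ossec_syslog(line)
        if fields is None:
            continue
        if fields.get("crit", 0) >= min_level:
            alerts.append(fields)
    return alerts


def udp_roundtrip(lines, host="127.0.0.1"):
    """Loopback demo of the [udp://...] input: bind an ephemeral UDP port,
    send the sample lines to it as OSSEC would, and parse what arrives."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((host, 0))              # port 0: let the OS pick a free port
    listener.settimeout(2)
    port = listener.getsockname()[1]
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    received = []
    try:
        for line in lines:
            sender.sendto(line.encode("utf-8"), (host, port))
            data, _ = listener.recvfrom(65535)
            received.append(parse_ossec_syslog(data.decode("utf-8", "replace")))
    finally:
        sender.close()
        listener.close()
    return received


if __name__ == "__main__":
    for fields in udp_roundtrip(SAMPLE_LINES):
        print(fields)
    print("level >= 5:", [a["id"] for a in high_severity_alerts(SAMPLE_LINES)])
```

Because only lines matching the header pattern are parsed, anything else arriving on the port (other syslog senders sharing the listener, truncated datagrams) is dropped rather than mis-indexed as an OSSEC alert; a real deployment would route those to a separate sourcetype instead.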

southeringtonp
Motivator

The agent management occurs outside of the normal Splunk forwarding, so it does not necessarily mean that they are communicating properly.

If the Universal Forwarder is working, you should be able to see other events with a search like host=myossecserver. As for outputs.conf, consult the Universal Forwarder documentation, but it usually looks something like:

[tcpout:group1]
server=splunk.mynetwork.local:9997

Then, you need to configure the Splunk forwarder to send OSSEC log files to the central Splunk indexer. It's the same as the "local server" setup from the Reporting and Management for OSSEC app. You can also just install the app on the forwarder but that's overkill and not necessarily recommended.

############################################################
# Sample inputs for OSSEC data sources (Local Server)
############################################################

[monitor:///var/ossec/logs/alerts/alerts*]
disabled = 0
sourcetype = ossec_alerts

[monitor:///var/ossec/logs/ossec.log]
disabled = 0
sourcetype = ossec_log

[monitor:///var/ossec/logs/active-responses.log]
disabled = 0
sourcetype = ossec_ar
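The alerts* files monitored above are multi-line: each alert starts with a `** Alert` header and runs until the next one, so the indexer has to break events on that header or every line becomes its own event. The following added example (not from the original post or from the OSSEC app) splits a constructed alerts.log sample into events the way a correct line breaker would and pulls out the fields a search would want (rule id, level, agent, location, source IP, user); the sample content imitates the OSSEC alerts.log layout and is constructed for this example.

```python
import re

# Constructed sample in the layout of /var/ossec/logs/alerts/alerts.log.
SAMPLE_ALERTS_LOG = """** Alert 1390000000.12345: - syslog,sshd,authentication_failed,
2014 Jan 17 22:00:00 (agent01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.168.1.50
User: root
Jan 17 22:00:00 agent01 sshd[1234]: Failed password for root from 192.168.1.50 port 5555 ssh2

** Alert 1390000010.12400: mail  - syslog,sudo
2014 Jan 17 22:00:10 ossecsrv->/var/log/secure
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
User: admin
Jan 17 22:00:10 ossecsrv sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/bash
"""

# ** Alert <epoch>.<serial>: [mail ] - group1,group2,
HEADER_RE = re.compile(r'^\*\* Alert (\d+)\.(\d+): (mail\s+)?- (.*)$')
# YYYY Mon DD HH:MM:SS (agentname) ip->location   |   YYYY Mon DD HH:MM:SS host->location
LOCATION_RE = re.compile(
    r'^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?:\((\S+)\) (\S+?)|(\S+?))->(.*)$')
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")


def split_alerts(text):
    """Break alerts.log content into one string per '** Alert' block.
    This is the same boundary a props.conf line breaker must use."""
    events, current = [], []
    for line in text.splitlines():
        if line.startswith("** Alert "):
            if current:
                events.append("\n".join(current))
            current = [line]
        elif current:
            current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def parse_alert(block):
    """Extract fields from one alert block; returns None if the header is off."""
    lines = block.split("\n")
    m = HEADER_RE.match(lines[0])
    if not m:
        return None
    alert = {
        "epoch": int(m.group(1)),
        "serial": int(m.group(2)),
        "mail": m.group(3) is not None,
        "groups": [g for g in m.group(4).split(",") if g],
    }
    body = []
    for line in lines[1:]:
        if not line.strip():
            continue
        lm = LOCATION_RE.match(line)
        rm = RULE_RE.match(line)
        if lm and "timestamp" not in alert:
            alert["timestamp"] = lm.group(1)
            alert["agent"] = lm.group(2)                 # None when it is the server itself
            alert["source"] = lm.group(3) or lm.group(4)  # agent IP, or local hostname
            alert["location"] = lm.group(5)
        elif rm:
            alert["rule_id"] = int(rm.group(1))
            alert["level"] = int(rm.group(2))
            alert["rule_desc"] = rm.group(3)
        elif line.startswith("Src IP: "):
            alert["src_ip"] = line[len("Src IP: "):]
        elif line.startswith("User: "):
            alert["user"] = line[len("User: "):]
        else:
            body.append(line)          # the original log line(s) that fired the rule
    alert["log"] = "\n".join(body)
    return alert


def alerts_at_or_above(text, min_level):
    """All parsed alerts whose level is >= min_level, in file order."""
    parsed = (parse_alert(b) for b in split_alerts(text))
    return [a for a in parsed if a is not None and a.get("level", 0) >= min_level]


if __name__ == "__main__":
    for a in alerts_at_or_above(SAMPLE_ALERTS_LOG, 0):
        print(a["rule_id"], a["level"], a["agent"], a["location"], a.get("src_ip"))
```

If you do not use the app's props.conf, a setting such as `BREAK_ONLY_BEFORE = ^\*\* Alert` for the ossec_alerts sourcetype gives the indexer the same boundary that `split_alerts` uses here; without it the Src IP, User and raw log lines end up as separate, contextless events.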