Getting Data In

How to configure outputs.conf on an OSSEC server to forward logs to a Splunk indexer?

kkingsland
Engager

I am trying to get a forwarder using the outputs.conf file on an ossec server to forward the logs to a splunk server.

I can not find anything at all on the proper setup to this and have all of the same items place on the old splunk server V5 and the new splunk server V6. They are able to communicate because I am able to get the agent status information off of the servers.

IS there anything that I should be checking or placing?

Ive gone through countless websites and searches through /answers/ but I can not find anything at all to help me.

brettcave
Builder

Do you want all logs or just the alerts? If just the alerts, then consider using syslog_output in ossec with a udp listener in SF.

inputs.conf

[udp://514]
sourcetype = syslog

ossec.conf

<ossec_config>
 ...
  <syslog_output>
    <server>127.0.0.1</server>
    <port>514</port>
    <format>splunk</format>
  </syslog_output>
 ...
</ossec_config>

Outputs.conf as per answer above.

0 Karma

southeringtonp
Motivator

The agent management occurs outside of the normal Splunk forwarding, so it does not necessarily mean that they are communicating properly.

If the Universal Forwarder is working, you should be able to see other events with a search like host=myossecserver. As for outputs.conf, consult the Universal Forwarder documentation, but It usually looks something like:

[tcpout:group1]
server=splunk.mynetwork.local:9997

Then, you need to configure the Splunk forwarder to send OSSEC log files to the central Splunk indexer. It's the same as the "local server" setup from the Reporting and Management for OSSEC app. You can also just install the app on the forwarder but that's overkill and not necessarily recommended.

############################################################
# Sample inputs for OSSEC data sources (Local Server)
############################################################

[monitor:///var/ossec/logs/alerts/alerts*]
disabled = 0
sourcetype = ossec_alerts

[monitor:///var/ossec/logs/ossec.log]
disabled = 0
sourcetype = ossec_log

[monitor:///var/ossec/logs/active-responses.log]
disabled = 0
sourcetype = ossec_ar
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...