Getting Data In

Splunk for Windows and OSSEC

Engager

Okay, so here is my situation: I am running a Splunk for Windows Enterprise Server along with a separate OSSEC server built on the OpenSUSE distribution. I am trying to send alerts and errors from OSSEC HIDS to my Windows Splunk instance. Inside OSSEC, I have syslog_output enabled and set to the correct IP with the Splunk format chosen. The two servers can see each other (at least, via ping). What else is necessary to get these alerts sent to Splunk? Thanks in advance for any help.


SplunkTrust

Make sure on Splunk that, in the Data Inputs, you set up Splunk to receive the syslog from OSSEC. Typically this would be in the UDP section of Data Inputs, adding port 514. Also, on your Windows machine, allow UDP:514 through the firewall if you have it on.

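The check a practitioner would want before touching Splunk is whether OSSEC datagrams actually reach the Windows host on UDP 514 through the firewall. The following is an added example, not code from this thread, from OSSEC or from Splunk: a small Python listener you can run on the Splunk host (with the Splunk UDP input stopped, since only one process can bind the port) plus a parser for the fields carried by OSSEC's default syslog_output line format. The line layout ("ossec: Alert Level: N; Rule: ID - description; Location: ...; srcip: ...; user: ...; original log") and the sample alerts are assumptions constructed for the example, not something the thread states.

```python
"""Diagnostic UDP syslog listener and OSSEC alert parser (added example).

Assumes the OSSEC server's <syslog_output> points at this host on UDP 514
and that alert lines follow OSSEC's default syslog format. That format is
an assumption of this example; adjust the regexes if your lines differ.
"""
import re
import socket
from typing import Optional

# Constructed sample datagrams in the assumed OSSEC default syslog format.
# Addresses are documentation ranges (RFC 5737); nothing here is real.
SAMPLE_ALERTS = [
    b"<132>Mar  4 10:15:22 ossec-server ossec: Alert Level: 5; "
    b"Rule: 5716 - SSHD authentication failed.; "
    b"Location: (web01) 192.0.2.10->/var/log/messages; "
    b"srcip: 198.51.100.7; user: root; "
    b"Mar  4 10:15:21 web01 sshd[2211]: Failed password for root "
    b"from 198.51.100.7 port 40122 ssh2",
    b"<130>Mar  4 10:16:03 ossec-server ossec: Alert Level: 3; "
    b"Rule: 5501 - Login session opened.; "
    b"Location: (web01) 192.0.2.10->/var/log/auth.log; user: deploy; "
    b"Mar  4 10:16:02 web01 sshd[2250]: pam_unix(sshd:session): "
    b"session opened for user deploy",
]

_PRI = re.compile(rb"^<(\d{1,3})>")  # RFC 3164 priority prefix
_HEADER = re.compile(
    r"^Alert Level: (\d+); Rule: (\d+) - (.*?); Location: ([^;]*);\s*(.*)$"
)
_LOCATION = re.compile(r"\((.*?)\) ([^-]+)->(.*)")  # "(agent) ip->logfile"
_KV = re.compile(r"^(srcip|dstip|user): ([^;]*); ")  # optional fields


def parse_ossec_alert(datagram: bytes) -> Optional[dict]:
    """Return a dict of alert fields, or None if this is not an OSSEC alert."""
    m = _PRI.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    text = datagram[m.end():].decode("utf-8", errors="replace")
    marker = text.find("ossec: ")
    if marker < 0:
        return None
    body = text[marker + len("ossec: "):]
    h = _HEADER.match(body)
    if not h:
        return None
    level, rule, desc, location, rest = h.groups()
    fields = {
        "facility": pri // 8,      # e.g. 16 = local0
        "severity": pri % 8,       # e.g. 4 = warning
        "level": int(level),
        "rule_id": int(rule),
        "description": desc,
        "location": location,
    }
    loc = _LOCATION.match(location)
    if loc:
        fields["agent"], fields["agent_ip"], fields["log_file"] = loc.groups()
    # Peel off "key: value; " pairs until only the original log line remains.
    while True:
        kv = _KV.match(rest)
        if not kv:
            break
        fields[kv.group(1)] = kv.group(2)
        rest = rest[kv.end():]
    fields["full_log"] = rest
    return fields


def listen(bind_addr: str = "0.0.0.0", port: int = 514,
           max_datagrams: int = 5, timeout: float = 30.0) -> list:
    """Receive up to max_datagrams on the syslog port and return them parsed.

    Run on the Splunk host with the Splunk UDP input stopped. If nothing
    arrives within the timeout, the problem is network or firewall, not
    Splunk. Binding 514 needs administrator rights on Windows.
    """
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        sock.settimeout(timeout)
        try:
            while len(received) < max_datagrams:
                data, (src, _) = sock.recvfrom(65535)
                received.append({"from": src, "raw": data,
                                 "alert": parse_ossec_alert(data)})
        except socket.timeout:
            pass
    return received


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for d in SAMPLE_ALERTS:
        print(parse_ossec_alert(d))
    # To check a live host instead:  print(listen())
```

Once datagrams are confirmed to arrive, the Splunk side of the accepted answer corresponds to a `[udp://514]` stanza in inputs.conf (what the Data Inputs page writes for you); the field names the parser produces (level, rule_id, agent, srcip, user) are the ones you would then extract in Splunk from the same lines.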


Engager

Thanks very much Anthony Reinke, this resolved my problem. Logs are now recognized from OSSEC.


SplunkTrust

It has been a while since I used OSSEC but I remember that the OSSEC server pushed the data to Splunk.

Here is an article that was stuck in my notes bookmark on setting up OSSEC and Splunk. A few years old, but it might put you in the right direction.

http://www.ossec.net/?p=402


Engager

Thanks Anthony. Yes, I have 514 open and ready, and other hosts/agents are passing logs through it already. I have tried to add OSSEC as a data input, but (not surprisingly) Splunk is unable to pull the WMI configuration, as OSSEC is a Linux box.
