Using an existing OSSEC app with ES

lprine · ‎12-19-2013

I have a working install of "Reporting and Management for OSSEC" working nicely now. Now that we have purchased ES and want to start deploying it, I'm a little lost on how if its even possible to use the existing OSSEC install with ES.

Can I just make the existing Reporting and Management for OSSEC a heavy forwarder to ES and classify the data as ossec on the ES server?

jcoates_splunk · ‎12-19-2013

Hi, OSSEC has a lot of data, and we don't want to generate duplicates from other sources (e.g. login events). There's a TA in ES that will parse the OSSEC data for change management events. To use it, you just need to let your ES search head search the index where OSSEC data is written (Manager > Roles > Admin > Indexes searched by default). You may need to tweak the sourcetype in TA-ossec's props.conf.

lprine · ‎12-19-2013

The OSSEC is installed in a 6.0.x server that is not a part of the ES deployment.

Using an existing OSSEC app with ES

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation

Using an existing OSSEC app with ES

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...