Do you want all logs or just the alerts? If just the alerts, then consider using syslog_output in OSSEC with a UDP listener in SF.
inputs.conf
[udp://514]
sourcetype = syslog
ossec.conf
<ossec_config>
...
<syslog_output>
<server>127.0.0.1</server>
<port>514</port>
<format>splunk</format>
</syslog_output>
...
</ossec_config>
Outputs.conf as per answer above.
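A consistency check for the two files in the answer above, as an added example that is not part of the original post: it confirms that every `<syslog_output>` block in ossec.conf points at a port with a `[udp://...]` stanza in inputs.conf and uses the `splunk` format. The sample configs are constructed from the answer with the `...` elisions removed, the function names are hypothetical, and ossec.conf is assumed to have a single `<ossec_config>` root.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples mirroring the answer above (elisions removed).
OSSEC_CONF = """<ossec_config>
  <syslog_output>
    <server>127.0.0.1</server>
    <port>514</port>
    <format>splunk</format>
  </syslog_output>
</ossec_config>"""

INPUTS_CONF = """[udp://514]
sourcetype = syslog
"""

def udp_ports(inputs_conf):
    """Ports with a [udp://<port>] or [udp://<host>:<port>] stanza."""
    pattern = r"^\[udp://(?:[^\]:]*:)?(\d+)\]\s*$"
    return {int(m.group(1)) for m in re.finditer(pattern, inputs_conf, re.M)}

def check(ossec_conf, inputs_conf):
    """Return a list of findings; 'error:' entries mean alerts will be lost."""
    findings = []
    listeners = udp_ports(inputs_conf)
    outputs = ET.fromstring(ossec_conf).findall("syslog_output")
    if not outputs:
        findings.append("error: no <syslog_output> block in ossec.conf")
    for out in outputs:
        server = (out.findtext("server") or "").strip()
        # OSSEC falls back to port 514 and format "default" when omitted.
        port = int((out.findtext("port") or "514").strip())
        fmt = (out.findtext("format") or "default").strip()
        if port not in listeners:
            findings.append(f"error: {server}:{port} has no matching [udp://{port}] stanza")
        if fmt != "splunk":
            findings.append(f"error: {server}:{port} uses format '{fmt}', not 'splunk'")
        if port < 1024:
            findings.append(f"note: port {port} is privileged; on Unix-like hosts "
                            "the listener needs root to bind it")
    return findings

if __name__ == "__main__":
    for line in check(OSSEC_CONF, INPUTS_CONF):
        print(line)
```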