You will need to create an inputs.conf to tell the Splunk forwarder where the OSSEC files to monitor are; you can actually copy the stanzas you need from the OSSEC app inputs.conf.
For example, an OSSEC server will need these stanzas in an inputs.conf:
[monitor:///var/ossec/logs/alerts/alerts*]
disabled = 0
index = myindex
sourcetype = ossec_alerts

[monitor:///var/ossec/logs/ossec.log]
disabled = 0
index = myindex
sourcetype = ossec_log

[monitor:///var/ossec/logs/active-responses.log]
disabled = 0
index = myindex
sourcetype = ossec_ar
This will tie the sourcetypes of the files monitored to the OSSEC app installed on your search head or indexer.
For more information on inputs.conf check here:
http://docs.splunk.com/Documentation/Splunk/6.1.3/admin/Inputsconf
Typically this file is located in /SPLUNKINSTALL/etc/apps/APPLICATION/local
Example: /opt/splunkforwarder/etc/apps/ossec_app/local/inputs.conf
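
An added example, not part of the original post: a small check that a forwarder's inputs.conf carries the three OSSEC stanzas above with the sourcetypes that tie them to the OSSEC app. The function name `check_inputs` and the `SAMPLE_BAD` text are constructed for illustration.

```python
import configparser

# Sourcetype expected for each monitored OSSEC file (stanzas from the post above).
EXPECTED = {
    "monitor:///var/ossec/logs/alerts/alerts*": "ossec_alerts",
    "monitor:///var/ossec/logs/ossec.log": "ossec_log",
    "monitor:///var/ossec/logs/active-responses.log": "ossec_ar",
}

def check_inputs(conf_text):
    """Return a list of problems found in an inputs.conf passed as text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case as written in the file
    parser.read_string(conf_text)
    problems = []
    for stanza, sourcetype in EXPECTED.items():
        if not parser.has_section(stanza):
            problems.append(f"missing stanza [{stanza}]")
            continue
        opts = parser[stanza]
        if opts.get("sourcetype") != sourcetype:
            problems.append(f"[{stanza}] sourcetype is {opts.get('sourcetype')!r}, expected {sourcetype!r}")
        if opts.get("disabled", "0").strip().lower() in ("1", "true"):
            problems.append(f"[{stanza}] is disabled")
        if not opts.get("index"):
            problems.append(f"[{stanza}] has no index set")
    return problems

# Constructed sample: wrong sourcetype, one disabled input, one stanza absent.
SAMPLE_BAD = """\
[monitor:///var/ossec/logs/alerts/alerts*]
disabled = 0
index = myindex
sourcetype = ossec

[monitor:///var/ossec/logs/ossec.log]
disabled = 1
index = myindex
sourcetype = ossec_log
"""

if __name__ == "__main__":
    for problem in check_inputs(SAMPLE_BAD):
        print(problem)
```
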