This is the first time I'm going to use the OSSEC App (http://apps.splunk.com/app/300/). I didn't find the CLEAN STEPS for configuring the App to get data from a Splunk forwarder installed on the OSSEC logs source machine (it may not be the OSSEC server itself; this is a syslog aggregator).
I have installed the Splunk forwarder on the syslog aggregator machine.
Configured the forwarder's outputs.conf to send to the indexer. I can see the _internal logs of the forwarder on the Indexer/SH machine, so the communication is set up.
Install OSSEC App on Indexer/SH.
What are the next steps to configure the Splunk forwarder to send the data from a log path, say path1, to the Indexer/SH?
I'm not finding:
1. Clear steps to make it work, like step-1, step-2, step-3 ... step-n
2. There doesn't seem to be a TA (add-on) app for installing on the forwarder?
Kindly let me know if anyone has prepared the configuration steps to make OSSEC work.