Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure outputs.conf on an OSSEC server to forward logs to a Splunk indexer?

kkingsland
Engager
‎02-11-2015 10:37 AM

I am trying to get a forwarder using the outputs.conf file on an ossec server to forward the logs to a splunk server.

I can not find anything at all on the proper setup to this and have all of the same items place on the old splunk server V5 and the new splunk server V6. They are able to communicate because I am able to get the agent status information off of the servers.

IS there anything that I should be checking or placing?

Ive gone through countless websites and searches through /answers/ but I can not find anything at all to help me.

Reply

brettcave
Builder
‎04-05-2016 04:38 AM

Do you want all logs or just the alerts? If just the alerts, then consider using syslog_output in ossec with a udp listener in SF.

inputs.conf

[udp://514]
sourcetype = syslog

ossec.conf

<ossec_config>
 ...
  <syslog_output>
    <server>127.0.0.1</server>
    <port>514</port>
    <format>splunk</format>
  </syslog_output>
 ...
</ossec_config>

Outputs.conf as per answer above.

0 Karma
Reply

southeringtonp
Motivator
‎02-11-2015 11:58 AM

The agent management occurs outside of the normal Splunk forwarding, so it does not necessarily mean that they are communicating properly.

If the Universal Forwarder is working, you should be able to see other events with a search like host=myossecserver. As for outputs.conf, consult the Universal Forwarder documentation, but It usually looks something like:

[tcpout:group1]
server=splunk.mynetwork.local:9997

Then, you need to configure the Splunk forwarder to send OSSEC log files to the central Splunk indexer. It's the same as the "local server" setup from the Reporting and Management for OSSEC app. You can also just install the app on the forwarder but that's overkill and not necessarily recommended.

############################################################
# Sample inputs for OSSEC data sources (Local Server)
############################################################

[monitor:///var/ossec/logs/alerts/alerts*]
disabled = 0
sourcetype = ossec_alerts

[monitor:///var/ossec/logs/ossec.log]
disabled = 0
sourcetype = ossec_log

[monitor:///var/ossec/logs/active-responses.log]
disabled = 0
sourcetype = ossec_ar
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...