Splunk + OSSEC



I have just started working with Splunk a little bit and one of the things I have tried is to hook it up to OSSEC. This, like most things these days, has proven to be interesting to say the least. Actually, it's a very simple process; however, the documentation is abysmal at best and I spent hours poring through different websites until I found the correct potion to get things actually working the way they are supposed to. I am documenting it here for future reference. I am currently running OSSEC v2.4.x and Splunk v4.1.4:

On Splunk:

Install the OSSEC module (app) into Splunk

splunk -> manager -> data inputs -> udp -> new
udp port – 10002
set host – IP (Splunk uses the sender's IP address as the host field)
set source type – manual
source type – ossec

Make sure UDP port 10002 is reachable on the Splunk host (check the firewall)

On the OSSEC server:

vim /var/ossec/etc/ossec.conf
under the global config, add a syslog output pointing at the Splunk host's IP and UDP port 10002

/var/ossec/bin/ossec-control enable client-syslog

service ossec restart
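The syslog output stanza those steps refer to, written out as an added example (it is not the original post's configuration). In OSSEC 2.x the `<syslog_output>` block is its own element directly inside `<ossec_config>`, next to the `<global>` block; `SPLUNK_HOST_IP` is a placeholder for the Splunk host's address, and the port must match the UDP data input created on the Splunk side:

```xml
<ossec_config>
  <!-- Added example, not the post's own config.
       Replace SPLUNK_HOST_IP with the address of the Splunk host
       that owns the UDP input on port 10002. -->
  <syslog_output>
    <server>SPLUNK_HOST_IP</server>   <!-- placeholder: Splunk host -->
    <port>10002</port>                <!-- must match the Splunk UDP input; OSSEC defaults to 514 -->
    <level>3</level>                  <!-- optional: only forward alerts of level 3 and above -->
  </syslog_output>
</ossec_config>
```

After the `enable client-syslog` and restart steps, a quick way to confirm the forwarding works is to run `tcpdump -ni any udp port 10002` on the Splunk host while triggering an alert, then search `sourcetype=ossec` in Splunk. Without `<level>`, every alert is forwarded; raising it keeps noisy low-level events out of the index.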

You should now start getting OSSEC alerts in Splunk!
