Splunk + OSSEC

splunk

splunk


I have just started working with splunk a little bit and one of the things I have tried is to hook it up to OSSEC. This, like most things these days, has proven to be interesting to say the least. Actually, it’s a very simple process, however, the documentation is abysmal at best and I spent hours pouring through different websites until I found the correct potion to get things actually working they way they are supposed to. I am documenting it here for future reference. I am currently running OSSEC v2.4.x and Splunk v4.1.4:

On splunk:

Install ossec module into splunk

splunk->manager->data inputs->udp->new
udp port – 10002
set host – ip
source type – manual
source type – ossec
save

Make sure 10002 is enabled

On OSSEC:

vim /var/ossec/etc/ossec.conf
add:
<syslog_output>
<server>172.25.3.3</server>
<port>10002</port>
</syslog_output>
under global config

/var/ossec/bin/ossec-control enable client-syslog

service ossec restart

You should now start getting ossec alerts to splunk…!

Be Sociable, Share!

Leave a Reply

You must be logged in to post a comment.