Splunk + OSSEC

I have just started working with Splunk a little bit, and one of the things I have tried is to hook it up to OSSEC. This, like most things these days, has proven to be interesting to say the least. Actually, it is a very simple process; however, the documentation is abysmal at best, and I spent hours poring through different websites until I found the correct potion to get things working the way they are supposed to. I am documenting it here for future reference. I am currently running OSSEC v2.4.x and Splunk v4.1.4:

On splunk:

Install the OSSEC app into Splunk

Splunk -> Manager -> Data inputs -> UDP -> New
UDP port – 10002
Set host – IP
Set source type – Manual
Source type – ossec
Save

Make sure UDP port 10002 is reachable from the OSSEC server (nothing in the firewall on the Splunk host blocking it)

On OSSEC:

vim /var/ossec/etc/ossec.conf
add the following block inside <ossec_config>, below the <global> section (it sits alongside <global>, not inside it):
<syslog_output>
  <server>172.25.3.3</server>   <!-- IP of the Splunk host -->
  <port>10002</port>            <!-- must match the Splunk UDP input above -->
</syslog_output>

/var/ossec/bin/ossec-control enable client-syslog

service ossec restart

You should now start getting OSSEC alerts in Splunk…!
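A quick sanity check for the OSSEC side of this setup, added here as an example and not part of the original post or of OSSEC itself: it parses an ossec.conf, finds every syslog_output block, and reports any that point somewhere other than the Splunk UDP input or that are nested inside another section (ossec-csyslogd only reads syslog_output as a direct child of ossec_config). The config text, the 10.0.0.9 address and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment (not from the post): the first block is
# placed correctly, the second is nested inside <global> and omits <port>.
SAMPLE_CONF = """
<ossec_config>
  <global><email_notification>no</email_notification></global>
  <syslog_output>
    <server>172.25.3.3</server>
    <port>10002</port>
  </syslog_output>
</ossec_config>
<ossec_config>
  <global>
    <syslog_output><server>10.0.0.9</server></syslog_output>
  </global>
</ossec_config>
"""

def parse_ossec_conf(text):
    # ossec.conf may contain several top-level <ossec_config> blocks, which
    # is not well-formed XML by itself, so wrap it in a synthetic root.
    return ET.fromstring("<root>" + text + "</root>")

def syslog_outputs(text):
    """Split <syslog_output> blocks into those ossec-csyslogd will read
    (direct children of <ossec_config>) and those nested elsewhere."""
    found = {"active": [], "misplaced": []}
    for cfg in parse_ossec_conf(text).findall("ossec_config"):
        direct = list(cfg)
        for blk in cfg.iter("syslog_output"):
            server = (blk.findtext("server") or "").strip()
            port = int((blk.findtext("port") or "514").strip())  # OSSEC default
            found["active" if blk in direct else "misplaced"].append((server, port))
    return found

def audit(text, splunk_host, splunk_port):
    """Return a list of problems; empty means the config matches the Splunk UDP input."""
    found = syslog_outputs(text)
    problems = [f"misplaced syslog_output for {s}:{p}" for s, p in found["misplaced"]]
    if (splunk_host, splunk_port) not in found["active"]:
        problems.append(f"no active syslog_output pointing at {splunk_host}:{splunk_port}")
    for s, p in found["active"]:
        if not 1 <= p <= 65535:
            problems.append(f"port {p} for {s} is out of range")
    return problems

if __name__ == "__main__":
    for problem in audit(SAMPLE_CONF, "172.25.3.3", 10002):
        print("WARN:", problem)
```

Run it against the real file with `audit(open("/var/ossec/etc/ossec.conf").read(), "172.25.3.3", 10002)` before restarting OSSEC; an empty list means the alerts will be sent where the Splunk input is listening.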
