Adding OSSEC Alerts to Splunk

Next up I want to add my OSSEC alerts to Splunk. This is slightly more complicated than adding the Nagios logs, but well documented. The main part of this comes from the OSSEC Wiki Here, and the rest from the forums, but I’ll put it all here for my reference.

1. Edit your ossec.conf (if you’ve installed it like I have, it’s located at /var/ossec/etc/ossec.conf) and add the following block:

2. Enable the syslog_output module and restart OSSEC:
# /var/ossec/bin/ossec-control enable client-syslog
# /var/ossec/bin/ossec-control restart

On restart you’ll see ossec-csyslogd starting up.

On the Splunk Side
1. Go to Manager
2. Go to Data Inputs
3. On UDP click Add New
4. On my setup the UDP port is 10002
5. Set source type to Manual
6. Source type is ossec
7. Save
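As an added example (not code from the post, OSSEC or Splunk), here is a small Python check of what OSSEC is actually sending to that UDP port before Splunk ingests it: parse_ossec_alert() decodes the syslog PRI header and the key=value fields, and listen() prints each parsed alert as it arrives. The sample line and the set of keys (crit, id, description, component, classification, srcip, message) are constructed assumptions modelled on OSSEC's "splunk" output format, and the listener assumes Splunk's UDP input is not bound to the port at the same time.

```python
import re
import socket

# Constructed sample of one OSSEC alert as sent by ossec-csyslogd in
# "splunk" (key=value) format. Field names are an assumption, not taken
# from the post; the parser does not depend on any particular key set.
SAMPLE_ALERT = (
    '<132>Mar 10 12:34:56 ossec-server ossec: crit=10 id=5712 '
    'description="SSHD brute force trying to get access to the system." '
    'component="(web01) 10.0.0.5->/var/log/auth.log" '
    'classification=" syslog,sshd,authentication_failed," srcip="203.0.113.7" '
    'message="Mar 10 12:34:55 web01 sshd[2231]: Failed password for invalid '
    'user admin from 203.0.113.7"'
)

# <PRI>Mmm dd HH:MM:SS host ossec: <body>
HEADER_RE = re.compile(
    r'^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ossec: (.*)$')
# key=value where value is either a double-quoted string (backslash escapes
# allowed) or a bare token; quoted strings are consumed whole so that '='
# inside a message never starts a new field.
KV_RE = re.compile(r'(\w+)=("((?:[^"\\]|\\.)*)"|\S+)')


def parse_ossec_alert(line):
    """Return a dict of syslog header fields plus the alert's key=value
    pairs, or None if the line is not an OSSEC syslog alert."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    pri, timestamp, host, body = m.groups()
    pri = int(pri)
    fields = {'facility': pri // 8, 'severity': pri % 8,
              'timestamp': timestamp, 'host': host}
    for key, raw, quoted in KV_RE.findall(body):
        fields[key] = quoted if raw.startswith('"') else raw
    for key in ('crit', 'id'):        # numeric OSSEC fields, when present
        if key in fields and fields[key].isdigit():
            fields[key] = int(fields[key])
    return fields


def listen(port=10002, host='0.0.0.0'):
    """Debug listener on the same UDP port the Splunk input uses (port
    number assumed from the post); stop Splunk's input first."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, addr = sock.recvfrom(65535)
            print(addr[0], parse_ossec_alert(data.decode('utf-8', 'replace')))


if __name__ == '__main__':
    print(parse_ossec_alert(SAMPLE_ALERT))
    listen()
```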

Now, since things have changed in Splunk 4, the rest of the wiki entry doesn’t help. But there is more information on this Forum Thread.

So download that file and extract it to your Splunk directory as stated. Restart Splunk and, bingo, you have your OSSEC alerts plus lots of nice menu options to access that data.

