How to configure outputs.conf on an OSSEC server to forward logs to a Splunk indexer?

kkingsland
Engager

I am trying to get a forwarder using the outputs.conf file on an OSSEC server to forward the logs to a Splunk server.

I cannot find anything at all on the proper setup for this and have all of the same items placed on the old Splunk server (v5) and the new Splunk server (v6). They are able to communicate because I am able to get the agent status information off of the servers.

Is there anything that I should be checking or placing?

I've gone through countless websites and searches through /answers/ but I cannot find anything at all to help me.

brettcave
Builder

Do you want all logs or just the alerts? If just the alerts, then consider using syslog_output in OSSEC with a UDP listener in SF.

inputs.conf

[udp://514]
sourcetype = syslog

ossec.conf

<ossec_config>
 ...
  <syslog_output>
    <server>127.0.0.1</server>
    <port>514</port>
    <format>splunk</format>
  </syslog_output>
 ...
</ossec_config>

Outputs.conf as per answer above.

0 Karma
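The syslog path in the answer above, worked through end to end as an added example (not code from the thread, OSSEC or Splunk): a UDP listener on loopback receives one OSSEC alert and splits it into the syslog header, the key=value metadata and the original log line. The sample message is constructed, and its key=value layout is an assumption modeled on what OSSEC's `<format>splunk</format>` emits; compare the field names against your own OSSEC version before building searches on them.

```python
"""Receive an OSSEC syslog_output alert over UDP and split it into fields.

Added example for this thread; it is not OSSEC or Splunk code. The message
layout ("ossec: crit=... id=... description=... component=..., <extra>  <raw log>")
follows the style of OSSEC's <format>splunk</format>, but the exact field
names are an ASSUMPTION: compare with what your own OSSEC version emits.
"""
import re
import socket

# Constructed sample, not a real alert. PRI 132 = facility 16 (local0) * 8 +
# severity 4 (warning). Two spaces separate the metadata from the raw log.
SAMPLE_MSG = (
    "<132>Jun 10 12:34:56 ossec-server ossec: crit=5 id=5712 "
    'description="SSHD brute force trying to get access to the system." '
    'component="(web01) 10.0.0.5->/var/log/auth.log", srcip=203.0.113.7  '
    "Jun 10 12:34:55 web01 sshd[2123]: Failed password for invalid user "
    "admin from 203.0.113.7 port 51234 ssh2"
)

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# key="quoted value" or key=bare_value; bare values stop at a space or comma
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_ossec_syslog(msg: str) -> dict:
    """Return syslog header fields plus OSSEC key=value fields and the raw log."""
    m = PRI_RE.match(msg)
    if not m:
        raise ValueError("missing syslog <PRI>")
    pri, rest = int(m.group(1)), m.group(2)
    head, sep, body = rest.partition(" ossec: ")
    if not sep:
        raise ValueError("not an OSSEC alert line")
    timestamp, _, host = head.rpartition(" ")
    # OSSEC puts two spaces between its metadata and the original log line
    meta, _, raw_log = body.partition("  ")
    fields = {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": timestamp,
        "host": host,
        "raw_log": raw_log,
    }
    for key, quoted, bare in KV_RE.findall(meta):
        value = quoted if quoted else bare
        fields[key] = int(value) if key in ("crit", "id") else value
    return fields


def udp_roundtrip(msg: str, timeout: float = 2.0) -> dict:
    """Bind a UDP listener on an ephemeral loopback port (binding 514 needs
    root), send msg to it and parse what arrives. This mirrors the
    [udp://514] input path without touching a real Splunk instance."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(timeout)
        port = rx.getsockname()[1]
        tx.sendto(msg.encode(), ("127.0.0.1", port))
        data, _ = rx.recvfrom(65535)
    finally:
        tx.close()
        rx.close()
    return parse_ossec_syslog(data.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    for k, v in udp_roundtrip(SAMPLE_MSG).items():
        print(f"{k}={v!r}")
```

Two practical points the round trip makes visible: 514 is a privileged port, so a forwarder not running as root needs a port above 1024 in both `inputs.conf` and `ossec.conf`, and UDP gives no delivery guarantee, so an alert dropped on the wire is simply gone (the file-monitor approach in the other answer does not have that problem).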

southeringtonp
Motivator

The agent management occurs outside of the normal Splunk forwarding, so it does not necessarily mean that they are communicating properly.

If the Universal Forwarder is working, you should be able to see other events with a search like host=myossecserver. As for outputs.conf, consult the Universal Forwarder documentation, but it usually looks something like:

[tcpout:group1]
server=splunk.mynetwork.local:9997

Then, you need to configure the Splunk forwarder to send OSSEC log files to the central Splunk indexer. It's the same as the "local server" setup from the Reporting and Management for OSSEC app. You can also just install the app on the forwarder but that's overkill and not necessarily recommended.

############################################################
# Sample inputs for OSSEC data sources (Local Server)
############################################################

[monitor:///var/ossec/logs/alerts/alerts*]
disabled = 0
sourcetype = ossec_alerts

[monitor:///var/ossec/logs/ossec.log]
disabled = 0
sourcetype = ossec_log

[monitor:///var/ossec/logs/active-responses.log]
disabled = 0
sourcetype = ossec_ar
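The checks a practitioner would run against the outputs.conf and inputs.conf stanzas in the answer above, as an added example that is not code from the thread, Splunk or OSSEC: parse both files, confirm every `[tcpout:<group>]` stanza names a `host:port`, list the monitored OSSEC paths and flag any that match nothing on the host, and test whether the indexer's receiving port accepts a TCP connection. The conf texts are constructed from the answer's stanzas (plus a `[tcpout]` `defaultGroup` line, which `splunk add forward-server` also writes); the indexer hostname is illustrative, and the loopback listener stands in for a real indexer so the check runs offline.

```python
"""Check a Universal Forwarder's outputs.conf/inputs.conf for the OSSEC
file-monitor setup, then test whether the indexer's receiving port answers.

Added example for this thread; it is not Splunk or OSSEC code. The conf
texts are constructed from the stanzas in the answer (plus a [tcpout]
defaultGroup line); the indexer hostname is illustrative.
"""
import configparser
import glob
import socket

OUTPUTS_CONF = """
[tcpout]
defaultGroup = group1

[tcpout:group1]
server = splunk.mynetwork.local:9997
"""

# Same stanza, but the port is missing: the forwarder cannot use this.
BAD_OUTPUTS_CONF = """
[tcpout:group1]
server = splunk.mynetwork.local
"""

INPUTS_CONF = """
[monitor:///var/ossec/logs/alerts/alerts*]
disabled = 0
sourcetype = ossec_alerts

[monitor:///var/ossec/logs/ossec.log]
disabled = 0
sourcetype = ossec_log

[monitor:///var/ossec/logs/active-responses.log]
disabled = 0
sourcetype = ossec_ar
"""


def parse_conf(text: str) -> configparser.ConfigParser:
    """Splunk .conf files are INI-like; keep key case and skip % interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def tcpout_targets(cp):
    """Return [(group, host, port)] from every [tcpout:<group>] stanza;
    raise if a server entry is not host:port or no group is defined."""
    targets = []
    for section in cp.sections():
        if not section.startswith("tcpout:"):
            continue
        group = section.split(":", 1)[1]
        for entry in cp.get(section, "server", fallback="").split(","):
            entry = entry.strip()
            if not entry:
                continue
            host, sep, port = entry.rpartition(":")
            if not sep or not host or not port.isdigit():
                raise ValueError(f"[{section}] server={entry!r} must be host:port")
            targets.append((group, host, int(port)))
    if not targets:
        raise ValueError("no [tcpout:<group>] stanza with a server= line")
    return targets


def monitored_paths(cp):
    """Return [(path, sourcetype, enabled)] for each [monitor://...] stanza."""
    result = []
    for section in cp.sections():
        if section.startswith("monitor://"):
            path = section[len("monitor://"):]
            sourcetype = cp.get(section, "sourcetype", fallback=None)
            disabled = cp.get(section, "disabled", fallback="0").lower()
            result.append((path, sourcetype, disabled not in ("1", "true")))
    return result


def missing_paths(paths):
    """Monitor paths (wildcards allowed) that match nothing on this host."""
    return [p for p in paths if not glob.glob(p)]


def port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect test for the indexer's receiving port (9997 by convention)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ephemeral_listener():
    """Stand-in for a listening indexer on loopback, so the check runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    for group, host, port in tcpout_targets(parse_conf(OUTPUTS_CONF)):
        print(f"{group}: {host}:{port} reachable={port_reachable(host, port)}")
    paths = monitored_paths(parse_conf(INPUTS_CONF))
    print("unmatched monitor paths:", missing_paths([p for p, _, _ in paths]))
```

A reachable port and a parseable outputs.conf are necessary but not sufficient: the indexer must also have a receiving port enabled (Settings > Forwarding and receiving, or `splunk enable listen 9997`), and the forwarder's user needs read access to `/var/ossec/logs/`, which OSSEC creates with restrictive ownership, or the monitor stanzas will silently index nothing.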