Published on February 20th, 2011 | by NJ Ouchn0
Splunk for OSSEC v1.1.80 released
This package contains parsing logic, saved searches, and dashboards for monitoring the OSSEC Host-based Intrusion Detection System via Splunk. Support for managing agent keys is also provided.
Please read the Installation section – the app WILL NOT WORK without configuration.
Some functionality, primarily agent management, is not
currently supported when Splunk is running on Windows.
To install, extract the .tgz archive into $SPLUNK_HOME/etc/apps.
You may need to enable the appropriate inputs, either via
inputs.conf, or through the Manager in the Splunk GUI.
The application maintains a list of all known OSSEC
servers in a lookup table. When you first install, this
list will be empty except for a wildcard entry. You can
wait until it is populated automatically, or run
"Rebuild OSSEC Server Lookup Table" from the
Searches & Reports -> Utility menu.
This version introduces a number of changes from version
1.0 (see the CHANGES file). The recommended procedure is
to remove the old app before installing. Installing over
top of older versions should (mostly) work, but may cause

Sample input declarations are included with the application,
but are disabled by default. These may be enabled either
in inputs.conf, or via the Manager.
Several data input methods are available:
1) Native syslog daemon, writing to flat files which
are indexed by Splunk.
2) Syslog-style input directly to Splunk, listening
on a UDP port (this is the method often used by the
Splunk for OSSEC 3.x application)
3) Direct monitoring of OSSEC alert logs. Typically
requires Splunk to be installed on the OSSEC server.
4) Scripted input to periodically check the status of
OSSEC agents by running agent_control -l,
either locally or on a remote system.
For options (1) and (2), set the sourcetype to 'ossec'.
For option (3), set the sourcetype to 'ossec_alerts'.
For option (4), set the sourcetype to 'ossec_agent_control'.
Collection of OSSEC agent Operational Status:
To collect OSSEC agent status, you will need to be able
to run the agent_control command without a password.
For local OSSEC servers using the default path, this is
configured by default. For non-standard install paths,
you will need to edit ossec_servers.conf.
For remote execution, see below.
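The install, input-enabling and agent-status steps above, as one script. This is an added example, not a file shipped with the Splunk for OSSEC package: the app directory name "ossec", the scripted-input file name bin/ossec_agent_control.sh, the flat-file path /var/log/ossec.log, the UDP port 514 and the use of sudo to satisfy "without a password" are all assumptions; the stanza syntax is standard Splunk inputs.conf, and the sourcetypes are the ones the app requires.

```shell
#!/bin/sh
# Added example, not part of the Splunk for OSSEC app.
# Assumed names: app unpacks to $SPLUNK_HOME/etc/apps/ossec, the scripted
# input is bin/ossec_agent_control.sh, OSSEC lives in $OSSEC_DIR.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# 1) Unpack the release archive into Splunk's apps directory.
install_app() {
    archive="$1"   # path to the downloaded .tgz
    tar -xzf "$archive" -C "$SPLUNK_HOME/etc/apps"
}

# 2) Enable the inputs in the app's local/ directory, not default/, so a
#    later upgrade that replaces default/ does not silently disable them.
#    One stanza per input method, each with the sourcetype the app expects.
write_inputs_conf() {
    app_dir="$1"   # e.g. $SPLUNK_HOME/etc/apps/ossec
    mkdir -p "$app_dir/local"
    cat > "$app_dir/local/inputs.conf" <<EOF
# (1) syslog daemon writing OSSEC alerts to a flat file (path assumed)
[monitor:///var/log/ossec.log]
sourcetype = ossec
disabled = false

# (2) syslog-style input straight into Splunk over UDP (port assumed)
[udp://514]
sourcetype = ossec
disabled = false

# (3) alerts.log read directly on the OSSEC server
[monitor://$OSSEC_DIR/logs/alerts/alerts.log]
sourcetype = ossec_alerts
disabled = false

# (4) scripted input polling agent status (script name assumed)
[script://./bin/ossec_agent_control.sh]
sourcetype = ossec_agent_control
interval = 300
disabled = false
EOF
}

# 3) The scripted input must run agent_control non-interactively. "sudo -n"
#    fails instead of prompting, which is exactly what a scheduled input
#    would hit at runtime, so it is the right check to run as the Splunk user.
check_agent_control() {
    if sudo -n "$OSSEC_DIR/bin/agent_control" -l >/dev/null 2>&1; then
        echo "agent_control runs without a password"
        return 0
    fi
    echo "agent_control still needs a password; a NOPASSWD sudoers rule such as" >&2
    echo "  splunk ALL=(root) NOPASSWD: $OSSEC_DIR/bin/agent_control -l" >&2
    echo "(assumed Splunk runs as user 'splunk') would fix it" >&2
    return 1
}

# Run the whole procedure only when an archive path is given, e.g.
#   sh install_ossec_app.sh /tmp/splunk-for-ossec.tgz
if [ -n "${1:-}" ]; then
    install_app "$1"
    write_inputs_conf "$SPLUNK_HOME/etc/apps/ossec"
    check_agent_control
fi
```

Run it as the account Splunk runs under, since that is the account whose sudo rights the scripted input will have; a check that passes as root proves nothing about the runtime user.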