
Vendor - Ossec

Product - Ossec

Ref Link
Splunk Add-on https://splunkbase.splunk.com/app/2808/
Product Manual https://www.ossec.net/docs/index.html

Sourcetypes

sourcetype   notes
ossec        The add-on supports data from the following sources: File Integrity Management (FIM) data, FTP data, su data, ssh data, and Windows data, including audit and logon information

Sourcetype and Index Configuration

key     sourcetype   index   notes
ossec   ossec        main    None

Filter type

IP, Netmask or Host. OSSEC events are not recognised by message content; SC4S assigns the ossec sourcetype only to events whose source IP, network or host name matches the f_ossec filter configured below.

Setup and Configuration

  • Install the Splunk Add-on on the search head(s) for the user communities interested in this data source. If SC4S is the only ingestion path, the add-on is not required on the indexer.
  • OSSEC: follow the vendor configuration steps in the Product Manual to forward alerts via syslog to SC4S.
  • Ensure the host and timestamp are included in the forwarded messages.
  • Edit /opt/sc4s/local/context/vendor_product_by_source.conf and update the host name or IP mask in the f_ossec filter so that SC4S can identify the OSSEC events.
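The filter edit in the last step, written out as an added example; this is not the SC4S project's shipped file nor OSSEC documentation. It assumes that vendor_product_by_source.conf already contains an f_ossec stub to replace, that the OSSEC manager forwards its alerts with the host name ossec-mgr01 (or one of several managers named ossec-mgr*), and that those managers sit in 10.10.5.0/24. The host names and the network are placeholders; substitute your own and delete the match clauses you do not need.

```conf
# /opt/sc4s/local/context/vendor_product_by_source.conf
#
# Added example (not the SC4S-shipped stub): classify syslog from the
# OSSEC manager(s) as the "ossec" vendor product. Keep the filter name
# f_ossec, which is the name SC4S maps to the ossec sourcetype.
# Host names and the netmask below are assumed for illustration.
filter f_ossec {
    # Exact match on the syslog host name as SC4S resolves it ...
    host("ossec-mgr01" type(string))
    # ... or a glob for several managers that share a naming prefix ...
    or host("ossec-mgr*" type(glob))
    # ... or the sender's IP network, which matches regardless of the
    # host name carried in the message (useful when name resolution is
    # unreliable or the manager sends its IP as the host).
    or netmask("10.10.5.0/24")
};
```

Restart SC4S after editing so the new filter is loaded; the container reads its local context files at startup. Because the OSSEC manager forwards alerts for all of its agents, the matched host is the manager itself, and the originating agent name appears inside the message rather than in the host field. If you would rather not classify by source, set SC4S_LISTEN_OSSEC_UDP_PORT or SC4S_LISTEN_OSSEC_TCP_PORT to a dedicated port and point the manager's syslog output at that port; events received there are assigned to ossec without the host filter.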

Options

Variable                      default        description
SC4S_LISTEN_OSSEC_TCP_PORT    empty string   Enable a TCP port for this specific vendor product using a comma-separated list of port numbers
SC4S_LISTEN_OSSEC_UDP_PORT    empty string   Enable a UDP port for this specific vendor product using a comma-separated list of port numbers
SC4S_ARCHIVE_OSSEC            no             Enable archive to disk for this specific source
SC4S_DEST_OSSEC_HEC           no             When Splunk HEC is disabled globally, set to yes to enable this specific source

Verification

Use the following search to validate events are present

index=main sourcetype=ossec

Verify that the timestamp and host values match what you expect: host should be the system forwarding the OSSEC alerts rather than the SC4S host, and _time should track the event time in the message rather than the time SC4S received it.