What we are doing is sending OSSEC data to the OSSEC server, and then
letting Splunk read it directly from the alerts file.

This works really well if your Splunk and OSSEC server are on the same host;
it takes a bit more tweaking if you want to go massive and distributed.

We are also in the process of rewriting a bunch of things in Splunk to
better handle some Windows events, as the categorization is limited.

Zate


On Mon, May 21, 2012 at 11:11 AM, Mike Wisniewski <wiz...@gmail.com> wrote:

> Hi!
>
> I've been using OSSEC for a while now and it works well.  I'm also
> interested in integrating it with Splunk (free version) to do additional
> analysis and queries on the logs.
>
> I have a rather small environment and collect syslog data from a couple of
> other Linux (Ubuntu) servers.  Right now, I ship that data into OSSEC and
> it will generate alerts for it.  My question: do I have OSSEC collect the
> syslog data and forward that to Splunk, or do I have Splunk collect the
> syslog data and make OSSEC read it?
>
> Thanks!
>
