There is a nice Splunk app that uses the OSSEC alerts.log for analysis. I would start there.
James

________________________________
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Mike Wisniewski
Sent: Monday, May 21, 2012 11:11 AM
To: ossec-list@googlegroups.com
Subject: [ossec-list] OSSEC + Splunk

Hi!

I've been using OSSEC for a while now and it works well. I'm also interested in integrating it with Splunk (free version) to do additional analysis and queries on the logs. I have a rather small environment and collect syslog data from a couple of other Linux (Ubuntu) servers. Right now, I ship that data into OSSEC and it will generate alerts for it.

My question: do I have OSSEC collect the syslog data and forward that to Splunk, or do I have Splunk collect the syslog data and make OSSEC read it?

Thanks!
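As an added illustration of the approach the reply suggests (working from OSSEC's alerts.log rather than re-ingesting the raw syslog stream into Splunk), here is a small Python parser. It is an example written for this page, not code from OSSEC, Splunk or the Splunk app mentioned above. It turns alerts.log records into one key=value line per alert, which Splunk extracts as fields without any configuration, and drops alerts below a chosen level so that only events worth searching are forwarded. The sample alerts are constructed for the example, and the output field names and the `min_level` threshold are choices made here, not anything OSSEC or Splunk mandates.

```python
"""Turn OSSEC alerts.log records into key=value lines that Splunk extracts as fields.

Added example for this thread; not code from OSSEC, Splunk or the Splunk app named in
the reply. Output field names and the level threshold are choices made here.
"""
import re

# Constructed sample in alerts.log format: two alerts from an agent, one local rootcheck alert.
SAMPLE_ALERTS = """\
** Alert 1337613060.4321: - syslog,sshd,authentication_failed,
2012 May 21 11:11:00 (web01) 192.0.2.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.7
User: root
May 21 11:11:00 web01 sshd[2231]: Failed password for root from 198.51.100.7 port 51022 ssh2

** Alert 1337613125.4400: mail  - syslog,sshd,authentication_failures,
2012 May 21 11:12:05 (web01) 192.0.2.10->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 198.51.100.7
User: root
May 21 11:12:05 web01 sshd[2240]: Failed password for root from 198.51.100.7 port 51030 ssh2
May 21 11:12:03 web01 sshd[2238]: Failed password for root from 198.51.100.7 port 51028 ssh2

** Alert 1337613200.4500: - ossec,rootcheck,
2012 May 21 11:13:20 ossec-server->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Process '4242' hidden from /proc. Possible kernel level rootkit.
"""

# "** Alert <epoch>.<seq>: [mail ] - <comma-separated groups>,"
HEADER = re.compile(r"^\*\* Alert (?P<ts>\d+)\.(?P<id>\d+):\s*(?P<mail>mail)?\s*-\s*(?P<groups>.*)$")
# "<date> (<agent>) <agent ip>-><log location>" for agents, "<date> <host>-><location>" locally
LOCATION = re.compile(
    r"^(?P<date>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<agent_ip>\S+?)|(?P<host>\S+?))->(?P<location>.*)$"
)
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alerts(text):
    """Parse the text of an alerts.log file into a list of dicts, one per alert."""
    alerts, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER.match(line)
        if m:
            current = {
                "timestamp": int(m.group("ts")),
                "alert_id": f"{m.group('ts')}.{m.group('id')}",
                "mail": bool(m.group("mail")),
                "groups": [g for g in m.group("groups").split(",") if g],
                "log": [],  # the original log line(s) that fired the rule
            }
            alerts.append(current)
            continue
        if current is None or not line:
            continue  # blank lines separate alerts; text before the first header is ignored
        if "location" not in current:
            m = LOCATION.match(line)
            if m:
                current["event_time"] = m.group("date")
                current["agent"] = m.group("agent") or m.group("host")
                current["agent_ip"] = m.group("agent_ip")
                current["location"] = m.group("location")
                continue
        if "rule_id" not in current:
            m = RULE.match(line)
            if m:
                current["rule_id"] = int(m.group("rule"))
                current["level"] = int(m.group("level"))
                current["description"] = m.group("desc")
                continue
        if not current["log"]:  # optional decoder fields appear before the log lines
            if line.startswith("Src IP: "):
                current["src_ip"] = line[len("Src IP: "):]
                continue
            if line.startswith("User: "):
                current["user"] = line[len("User: "):]
                continue
        current["log"].append(line)
    return alerts


def _kv(key, value):
    """Render one key=value pair; strings are quoted and escaped so Splunk keeps them whole."""
    if isinstance(value, bool):
        return f"{key}={str(value).lower()}"
    if isinstance(value, int):
        return f"{key}={value}"
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'{key}="{escaped}"'


def render_for_splunk(alerts, min_level=0):
    """One key=value line per alert at or above min_level; missing fields are omitted."""
    lines = []
    for a in alerts:
        if a.get("level", 0) < min_level:
            continue
        fields = [
            ("timestamp", a["timestamp"]), ("alert_id", a["alert_id"]), ("mail", a["mail"]),
            ("rule_id", a.get("rule_id")), ("level", a.get("level")),
            ("agent", a.get("agent")), ("agent_ip", a.get("agent_ip")),
            ("location", a.get("location")), ("src_ip", a.get("src_ip")),
            ("user", a.get("user")), ("groups", ",".join(a["groups"])),
            ("description", a.get("description")), ("log", " | ".join(a["log"])),
        ]
        lines.append(" ".join(_kv(k, v) for k, v in fields if v is not None))
    return lines


if __name__ == "__main__":
    for line in render_for_splunk(parse_alerts(SAMPLE_ALERTS), min_level=7):
        print(line)
```

Run it against the real /var/ossec/logs/alerts/alerts.log (for instance from cron, appending to a file that a Splunk file monitor watches). Splunk auto-extracts the key=value pairs, so `rule_id`, `src_ip` and `level` are searchable straight away; setting `TIME_PREFIX = timestamp=` and `TIME_FORMAT = %s` in props.conf makes Splunk use the alert's own epoch timestamp as `_time`. Forwarding only alerts above a threshold, rather than the whole syslog stream, also keeps the daily indexing volume small, which matters with the free licence's daily limit.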