Thank you all for the responses.

I was planning on using the OSSEC app within Splunk.  I wanted to take 
advantage of that app, and I think it looks great.

I did some research and found one of the links you suggested as being 
helpful.  I already had Sagan running on the box and had OSSEC forwarding 
to syslog for Sagan.  Since I don't really use Sagan, I think I might 
have OSSEC forward to syslog and have Splunk read it in.

So, to answer my original question, if anybody else had the same one... 
I'm going to grab the syslog information from OSSEC, forward it to the 
local syslog daemon, then make Splunk read that file in.  :)

Thanks!

On Monday, May 21, 2012 11:11:23 AM UTC-5, Mike Wisniewski wrote:
>
> Hi!
>
> I've been using OSSEC for a while now and it works well.  I'm also 
> interested in integrating it with Splunk (free version) to do additional 
> analysis and queries on the logs.
>
> I have a rather small environment and collect syslog data from a couple of 
> other Linux (Ubuntu) servers.  Right now, I ship that data into OSSEC and 
> it generates alerts for it.  My question: do I have OSSEC collect the 
> syslog data and forward that to Splunk, or do I have Splunk collect the 
> syslog data and make OSSEC read it?
>
> Thanks!
>
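With the chain settled on above (OSSEC alert -> local syslog daemon -> Splunk monitoring the file), what Splunk actually ingests is a plain syslog line carrying the alert fields as text, so the field extraction is where the value lives. Added example, not code from this thread or from OSSEC/Splunk: a parser for the default OSSEC 2.x syslog_output line layout as I recall it (the `Alert Level: N; Rule: R - desc; Location: L;` prefix and the optional `srcip:`/`dstip:`/`user:` pairs are an assumption to verify against a real line from your own syslog), run over constructed sample lines, plus the level filter you would otherwise express as a Splunk search.

```python
import re
from typing import Optional

# Constructed sample lines (not real traffic). Two are OSSEC alerts in the
# assumed syslog_output layout; the third is an unrelated syslog line that the
# same file will contain and that the parser must skip.
SAMPLE_LINES = [
    "May 21 11:11:23 ossec ossec: Alert Level: 7; Rule: 5402 - Successful sudo to ROOT executed.; "
    "Location: (web01) 10.0.0.5->/var/log/auth.log; user: alice; "
    "May 21 11:11:22 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
    "May 21 11:12:01 ossec ossec: Alert Level: 5; Rule: 5716 - SSHD authentication failed.; "
    "Location: (db01) 10.0.0.9->/var/log/auth.log; srcip: 203.0.113.7; user: root; "
    "May 21 11:12:00 db01 sshd[2211]: Failed password for root from 203.0.113.7 port 41022 ssh2",
    'May 21 11:12:05 ossec rsyslogd: [origin software="rsyslogd"] rsyslogd was HUPed',
]

# ASSUMPTION: default OSSEC 2.x csyslogd format; adjust if your lines differ.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<relay>\S+) ossec: "
    r"Alert Level: (?P<level>\d+); Rule: (?P<rule_id>\d+) - (?P<description>.*?); "
    r"Location: (?P<location>[^;]*);(?P<rest>.*)$"
)
OPTIONAL_FIELD_RE = re.compile(r"^ (?P<key>srcip|dstip|user): (?P<value>[^;]*);")


def parse_ossec_syslog(line: str) -> Optional[dict]:
    """Return the alert fields for an OSSEC line, or None for any other syslog line."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["level"] = int(fields["level"])
    fields["rule_id"] = int(fields["rule_id"])
    rest = fields.pop("rest")
    # Peel off the optional key/value pairs OSSEC prepends; whatever is left is
    # the original log line that fired the rule (it may itself contain ';').
    while (om := OPTIONAL_FIELD_RE.match(rest)):
        fields[om["key"]] = om["value"]
        rest = rest[om.end():]
    fields["original_log"] = rest.strip()
    return fields


def alerts_at_or_above(lines, min_level: int) -> list:
    """Equivalent of a Splunk search on level>=N: only real alerts at or above the threshold."""
    parsed = (parse_ossec_syslog(line) for line in lines)
    return [a for a in parsed if a is not None and a["level"] >= min_level]
```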