I'm wondering if anyone uses an OSSEC agent to monitor a Splunk server (free edition) for log integrity. For PCI-DSS, I understand one needs to make sure logs (stored on Splunk, in our case) maintain integrity.
I'm hoping OSSEC can help achieve this. To put it another way, we already have an OSSEC server monitoring the clients that are in turn logging to the Splunk server, so I think we're covered on some level, ensuring that the clients are not being tampered with, but it would be great to use OSSEC to verify that the centralized log server (Splunk) is maintaining integrity as well. Anyone have thoughts on this? Also, I sort of get that you can use OSSEC to monitor specific locations for changes, but I assume the Splunk indexes are always changing, so I'm unclear how OSSEC could be used to keep its "eye" on the Splunk data.
