icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Reporting and Management for OSSEC
SHA256 checksum (reporting-and-management-for-ossec_1292.tgz) 33c926cf45f5bfd1dd1efa6aa30eb74821d427be057385449c3eb5b75be86e92 SHA256 checksum (reporting-and-management-for-ossec_1189.tgz) b87a5de923cc8a6d7f8d83462c257a491493284abb8a1a6519768f5c9643fa49 SHA256 checksum (reporting-and-management-for-ossec_1188.tgz) 1f39e4249dbd0cb39547f6490b5c20b5c8bbbc264f5bd66d04fcd3f706293536 SHA256 checksum (reporting-and-management-for-ossec_1185.tgz) 716094d3062f04165a029a38697d81f0d96829982e1c7b10a066ac01f7c39d7b SHA256 checksum (reporting-and-management-for-ossec_1184.tgz) d5d1fd2ec30498a04630b043c5fcd57ec5aaaeb58d290774bfaefc2105f8f838 SHA256 checksum (reporting-and-management-for-ossec_1181.tgz) b7f36ff85262676f8e12febd051adca90e3e148dd2585f5e046e38ff1b242b89 SHA256 checksum (reporting-and-management-for-ossec_1180.tgz) 91fb38e423f45fd2fa59708974e555151c721183120f22dd388920de9aa13954 SHA256 checksum (reporting-and-management-for-ossec_1179.tgz) 5a16967ed0ffdc110d4b36f5516877a59f0849dbd1b0a34aa84636db7536a7cc SHA256 checksum (reporting-and-management-for-ossec_1177.tgz) b5fe39709ccbfbe173b071c408d6361e9134ca2d22da0d5282a980bf7746caf1 SHA256 checksum (reporting-and-management-for-ossec_1175.tgz) 4c4653121838e7de5a1ee8aafbf981e63ba215437f2749f6b23ba926d38efce9 SHA256 checksum (reporting-and-management-for-ossec_1026.tgz) d151d650b4b0b6032fbb2af6470c69862231f6e99a61b67162c58702c565afec
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


Reporting and Management for OSSEC

This app has been archived. Learn more about app archiving.
This app is NOT supported by Splunk. Please read about what that means for you here.
This package was formally named Splunk for OSSEC (renamed to meet new Splunk trademark guidelines).

This package contains parsing logic, saved searches, and dashboards for monitoring the OSSEC Host-based Intrusion Detection System via Splunk. Support for managing agent keys via is also provided.

Please read the Installation section - the app WILL NOT WORK without configuration.


This package contains parsing logic, saved searches, and dashboards for monitoring the OSSEC Host-based Intrusion Detection System via Splunk.

Please read the Installation section below - the app will not work correctly without configuration.

Some functionality, primarily agent management, is not currently supported when Splunk is running on Windows.


To install, extract the .tgz archive in $SPLUNK_HOME/etc/apps

You may need to enable the appropriate inputs, either via inputs.conf, or through the Manager in the Splunk GUI.

The application maintains a list of all known OSSEC servers in a lookup table. When you first install, this list will be empty except for a wildcard ntry. You can wait until it is populated automatically, or run OSSEC - Rebuild OSSEC Server Lookup Table from the Searches & Reports -> Utility menu.


This version introduces a number of changes, particularly from version 1.0 (see the CHANGES file). The recommended procedure is to remove the old app before installing. Installing over top of older versions should (mostly) work, but may cause some problems.

Data Inputs

Sample input declarations are included with the application, but are disabled by default. These may be enabled either in inputs.conf, or via the Manager.

Several data input methods are available:

  1. Native syslog daemon, writing to flat files which are indexed by Splunk.
  2. Syslog-style input directly to Splunk
  3. Direct monitoring of OSSEC alert logs. Typically requires Splunk to be installed on the OSSEC server.
  4. Scripted input to periodically check the status of OSSEC agents by running ossec_agent_control -l, either locally or on a remote system.

For options (1) and (2), set the sourcetype to 'ossec'.
For option (3), set the sourcetype to 'ossec_alerts'.
For option (4), set the sourcetype to 'ossec_agent_control'.

Collection of OSSEC agent Operational Status:

To collect OSSEC agent status, you will need to be able run the agent_control command without a password.

For local OSSEC servers using the default path, this is configured by default. For non-standard install paths, you will need to edit ossec_servers.conf.

For remote execution, see below.

Managing Agent Keys from Splunk

To enable key management, you will need to be able to run the manage_agents command without a password. You will also need to be a member of either the Splunk Admin role or the OSSEC Admin role.

This feature is not enabled by default for security reasons. You can enable it by editing ossec_servers.conf.

For remote execution, see below.

Enabling Remote Execution

For remote agent status collection and remote management, you can use SSH and sudo to avoid password prompts.

The Splunk service account (root by default) will need to be able to log into the OSSEC server as a user with permissions to run the following commands without being prompted for a password:
agent_control -l

For more detailed instructions, consult Splunk Answers:

Agent Coverage Tracking

At present, the agent coverage dashboard currently relies on agent status information from the agent_control command (see above). A Splunk Enterprise license is needed for the scheduled searches.

To use agent coverage tracking, you must populate a lookup table that tracks all hosts that should be monitored by OSSEC. By default, all hosts seen by Splunk in the last 30 days will be expected.

Edit the saved search OSSEC - Track Expected Hosts to configure your own list. For example, all servers or all members of a particular LDAP container.

Malware Alerting

Alerting on malware file hashes only works when Splunk is directly monitoring the ossec alerts log (Syslog-based logging does not include the hashes).

If you are using this method, you can configure your email address and enable the alert from the Manager.

The MD5 and SHA1 file hashes will be sent to a third party (Team Cymru) for validation.

No guarantees of accuracy are provided.

3rd-Party Components / Disclaimers

This app includes third-party components and/or interfaces with third-party services. See the 3rdparty directory for details.

OSSEC is a product of Daniel Cid and Trend Micro. The app author is not afilliated with Trend Micro.

Splunk for OSSEC neither supported nor endorsed by Trend Micro or the OSSEC developers. The author makes no warranties or
guarantees of any kind. Use is at your own risk.

Release Notes

Version 1.2.92
Jan. 22, 2017

Version 1.2.92

  • Added OSSEC Event Map view

Version 1.2.91

  • Minor version bump
  • Minor compatibility fixes for newer Splunk versions up to 6.5
  • Splunk versions prior to 6 are no longer supported
    (though partial functionality should still work)
  • Update rule group with current git rules
  • Migrate OSSEC Event Search form to Splunk 6 Simple XML.
  • Added fields/aliases for ids_type, src, category

Version 1.1.90

  • Replace all FlashChart modules with JSChart
  • Replace all flashtimeline references with search
  • Update rule group lookup from current bitbucket rules
  • Initial support for OSSEC 2.7+ "splunk" output format
    (Use of this format is discouraged, however).
Version 1.1.89
March 14, 2012

Version 1.1.89

  • Fixed a bug in ossec_agent_status that could prevent agent status polling from working correctly in certain configurations.

  • Increased timeout on agent status polling from 5 to 30 seconds

  • Updated rule group lookup table with rules from latest OSSEC build on BitBucket.

  • Removed unused Intersplunk dependency from pyOSSEC to ease command-line testing.

Version 1.1.88
June 17, 2011

Version 1.1.88

  • Added indexing of ossec.log file when Splunk is installed on the
    OSSEC server.

  • Added saved search to re-initialize ossec server lookup table

  • Bugfixes / parsing improvements when working with local alerts file
    (when Splunk is installed directly on the OSSEC server)

  • Improved suppression of Windows event explanatory text when working
    with local alerts file (Splunk installed directly on OSSEC server)

Version 1.1.85
June 12, 2011

Version 1.1.85

  • Re-scoped Navigation menu to avoid clobbering menus in other app

  • Updated rule group lookup table with rules from OSSEC 2.6 beta

  • Modified rule group lookup generating script to accept rules directory
    as a parameter

  • Added indexing of Active Response logs when Splunk is installed on the
    OSSEC server

  • Fixed an issue in the Agent Management view that could cause the
    list of managed servers to appear empty.

  • Removed local.meta file that had accidentally slipped into the

  • Corrected CSS formatting in Agent Coverage view.

Version 1.1.84
April 5, 2011

Version 1.1.84

  • Corrected stats calculation for Top 10 views

  • Added triggers entry in app.conf

  • Resolved a display error affecting File Integrity view with Splunk 4.2

  • Added workflow action for VirusTotal hash lookups

  • Minor bugfixes

Version 1.1.81
Feb. 23, 2011

Version 1.1.81

  • Fixed cron_schedule entry for lookup table generating search
  • Fixed startup warnings for Splunk 4.2
Version 1.1.80
Feb. 17, 2011

Version 1.1.80

  • Improved error reporting in ossec_agent_status script.
Version 1.1.79
Dec. 15, 2010

Version 1.1.79

  • Stripped out explanatory text on Microsoft-Windows-Security-Auditing events
    ("This event is generated when...")

  • Extracted EventCode, LogName, SourceName, and Type for Windows events

Version 1.1.77
Oct. 11, 2010

Version 1.1.77

  • Added Event Renderer for high-severity events (modify the eventtype to tune threshold)

  • Better handling of agent management connection errors

  • Increased default timeouts on agent connection

Version 1.1.75
Oct. 7, 2010

Version 1.1.75

  • Updated rule group lookup table to match OSSEC 2.5 ruleset

  • Increased results shown on agent management dashboard from 10 to 15

  • Modified Event Search view to better handle events with no ossec_group.

  • Fixed issue with ossec_group field extraction when using ossec-alerts sourcetype.

  • Removed extra divider from Utilities nav menu

  • pyOSSEC cleanup and fixes:

    • Implemented support for disabling configuration stanzas
    • Normalized whitespace
Version 1.0.26
March 1, 2010

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.