OSSEC how to check if log is monitoring anything on webserver and forwarding it to Splunk

Hi, Firstly, I have a question regarding what components are required for the forwarding of the logs to Splunk from my webserver. My current setup is: **Splunk running on a Linux Server:** - Splunk Indexer - Reporting and Management for OSSEC app and add-on, installed, but unconfigured **Linux Webserver to be monitored:** - OSSEC hids 2.9.2, installed with a bit of configurations done. - SplunkUniversalForwarder, installed and configured, currently have some system stats indexed in Splunk Indexer. Are the necessary components that is required to forward data to Splunk in both systems? Secondly, The current problems that i am facing now is that: 1. I am unsure of how to check whether OSSEC is monitoring the web server and if the configurations made in ossec.conf are correct. I am only looking at monitoring some directories and alerting and logging if there are any changes made. I have not enabled email notification and would like to configure that on Splunk instead. Would this be possible? This is my ossec.conf file. norules_config.xmlpam_rules.xmlsshd_rules.xmltelnetd_rules.xmlsyslog_rules.xmlarpwatch_rules.xmlsymantec-av_rules.xmlsymantec-ws_rules.xmlpix_rules.xmlnamed_rules.xmlsmbd_rules.xmlvsftpd_rules.xmlpure-ftpd_rules.xmlproftpd_rules.xmlms_ftpd_rules.xmlftpd_rules.xmlhordeimp_rules.xmlroundcube_rules.xmlwordpress_rules.xmlcimserver_rules.xmlvpopmail_rules.xmlvmpop3d_rules.xmlcourier_rules.xmlweb_rules.xmlweb_appsec_rules.xmlapache_rules.xmlnginx_rules.xmlphp_rules.xmlmysql_rules.xmlpostgresql_rules.xmlids_rules.xmlsquid_rules.xmlfirewall_rules.xmlapparmor_rules.xmlcisco-ios_rules.xmlnetscreenfw_rules.xmlsonicwall_rules.xmlpostfix_rules.xmlsendmail_rules.xmlimapd_rules.xmlmailscanner_rules.xmldovecot_rules.xmlms-exchange_rules.xmlracoon_rules.xmlvpn_concentrator_rules.xmlspamd_rules.xmlmsauth_rules.xmlmcafee_av_rules.xmltrend-osce_rules.xmlms-se_rules.xmlzeus_rules.xmlsolaris_bsm_rules.xmlvmware_rules.xmlms_dhcp_rules.xmlasterisk_rules.xmlossec_rules.xmlattack_rules.xmlopenbsd_rules.xmlclam_av_rules.xmlsysmon_rules.xmlopensmtpd_rules.xmlexim_rules.xmllocal_rules.xml14400yes/etc,/usr/bin,/usr/sbin/bin,/sbin,/boot/$dir/home/$userdir/etc/mtab/etc/mnttab/etc/hosts.deny/etc/mail/statistics/etc/random-seed/etc/adjtime/etc/httpd/logs/etc/utmpx/etc/wtmpx/etc/cups/certs/etc/dumpdates/etc/svc/volatileC:\WINDOWS/System32/LogFilesC:\WINDOWS/DebugC:\WINDOWS/WindowsUpdate.logC:\WINDOWS/iis6.logC:\WINDOWS/system32/wbem/LogsC:\WINDOWS/system32/wbem/RepositoryC:\WINDOWS/PrefetchC:\WINDOWS/PCHEALTH/HELPCTR/DataCollC:\WINDOWS/SoftwareDistributionC:\WINDOWS/TempC:\WINDOWS/system32/configC:\WINDOWS/system32/spoolC:\WINDOWS/system32/CatRoot/var/ossec/etc/shared/rootkit_files.txt/var/ossec/etc/shared/rootkit_trojans.txt/var/ossec/etc/shared/system_audit_rcl.txt/var/ossec/etc/shared/cis_debian_linux_rcl.txt/var/ossec/etc/shared/cis_rhel_linux_rcl.txt/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt127.0.0.1::1^localhost.localdomain$172.22.0.21host-denyhost-deny.shsrcipyesfirewall-dropfirewall-drop.shsrcipyesdisable-accountdisable-account.shuseryesrestart-ossecrestart-ossec.shroute-nullroute-null.shsrcipyeshost-denylocal6600firewall-droplocal6600syslog/var/log/messagessyslog/var/log/securesyslog/var/log/maillogapache/var/log/httpd/error_logapache/var/log/httpd/access_logcommanddf -Pfull_commandnetstat -tan |grep LISTEN |egrep -v '(127.0.0.1| ::1)' | sortfull_commandlast -n 5localhost514default 2. Where can i find the syslogs of the stuffs that are monitored? And from there on, how should i be forwarding it to Splunk for indexing? Thank you, i would appreciate any guidance or help! :)