I’ve been tinkering with OSSEC for about 6 months now. I’d like to set up a syslog server and have OSSEC send its alerts to the syslog server. Then I would like to use an Open Source tool to do reporting off the syslog server. Two questions:
1. Since OSSEC does some of its reporting off the log files, if I install OSSEC on the syslog server will I get double entries? It just sounds like a loop.
2. My security budget got doubled this year. $0x2=$0. But we must be secure. If I can’t do that, I can feel free to quit and we’ll get someone who will. So …… What Open Source products can I use for Debian syslog reporting? I’d like something web based. At this point I’m just looking to see all of my log info in one place.
Thanks much,
Tom
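On the first question, the thing to check is what the agent on the syslog server is told to read. An alert forwarded by OSSEC's syslog output carries the original log line inside it, so if the file those alerts land in is listed as a <localfile> for the agent on that box, the embedded sshd text can match the sshd rules a second time and produce a second alert, which is then forwarded too. The Python below is an added example written for this thread, not code from OSSEC or from either poster: it parses forwarded alerts in what I take to be the default client-syslog output format (the "ossec: Alert Level: N; Rule: ..." layout is an assumption; confirm it against one real forwarded message) and reports which ones would re-match. All sample lines and host names are constructed.

```python
import re

# Assumed layout of one alert after OSSEC's syslog output (client-syslog, default
# format) has been received by rsyslog and written with the usual syslog header.
# Which fields appear after "Location:" depends on what the decoder extracted
# (srcip, user, ...); the original log line is appended last. Check one real
# forwarded message against this pattern before relying on it.
FORWARDED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<relay>\S+) ossec: "
    r"Alert Level: (?P<level>\d+); Rule: (?P<rule>\d+) - (?P<desc>.*?); "
    r"Location: (?P<location>[^;]*); "
    r"(?P<fields>(?:\w+: [^;]*; )*)"
    r"(?P<log>.*)$"
)

# The kind of match an sshd authentication-failure rule applies to a raw line.
SSHD_FAIL = re.compile(r"sshd\[\d+\]: error: PAM: Authentication failure for \S+ from \S+")


def parse_forwarded_alert(line):
    """Split a forwarded OSSEC alert into its fields; None for any other line."""
    m = FORWARDED.match(line)
    if not m:
        return None
    fields = {}
    for kv in m.group("fields").rstrip("; ").split("; "):
        if kv:
            key, value = kv.split(": ", 1)
            fields[key] = value
    return {
        "level": int(m.group("level")),
        "rule": int(m.group("rule")),
        "desc": m.group("desc"),
        "location": m.group("location"),
        "fields": fields,
        "log": m.group("log"),  # the original event, verbatim
    }


def would_double_count(lines):
    """Forwarded alerts whose embedded log would match the sshd rule again if the
    file they were written to were read back by an OSSEC agent."""
    hits = []
    for line in lines:
        alert = parse_forwarded_alert(line)
        if alert and SSHD_FAIL.search(alert["log"]):
            hits.append(alert)
    return hits


def native_matches(lines):
    """Lines that are genuinely new sshd failures on the syslog host itself, which
    is all the agent should see once forwarded alerts are excluded."""
    return [l for l in lines if parse_forwarded_alert(l) is None and SSHD_FAIL.search(l)]


# Constructed contents of a file on the syslog server after one round of
# forwarding (hostnames and addresses invented for the example).
SAMPLE_LINES = [
    "Apr 14 23:26:13 sysloghost sshd[4321]: error: PAM: Authentication failure for UserB from BadHost2",
    "Apr 14 23:26:13 sysloghost ossec: Alert Level: 10; Rule: 5720 - Multiple SSHD authentication failures.; "
    "Location: (HostA) 10.x.x.x->/var/log/secure; srcip: BadHost1; user: UserA; "
    "Apr 15 03:26:29 HostA sshd[1993]: error: PAM: Authentication failure for UserA from BadHost1",
    "Apr 14 23:26:08 sysloghost ossec: Alert Level: 4; Rule: 101002 - User authentication failure.; "
    "Location: (Host1) 10.x.x.y->/var/log/messages; user: UserA; "
    "Apr 15 03:26:24 Host1 lsassd[4341]: 0x479d6940:Failed to authenticate user (name = 'UserA') -> "
    "error = 40056, symbol = LW_ERROR_ACCOUNT_DISABLED, client pid = 10943",
    "Apr 14 23:27:00 sysloghost cron[100]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for alert in would_double_count(SAMPLE_LINES):
        print(f"rule {alert['rule']} would fire again on: {alert['log']}")
    print(f"{len(native_matches(SAMPLE_LINES))} genuinely local sshd failure(s)")
```

The practical remedy sits in the collector rather than in the analyzer: have rsyslog write messages tagged ossec to their own file and keep that file out of the agent's <localfile> list on the syslog server, so only logs that originate on that host are analyzed there.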
Sorry - yes, multiple log messages, from different servers, are
included in one email.
Example of 5720:
OSSEC HIDS Notification.
2012 Apr 14 23:26:13
Received From: (HostA) 10.x.x.x->/var/log/secure
Rule: 5720 fired (level 10) -> "Multiple SSHD authentication failures."
Portion of the log(s):
Apr 15 03:26:29 HostA sshd[1993]: error: PAM: Authentication failure for UserA from cbigdc-padmp801.cbi.net
Apr 15 03:26:29 HostB sshd[26018]: error: PAM: Authentication failure for UserA from cbigdc-padmp801.cbi.net
Apr 15 03:26:28 HostC sshd[722]: error: PAM: Authentication failure for UserA from cbigdc-padmp801.cbi.net
Apr 14 20:26:28 HostD sshd[16629]: error: PAM: Authentication failure for UserA from cbigdc-padmp801.cbi.net
Apr 14 20:26:29 HostE sshd[6648]: error: PAM: Authentication failure for UserA from cbigdc-padmp801.cbi.net
Apr 15 03:26:28 HostF sshd[21030]: error: PAM: Authentication failure for UserA from cbigdc-padmp801.cbi.net
Apr 15 03:26:28 HostG sshd[4320]: error: PAM: Authentication failure for DOM\UserA from cbigdc-padmp801.cbi.net
--END OF NOTIFICATION
Example of 101002:
OSSEC HIDS Notification.
2012 Apr 14 23:26:08
Received From: (Host1) 10.228.0.182->/var/log/messages
Rule: 101002 fired (level 4) -> "User authentication failure."
Portion of the log(s):
Apr 15 03:26:24 Host1 lsassd[4341]: 0x479d6940:Failed to authenticate user (name = 'UserA') -> error = 40056, symbol = LW_ERROR_ACCOUNT_DISABLED, client pid = 10943
Apr 15 03:26:23 Host2 sshd[26801]: [module:pam_lsass]pam_sm_authenticate error [login:UserA][error code:40056]
Apr 15 03:26:23 Host2 lsassd[3395]: 0x4a622940:Failed to authenticate user (name = 'UserA') -> error = 40056, symbol = LW_ERROR_ACCOUNT_DISABLED, client pid = 26801
Apr 14 20:26:24 cbigdc-iecmb001 sshd[25199]: [module:pam_lsass]pam_sm_authenticate error [login:UserA][error code:40056]
--END OF NOTIFICATION
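Why one email carries lines from seven different servers: 5720 is a composite rule. It counts matches of rule 5716 (a single sshd authentication failure) per source within a timeframe, keyed on the decoded source with same_source_ip, and the agent that reported each line is not part of that key. Every failure from the one client, against whichever host, lands in the same window, and the alert that fires carries the whole window. The grouping also happens on the manager's clock as lines arrive, not on the timestamps inside the lines, which is why lines stamped 03:26 and 20:26 sit in one notification sent at 23:26. The Python below is an added example written for this thread, not OSSEC's code: it replays constructed events modelled on the 5720 email above through a same-source sliding-window counter. The threshold (frequency 6 in 360 seconds) and the arrival times are illustrative values, not a statement of how OSSEC's own rule file is tuned.

```python
import re
from collections import defaultdict, deque

# Stand-in for the sshd decoder plus a single-failure rule (5716 in OSSEC): match
# the PAM failure line and pull out the user and the source. The source is
# whatever sshd logged after "from", a hostname in the thread's case.
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: error: PAM: Authentication failure for (?P<user>\S+) from (?P<src>\S+)"
)


def decode(line):
    """Return (user, src) for an sshd PAM failure line, or None if it does not match."""
    m = SSHD_FAIL.search(line)
    return (m.group("user"), m.group("src")) if m else None


class SameSourceCorrelator:
    """Sliding-window counter keyed on the source field, the way a composite rule
    with <same_source_ip /> and a frequency/timeframe behaves.

    The reporting agent is stored with each event but is never part of the key,
    so failures from one source against many hosts share a window and an alert.
    """

    def __init__(self, rule_id, level, frequency, timeframe):
        self.rule_id, self.level = rule_id, level
        self.frequency, self.timeframe = frequency, timeframe
        self.windows = defaultdict(deque)  # src -> deque of (arrival, host, line)

    def feed(self, arrival, host, line):
        """Feed one event; return an alert dict when the threshold is reached."""
        decoded = decode(line)
        if decoded is None:
            return None
        _user, src = decoded
        q = self.windows[src]
        q.append((arrival, host, line))
        # Evict events older than the timeframe, measured on the manager's clock
        # (arrival), not on the timestamp written into the line.
        while q and arrival - q[0][0] > self.timeframe:
            q.popleft()
        if len(q) >= self.frequency:
            batch = list(q)
            q.clear()  # fresh window, so the next burst gets its own alert
            return {
                "rule": self.rule_id,
                "level": self.level,
                "src": src,
                "hosts": sorted({h for _, h, _ in batch}),
                "logs": [l for _, _, l in batch],
            }
        return None


def run(events, frequency=6, timeframe=360):
    """Replay events in arrival order through one correlator; return fired alerts."""
    corr = SameSourceCorrelator(rule_id=5720, level=10, frequency=frequency, timeframe=timeframe)
    alerts = []
    for arrival, host, line in sorted(events):
        alert = corr.feed(arrival, host, line)
        if alert:
            alerts.append(alert)
    return alerts


def fail_line(stamp, host, pid, user, src):
    return f"{stamp} {host} sshd[{pid}]: error: PAM: Authentication failure for {user} from {src}"


# Constructed events modelled on the 5720 email: (manager arrival time in seconds,
# reporting agent, raw line). Arrival times, BadHost2, HostZ and the cron line are
# invented for the demonstration.
SAMPLE_EVENTS = [
    (-1000, "HostZ", fail_line("Apr 14 23:09:00", "HostZ", 77, "UserA", "BadHost1")),  # stale, evicted
    (10, "HostA", fail_line("Apr 15 03:26:29", "HostA", 1993, "UserA", "BadHost1")),
    (11, "HostB", fail_line("Apr 15 03:26:29", "HostB", 26018, "UserA", "BadHost1")),
    (12, "HostC", fail_line("Apr 15 03:26:28", "HostC", 722, "UserA", "BadHost1")),
    (12, "HostB", fail_line("Apr 15 03:26:30", "HostB", 26020, "UserB", "BadHost2")),  # other source
    (13, "HostD", fail_line("Apr 14 20:26:28", "HostD", 16629, "UserA", "BadHost1")),
    (14, "HostE", fail_line("Apr 14 20:26:29", "HostE", 6648, "UserA", "BadHost1")),
    (14, "HostC", fail_line("Apr 15 03:26:31", "HostC", 725, "UserB", "BadHost2")),
    (15, "HostF", fail_line("Apr 15 03:26:28", "HostF", 21030, "UserA", "BadHost1")),
    (16, "HostG", fail_line("Apr 15 03:26:28", "HostG", 4320, "DOM\\UserA", "BadHost1")),
    (17, "HostA", "Apr 15 03:26:35 HostA cron[500]: (root) CMD (run-parts /etc/cron.hourly)"),  # noise
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"Rule {a['rule']} fired (level {a['level']}) src={a['src']} hosts={a['hosts']}")
        for l in a["logs"]:
            print("   ", l)
```

With these values the first six BadHost1 failures, reported by six different agents, fire one alert; the seventh starts a new window, the two BadHost2 failures never reach the threshold, and the stale HostZ line is evicted before it can count. Raising the frequency or shortening the timeframe changes how many lines share an email, which is the knob to turn if one alert per source is too coarse.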
Can that be done only for certain rules?
> I'd start by separating the sandbox machines from production machines.
> It wouldn't hurt to keep those on different managers.
That's a thought. Currently I install and configure OSSEC agents as
part of my Kickstart process, so I'd have to figure out some way to
"tag" which manager they should talk to. Are multiple OSSEC managers
completely separate, or is there any non-manual method for
coordinating them in terms of syncing rules and configs?
Thanks,
Christina