Wazuh alert output to ossim alient vault

[phong xuan]

Hi, every one, i using  wazuh hybrid mode with elk wazuh api, but now i want use wazuh alert for ossim alienvaul. I dont know how to send wazuh alert to ossim. Does anyone have a solution for my sitiuation. Thanks

[Santiago Bassett]

I did this a long time ago. This is what I remember:

1.- Configured Wazuh  manager to generate a custom single-line output in /var/ossec/logs/alerts/alerts.log

2.- Configured Rsyslog (on the Wazuh manager system) to send Syslog data to OSSIM. 

3.- Configured Rsyslog (on OSSIM side) to write the Syslog input into a file.

4.- Install Logstash on OSSIM to parse the log data and convert it into a format that OSSIM plugin understands.

5.- Enable the plugin.

6.- You can also update the plugin .sql database with new rules using this python script: https://github.com/wazuh/wazuh/issues/71

See instructions of the steps above here:

1.- Configure OSSEC manager custom output: 

Include custom output in /var/ossec/etc/ossec.conf

<custom_alert_output>AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]"; </custom_alert_output>

2.- Configure OSSEC manager Rsyslog output:

Create /etc/rsyslog.d/ossec.conf (on OSSEC manager). TLS configuration is not needed unless is supported on the other end (OSSIM).

$ModLoad imfile

$InputFilePollInterval 1

# OSSEC alerts file

$InputFileName /var/ossec/logs/alerts/alerts.log

$InputFileTag ossec-alerts:

$InputFileSeverity info

$InputFileFacility local7

# State file only visible when rsyslog stops

# State file in $WorkDirectory

$InputFileStateFile stat-ossec1

$InputRunFileMonitor

# TLS configuration

#$DefaultNetstreamDriver gtls

#$DefaultNetstreamDriverCAFile /root/certificates/ca.pem

#$DefaultNetstreamDriverCertFile /root/certificates/cert-soc-collector1.pem

#$DefaultNetstreamDriverKeyFile /root/certificates/key-soc-collector1.pem

#$ActionSendStreamDriverAuthMode x509/name

#$ActionSendStreamDriverPermittedPeer example.domain.com

#$ActionSendStreamDriverMode 1

$template ossec,"%msg%\n"

if $syslogtag == 'ossec-alerts:' then @@OSSIM_SERVER_IP:514;ossec

& stop

3.- Check files are being read by rsyslogd

#Alert file

[root@ossec_manager]# lsof /var/ossec/logs/alerts/alerts.log 

COMMAND     PID   USER   FD   TYPE DEVICE SIZE/OFF      NODE NAME

ossec-mai 12447 ossecm    3r   REG  202,1  6968029 520130975 /var/ossec/logs/alerts/alerts.log

ossec-ana 12455  ossec   10w   REG  202,1  6968029 520130975 /var/ossec/logs/alerts/alerts.log

rsyslogd  12520   root    4r   REG  202,1  6968029 520130975 /var/ossec/logs/alerts/alerts.log

4.- Configure RSYSLOG to receive data on OSSIM server:

#/etc/rsyslog.d/ossec.conf on OSSIM

alienvault:~/certificates/alienvault# cat /etc/rsyslog.d/ossec.conf 

$template ossec,"AV -%msg%\n"

if $fromhost-ip == 'OSSEC_MANAGER_IP' then /var/log/ossec_alerts.log;ossec

& stop

5.- Enable OSSEC plugin on OSSIM server:

alienvault:~/certificates/alienvault# cp /etc/ossim/agent/plugins/ossec-single-line.cfg /etc/ossim/agent/plugins/ossec-single-line.cfg.local

alienvault:~/certificates/alienvault# grep location= /etc/ossim/agent/plugins/ossec-single-line.cfg.local 

location=/var/log/ossec_alerts.log

/etc/init.d/ossim-agent restart

6.- Check that OSSIM plugin for OSSEC is reading the alerts file (on OSSIM server):

alienvault:~/certificates/alienvault# lsof /var/log/ossec_alerts.log 

COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME

rsyslogd  20529 root   10w   REG  202,1  4251325 244823 /var/log/ossec_alerts.log

ossim-age 20902 root   26r   REG  202,1  4251325 244823 /var/log/ossec_alerts.log

add /var/log/ossec_alerts.log to /etc/logrotate.d/rsyslog

7.- Install Logstash server on OSSIM server:

wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

echo "deb http://packages.elastic.co/logstash/2.3/debian stable main" | sudo tee -a /etc/apt/sources.list

apt-get update && apt-get install logstash

apt-get install software-properties-common

add-apt-repository ppa:webupd8team/java

change repo by trusty webupd8team-java-jessie.list 

apt-get update && apt-get install oracle-java8-installer

8.- Configure Logstash server:

alienvault:~# cat /etc/logstash/conf.d/ossec.conf 

input {

  file {

    path => "/var/log/ossec_alerts_collector*"

    codec => multiline {

      pattern => "^\s\*\*\sAlert"

      negate => true

      what => "previous"

    }

  }

}

# Alert example

# ** Alert 1459800165.1367266852: - windows,system_error,\n 2016 Apr 04 20:02:45 (agentname) any->WinEvtLog\n Rule: 18103 (level 5) -> 'Windows error event.'\n User: (no user)\n 2016 Apr 04 15:02:43 WinEvtLog: System: ERROR(7023): Service Control Manager: (no user): no domain: example.domain.com: The service terminated with the following error:   %%193  

filter {

  # Parse the header of the alert

  grok {

    # Matches  2014 Mar 08 00:57:49 (some.server.com) 10.1.2.3->ossec

    match => ["message", "(?m) \*\* Alert %{DATA:timestamp_seconds}:%{SPACE}%{WORD}?%{SPACE}\- %{DATA:ossec_group}\n %{YEAR} %{SYSLOGTIMESTAMP:syslog_timestamp} \(%{DATA:reporting_host}\) %{DATA:reporting_ip}\-\>%{DATA:reporting_source}\n Rule: %{NONNEGINT:rule_number} \(level %{NONNEGINT:severity}\) \-\> '%{DATA:signature}'\n%{GREEDYDATA:remaining_message}"]

    # Matches  2014 Mar 08 00:00:00 ossec-server01->/var/log/auth.log

    match => ["message", "(?m) \*\* Alert %{DATA:timestamp_seconds}:%{SPACE}%{WORD}?%{SPACE}\- %{DATA:ossec_group}\n %{YEAR} %{SYSLOGTIMESTAMP:syslog_timestamp} %{DATA:reporting_host}\-\>%{DATA:reporting_source}\n Rule: %{NONNEGINT:rule_number} \(level %{NONNEGINT:severity}\) \-\> '%{DATA:signature}'\n%{GREEDYDATA:remaining_message}"]

    add_tag => "grokked"

}

  grok {

    # Attempt to parse additional data from the alert

    match => ["remaining_message", "(?m) (Src IP: %{IP:src_ip}%{SPACE})?(Src Port: %{NONNEGINT:src_port}%{SPACE})?(Dst IP: %{IP:dst_ip}%{SPACE})?(Dst Port: %{NONNEGINT:dst_port}%{SPACE})?(User: %{DATA:acct}\n)?%{SPACE}%{GREEDYDATA:real_message}"]

  }

  mutate {

    convert      => [ "timestamp_seconds", "integer"]

  }

}

#AlienVault format output

#AV - Alert - "1459811944" --> RID: "5716"; RL: "5"; RG: "syslog,sshd,authentication_failed,"; RC: "SSHD authentication failed."; USER: "None"; SRCIP: "1.1.1.1"; HOSTNAME: "alienvault"; LOCATION: "/var/log/auth.log"; EVENT: "[INIT]Apr  4 23:19:02 alienvault sshd[22925]: Failed password for root from 1.1.1.1 port 55516 ssh2[END]";

output {

  file {

    path => "/var/log/ossec_single_line.log"

    flush_interval => 1

    codec => line { format => 'AV - Alert - "%{timestamp_seconds}" --> RID: "%{rule_number}"; RL: "%{severity}"; RG: "%{ossec_group}"; RC: "%{signature}"; USER: "%{acct}"; SRCIP: "%{src_ip}"; HOSTNAME: "%{reporting_host}"; LOCATION: "%{reporting_source}"; EVENT: "[INIT}%{real_message}[END]";'}

  }

#  stdout { codec => rubydebug }

}

9.- Running Logstash server:

alienvault:~# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/ossec.conf

edit /etc/default/logstash

LS_CONF_DIR=/etc/logstash/conf.d

edit /etc/init.d/logstash

#  test_args="--configtest -f ${LS_CONF_DIR} ${LS_OPTS}"

  test_args="-f ${LS_CONF_DIR} ${LS_OPTS}"

Add file to logrotate:

/etc/logrotate.d/logstash

/var/log/ossec_single_line.log

Add location to ossec-single-line.cfg.local 

location=/var/log/ossec_single_line.log

/etc/init.d/ossim-agent restart

lsof /var/log/ossec_single_line.log

On Tue, May 30, 2017 at 12:30 AM, phong xuan <phongx...@gmail.com> wrote:

Hi, every one, i using  wazuh hybrid mode with elk wazuh api, but now i want use wazuh alert for ossim alienvaul. I dont know how to send wazuh alert to ossim. Does anyone have a solution for my sitiuation. Thanks

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/fbf8091e-d1b2-4a14-8d3d-9ef8ec2ab596%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[dango]

Hi, all .. i wanna explaining how to integrate ossim with elk and wazuh just i am get confused so i will explain what i understand and you can correct to me

i understand that you will install elk stack on the same server of alien-vault OSSIM because ossim doesn't have a log management ..
and we will use rsyslog server to collect logs from different asset ... and to do that you will configure wazuh manager on asset but after searching i found that wazuh manager is one of many components of wazuh server is is that way is compatible with ossim or not

and if it yes , please guide me how to do that .. and many thanks to you

On Tuesday, May 30, 2017 at 9:30:47 AM UTC+2, phong xuan wrote:

Hi, every one, i using  wazuh hybrid mode with elk wazuh api, but now i want use wazuh alert for ossim alienvaut. I don't know how to send wazuh alert to ossim. Does anyone have a solution for my sitiuation. Thanks

[Jose Antonio Izquierdo]

Hi, 

Not sure if this can help. I think there are 4 scenarios here. 

note:

Raw log is the log as soon is received by a rsyslog server.

alert is an analyzed event from wazuh after decoders/rules

alarm is a correlated event from ossim after correlation engine.

FLOW - Raw log:

1.- Data Source -> Ossim -> Wazuh

2.- Data Source -> Wazuh -> Ossim

You will need to modify your Rsyslog server on your first server configuration to forward to next step system. 

Alerts and alarms

3.- FLOW - Wazuh Alert -> Ossim

Alerts on Wazuh are stored in /var/ossec/logs/alerts/alerts.json. You can modify rsyslog to read that file and forward by syslog to ossim. You will need an OSSIM plugin to be sure all alarms are well parsed. Not sure if your ossim-agent plugin will be able to manage all wazuh alerts.

4.- FLOW Ossim Alarm -> Wazuh

Ossim alarm, are correlated events. You can define Alarm to syslog option in your OSSIM admin configuration. This will allow OSSIM to forward alarms to local Rsyslog server and then you can modify your rsyslog to forward alarms to Wazuh. Again, as before, you will need decoder/rule to collect the OSSIM alarm into Wazuh. I'm not sure if there is one ready by default.

Thanks, 

Best Regards,

--

jose antonio izquierdo

m - +34 673 055 255

skype - izquierdo.lopez

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c8cd2cab-4bae-4087-8e85-c41f72de674e%40googlegroups.com.

[dango]

Hi Jose,

Thanks for your reply tha make me to understand but i wanna to talk about my senario

i have installed ossec agent on assets i wannaclollect logs from

and ossec server on ossim server so now i had found that logs of assets appear on ossim dashboard as events after that i have installed logstash and elastic search to store logs ... i am confused at this point .. if i will need elastic search to store data so how can i do taht and if it van't so how ossim will do correlation and analysis on these data without logger

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

[Jose Antonio Izquierdo]

Hi Dango, 

you must take some decisions. using the alienvault-ossim agent is different than using wazuh-agent. You may think that, in the end, the agent is ossec, but it isn't the same.

so if you want to use the alienvault-ossim agent, your primary server console will be the alienvault-ossim console. if you want to use elasticsearch as logger then you will have a different path, but for using wazuh is a bit different. 

you need to decide which console you will use. if you want both then your agent will decide for you... if using alienvault-ossim agent, you will need to forward to wazuh from your alienvault-server box. if you choose wazuh-agent, then you will need to forward from your wazuh manager to alienvault-server. 

Hope this helps.

Thanks, 

Best Regards,

--

jose antonio izquierdo

m - +34 673 055 255

skype - izquierdo.lopez

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/c8cd2cab-4bae-4087-8e85-c41f72de674e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.

To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/74c5d16f-d5e2-446e-ae95-d5941ca57560%40googlegroups.com.