How to Get System Information using Agent in Ossec?


ram sri

Feb 21, 2019, 10:50:23 AM
to ossec-list
Hi,

How do I get system information like OS details, RAM details and other hardware details using the agent in OSSEC?

Thank you,

dan (ddp)

Feb 27, 2019, 7:26:42 AM
to ossec...@googlegroups.com
OS information may be in /var/ossec/queue/agent-info
There isn't really a standard way to get the other information. You
could add full_commands to get it, but it isn't really query-able.

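As an added illustration of the full_command approach dan mentions (example configuration written for this thread, not taken from it or from the OSSEC project), the agent-side localfile entries below run a command on a schedule and ship its output to the server as a log line. The local rule assumes the stock ruleset's rule 530, which matches "ossec: output:" messages at level 0; check the rule id against your installed ossec_rules.xml.

```xml
<!-- Agent side: /var/ossec/etc/ossec.conf (or agent.conf for centralized config).
     Each full_command block runs the command every <frequency> seconds and sends
     the whole output as one event prefixed with: ossec: output: '<command>': -->
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>uname -srm</command>   <!-- kernel name, release, machine arch -->
    <frequency>86400</frequency>    <!-- once a day is enough for OS details -->
  </localfile>
  <localfile>
    <log_format>full_command</log_format>
    <command>free -m</command>      <!-- total/used RAM in MB -->
    <frequency>3600</frequency>
  </localfile>
</ossec_config>

<!-- Server side: /var/ossec/rules/local_rules.xml.
     Rule 530 (stock ruleset) swallows every "ossec: output:" event at level 0,
     so a child rule is needed to make the report visible in alerts.log. -->
<group name="ossec,local,">
  <rule id="100100" level="3">       <!-- 100100: local rule id, assumed free -->
    <if_sid>530</if_sid>
    <match>ossec: output: 'uname -srm':</match>
    <description>Agent OS information reported.</description>
  </rule>
</group>
```

The output lands in the alert text as a raw string, which is dan's point: it is collected, but not queryable as structured fields.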

dan (ddp)

Feb 27, 2019, 8:03:17 AM
to ossec...@googlegroups.com
On Wed, Feb 27, 2019 at 7:47 AM ram sri <ramsr...@gmail.com> wrote:
>
> Ok dan (ddpbsd), but Wazuh has a module like syscollector that uses the <wodle> tag. Can't we configure it the same way in OSSEC?
>

I don't pay a lot of attention to what Wazuh does. If you want to
start porting the wodle stuff over to OSSEC, you can submit pull
requests at https://github.com/ossec/ossec-hids

dan (ddp)

Feb 27, 2019, 9:16:02 AM
to ossec...@googlegroups.com
On Wed, Feb 27, 2019 at 8:15 AM ram sri <ramsr...@gmail.com> wrote:
>
> So there is no way to get system information through the agent?
>

Probably not in the way you want it. But, if the wodle thing is
something you'd like to be integrated into OSSEC, you can submit pull

ram sri

Feb 27, 2019, 3:20:01 PM
to ossec-list
How do I integrate wodle into OSSEC?

dan (ddp)

Feb 27, 2019, 4:11:33 PM
to ossec...@googlegroups.com
On Wed, Feb 27, 2019 at 3:20 PM ram sri <ramsr...@gmail.com> wrote:
> How do I integrate wodle into OSSEC?

I haven’t looked at it. That’s probably the first step.

dan (ddp)

Feb 27, 2019, 5:30:19 PM
to ossec...@googlegroups.com
On Wed, Feb 27, 2019 at 4:26 PM ram sri <ramsr...@gmail.com> wrote:
>
> Any other method is there in ossec?
>

This is the last time I will be answering this:
There is no way to easily do this in a stock OSSEC installation.

If you want to contribute, we can help you port the wodle stuff over,
or someone can probably be convinced to take a contract to do the work.
Or if Wazuh has the features you want, and you can't/won't do the work to
port those features, use Wazuh.


ram sri

Feb 27, 2019, 5:34:15 PM
to ossec-list
Ok dan (ddpbsd), thank you for your reply.

lam...@gmail.com

Feb 28, 2019, 10:23:40 AM
to ossec-list
Actually, there is a solution for this, but it is a separate package that has to be installed and configured. It is called OSQUERY and can be found here:


OSQUERY is open source under the Apache license. Like OSSEC, it runs on almost every platform. It can provide a HUGE amount of information about the client system. It was developed by Facebook as an asset management subsystem and uses its own structured query language for pulling data from clients. There are several third-party modules that have been developed for it as well, including an installer and auto-updater (Kolide launcher). The Kolide tool for auto-updating might be a good model for building a tool to auto-update OSSEC someday too.

We have been looking at integrating OSQUERY with OSSEC for a while. The easiest way to do this would be to build a separate encrypted communication channel between the OSSEC server and OSQUERY. I will submit a pull request if we work all the details out for full integration. We are working on a PCI DSS-compliant port monitoring tool for OSSEC right now that we will submit in a separate pull request when it is done. If anyone is interested, I will be at the OSSEC conference on March 20th. Best,

Dave Stoddard
Network Alarm Corporation

Patrick Tobin

Feb 28, 2019, 1:48:31 PM
to ossec...@googlegroups.com

If you want an OSSEC fork with this built-in, I believe Wazuh has this, as well as integration with VirusTotal.


https://documentation.wazuh.com/current/user-manual/capabilities/osquery.html?highlight=osquery


Thanks,

Pat


Wayne Villars

Apr 12, 2019, 2:42:48 PM
to ossec-list
I was looking at doing this as well. The main thing holding me back is the limited set of fields that can be extracted. My current understanding is that OSSEC decoders' field extraction is limited to the following fields:

location        - where the log came from (only on FTS)
srcuser         - extracts the source username
dstuser         - extracts the destination (target) username
user            - an alias to dstuser (only one of the two can be used)
srcip           - source ip
dstip           - dst ip
srcport         - source port
dstport         - destination port
protocol        - protocol
id              - event id
url             - url of the event
action          - event action (deny, drop, accept, etc)
status          - event status (success, failure, etc)
extra_data      - Any extra data


Is my understanding correct? How do you intend to overcome this limitation? I mean, the opportunities for detection, if osquery and ossec were combined, are incredible, so I would love to take a stab at it.

Zack Vanderbilt

Apr 12, 2019, 2:56:49 PM
to ossec...@googlegroups.com
Hey Wayne,

Your understanding is correct; however, in version 3.3.x (currently available in master) there has been the addition of dynamic decoders, which will allow you to create whatever key-value pairs you want. There should be a new release in the coming weeks, but I am not 100% sure on when specifically it will be.

Stay tuned! 

- Zack


Wayne Villars

Apr 12, 2019, 2:59:55 PM
to ossec...@googlegroups.com
👍
