yes, I have done this before. You just need to write the alerts in the format expected by OSSIM plugin for OSSEC. In order to change the format you can use Logstash.
Below you have my notes from when I did this (this should have been a blog post, but I was lazy). I hope it helps,
Santiago.
1.- Configure OSSEC manager custom output:
Include custom output in /var/ossec/etc/ossec.conf
<custom_alert_output>AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]"; </custom_alert_output>
2.- Configure OSSEC manager Rsyslog output:
Create /etc/rsyslog.d/ossec.conf (on the OSSEC manager). TLS configuration is not needed unless it is supported on the other end (OSSIM).
# /etc/rsyslog.d/ossec.conf on the OSSEC manager: tail the OSSEC alerts file
# with imfile and forward each line to the OSSIM collector over TCP.
$ModLoad imfile
# Poll the alerts file once per second
$InputFilePollInterval 1
# OSSEC alerts file
$InputFileName /var/ossec/logs/alerts/alerts.log
# Tag used by the forwarding rule below to select these messages
$InputFileTag ossec-alerts:
$InputFileSeverity info
$InputFileFacility local7
# State file only visible when rsyslog stops
# State file in $WorkDirectory
$InputFileStateFile stat-ossec1
$InputRunFileMonitor
# TLS configuration
# NOTE(review): while this block stays commented out the forwarding below is
# plaintext TCP: alert bodies (full log lines, usernames, source IPs) are
# readable on the wire and the receiver cannot verify who sent them. Enable
# it on both ends for any link that is not trusted.
#$DefaultNetstreamDriver gtls
#$DefaultNetstreamDriverCAFile /root/certificates/ca.pem
#$DefaultNetstreamDriverCertFile /root/certificates/cert-soc-collector1.pem
# Private key: keep it readable only by the user rsyslogd runs as
#$DefaultNetstreamDriverKeyFile /root/certificates/key-soc-collector1.pem
#$ActionSendStreamDriverAuthMode x509/name
#$ActionSendStreamDriverMode 1
# Send only the message body (the custom_alert_output line), no syslog header
$template ossec,"%msg%\n"
# @@ is TCP (a single @ would be UDP); replace OSSIM_SERVER_IP with the collector address
if $syslogtag == 'ossec-alerts:' then @@OSSIM_SERVER_IP:514;ossec
# Stop here so the tagged lines do not also fall through to the default rules
& stop
3.- Check that the alerts file is being read by rsyslogd:
#Alert file
[root@ossec_manager]# lsof /var/ossec/logs/alerts/alerts.log
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ossec-mai 12447 ossecm 3r REG 202,1 6968029 520130975 /var/ossec/logs/alerts/alerts.log
ossec-ana 12455 ossec 10w REG 202,1 6968029 520130975 /var/ossec/logs/alerts/alerts.log
rsyslogd 12520 root 4r REG 202,1 6968029 520130975 /var/ossec/logs/alerts/alerts.log
4.- Configure RSYSLOG to receive data on OSSIM server:
#/etc/rsyslog.d/ossec.conf on OSSIM
alienvault:~/certificates/alienvault# cat /etc/rsyslog.d/ossec.conf
# Receive side (OSSIM): write the line in the format the OSSIM ossec plugin
# expects, i.e. the manager's custom_alert_output 'AV - Alert - "..." --> RID: ...'.
# NOTE(review): the leading "AV -" is re-added here; presumably the receiver's
# syslog parser consumes the first token of the header-less line, so confirm by
# comparing a line of /var/log/ossec_alerts.log with the manager's alerts.log.
$template ossec,"AV -%msg%\n"
# NOTE(review): no TCP listener ($ModLoad imtcp / $InputTCPServerRun 514) is
# shown in this file; it has to be configured elsewhere for the manager's
# @@...:514 stream to arrive.
# Selection is by source IP only: with the TLS/x509 block on the manager left
# commented out nothing authenticates the sender, and every line accepted here
# is fed straight into the SIEM through ossec-single-line.cfg.local (location=).
if $fromhost-ip == 'OSSEC_MANAGER_IP' then /var/log/ossec_alerts.log;ossec
# Stop here so the alerts are not duplicated into the default syslog files
& stop
5.- Enable OSSEC plugin on OSSIM server:
alienvault:~/certificates/alienvault# cp /etc/ossim/agent/plugins/ossec-single-line.cfg /etc/ossim/agent/plugins/ossec-single-line.cfg.local
alienvault:~/certificates/alienvault# grep location= /etc/ossim/agent/plugins/ossec-single-line.cfg.local
location=/var/log/ossec_alerts.log
/etc/init.d/ossim-agent restart
6.- Check that OSSIM plugin for OSSEC is reading the alerts file (on OSSIM server):
alienvault:~/certificates/alienvault# lsof /var/log/ossec_alerts.log
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 20529 root 10w REG 202,1 4251325 244823 /var/log/ossec_alerts.log
ossim-age 20902 root 26r REG 202,1 4251325 244823 /var/log/ossec_alerts.log
add /var/log/ossec_alerts.log to /etc/logrotate.d/rsyslog
7.- Install Logstash server on OSSIM server:
apt-get update && apt-get install logstash
apt-get install software-properties-common
add-apt-repository ppa:webupd8team/java
edit webupd8team-java-jessie.list and change the release to trusty
apt-get update && apt-get install oracle-java8-installer
8.- Configure Logstash server:
alienvault:~# cat /etc/logstash/conf.d/ossec.conf
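# /etc/logstash/conf.d/ossec.conf on the OSSIM server: read multi-line OSSEC
# alerts and re-emit each one as a single "AV - Alert - ..." line for the
# ossec-single-line OSSIM plugin.
input {
  file {
    # NOTE(review): this glob does not match /var/log/ossec_alerts.log, the
    # file the rsyslog rule on OSSIM writes; confirm the intended input name.
    path => "/var/log/ossec_alerts_collector*"
    # An alert spans several lines: every line that does not start a new
    # " ** Alert" header is folded into the previous event.
    codec => multiline {
      pattern => "^\s\*\*\sAlert"
      negate => true
      what => "previous"
    }
  }
}

# Alert example
# ** Alert 1459800165.1367266852: - windows,system_error,\n 2016 Apr 04 20:02:45 (agentname) any->WinEvtLog\n Rule: 18103 (level 5) -> 'Windows error event.'\n User: (no user)\n 2016 Apr 04 15:02:43 WinEvtLog: System: ERROR(7023): Service Control Manager: (no user): no domain:
# example.domain.com: The service terminated with the following error: %%193

filter {
  # Parse the header of the alert. Logstash merges the repeated "match" keys
  # into one pattern list for "message"; grok tries them in order and stops
  # at the first that matches.
  grok {
    # Matches the "(agentname) any->WinEvtLog" header form of the example above
    match => ["message", "(?m) \*\* Alert %{DATA:timestamp_seconds}:%{SPACE}%{WORD}?%{SPACE}\- %{DATA:ossec_group}\n %{YEAR} %{SYSLOGTIMESTAMP:syslog_timestamp} \(%{DATA:reporting_host}\) %{DATA:reporting_ip}\-\>%{DATA:reporting_source}\n Rule: %{NONNEGINT:rule_number} \(level %{NONNEGINT:severity}\) \-\> '%{DATA:signature}'\n%{GREEDYDATA:remaining_message}"]
    # Matches 2014 Mar 08 00:00:00 ossec-server01->/var/log/auth.log
    match => ["message", "(?m) \*\* Alert %{DATA:timestamp_seconds}:%{SPACE}%{WORD}?%{SPACE}\- %{DATA:ossec_group}\n %{YEAR} %{SYSLOGTIMESTAMP:syslog_timestamp} %{DATA:reporting_host}\-\>%{DATA:reporting_source}\n Rule: %{NONNEGINT:rule_number} \(level %{NONNEGINT:severity}\) \-\> '%{DATA:signature}'\n%{GREEDYDATA:remaining_message}"]
    add_tag => "grokked"
  }
  grok {
    # Attempt to parse additional data from the alert; every group is optional,
    # so the fields below only exist when the alert carried them.
    match => ["remaining_message", "(?m) (Src IP: %{IP:src_ip}%{SPACE})?(Src Port: %{NONNEGINT:src_port}%{SPACE})?(Dst IP: %{IP:dst_ip}%{SPACE})?(Dst Port: %{NONNEGINT:dst_port}%{SPACE})?(User: %{DATA:acct}\n)?%{SPACE}%{GREEDYDATA:real_message}"]
  }
  # The AlienVault line carries USER: "None" when there is no user (see the
  # output example below); without a default an alert with no "User:" line
  # would emit the literal text %{acct} in that field.
  if ![acct] {
    mutate {
      add_field => { "acct" => "None" }
    }
  }
  # NOTE(review): src_ip and the other optional fields have no default and
  # also fall back to the literal placeholder in the output line; confirm what
  # the OSSIM plugin regex accepts for a missing SRCIP before relying on it.
  mutate {
    convert => [ "timestamp_seconds", "integer"]
  }
}

# AlienVault format output
# AV - Alert - "1459811944" --> RID: "5716"; RL: "5"; RG: "syslog,sshd,authentication_failed,"; RC: "SSHD authentication failed."; USER: "None"; SRCIP: "1.1.1.1"; HOSTNAME: "alienvault"; LOCATION: "/var/log/auth.log"; EVENT: "[INIT]Apr 4 23:19:02 alienvault sshd[22925]: Failed password for root from 1.1.1.1 port 55516 ssh2[END]";
output {
  file {
    path => "/var/log/ossec_single_line.log"
    flush_interval => 1
    # The event delimiters must be exactly [INIT] ... [END], matching the
    # manager's custom_alert_output and the example above.
    codec => line { format => 'AV - Alert - "%{timestamp_seconds}" --> RID: "%{rule_number}"; RL: "%{severity}"; RG: "%{ossec_group}"; RC: "%{signature}"; USER: "%{acct}"; SRCIP: "%{src_ip}"; HOSTNAME: "%{reporting_host}"; LOCATION: "%{reporting_source}"; EVENT: "[INIT]%{real_message}[END]";'}
  }
  # stdout { codec => rubydebug }
}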
9.- Running Logstash server:
alienvault:~# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/ossec.conf
edit /etc/default/logstash
LS_CONF_DIR=/etc/logstash/conf.d
edit /etc/init.d/logstash
# test_args="--configtest -f ${LS_CONF_DIR} ${LS_OPTS}"
test_args="-f ${LS_CONF_DIR} ${LS_OPTS}"
Add file to logrotate:
/etc/logrotate.d/logstash
/var/log/ossec_single_line.log
Change the location in ossec-single-line.cfg.local (set in step 5) to the Logstash output file:
location=/var/log/ossec_single_line.log
/etc/init.d/ossim-agent restart
lsof /var/log/ossec_single_line.log