Question on OSSEC/OSSIM interaction


Javier A. Nieto Salcedo

Sep 27, 2016, 12:58:21 PM
to ossec...@googlegroups.com

Dear community,

I've been using OSSEC for almost three years for File Integrity Monitoring. Now the enterprise is planning to install OSSIM, and we want to know:

- whether it is possible to share the logs from the OSSEC server with the OSSIM one, as shown in the figure;

- if this scenario is not possible, how we can configure the existing OSSEC agents to report to both servers.

Best regards,


Javier A. Nieto Salcedo

Gerencia de Análisis Informático

Vicepresidencia de Control

 

Telf: 58 (0212)955.98.17

javier...@credicard.com.ve

At Credicard we work to deliver.

"This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error, please notify ab...@credicard.com.ve. Please note that any opinion expressed in this e-mail is solely that of the author and does not necessarily represent the opinion of Consorcio Credicard, C.A. Finally, the recipient should check this e-mail and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this e-mail."

Santiago Bassett

Sep 27, 2016, 7:21:34 PM
to ossec...@googlegroups.com
Hi Javier,

Yes, I have done this before. You just need to write the alerts in the format expected by the OSSIM plugin for OSSEC. To change the format you can use Logstash.

Below are my notes from when I did this (this should have been a blog post, but I was lazy). I hope it helps,

Santiago.

1.- Configure OSSEC manager custom output: 

Include custom output in /var/ossec/etc/ossec.conf
<custom_alert_output>AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]"; </custom_alert_output>

2.- Configure OSSEC manager Rsyslog output:

Create /etc/rsyslog.d/ossec.conf (on the OSSEC manager). The TLS configuration is not needed unless it is supported on the other end (OSSIM).

$ModLoad imfile
$InputFilePollInterval 1

# OSSEC alerts file
$InputFileName /var/ossec/logs/alerts/alerts.log

$InputFileTag ossec-alerts:
$InputFileSeverity info
$InputFileFacility local7

# State file only visible when rsyslog stops
# State file in $WorkDirectory
$InputFileStateFile stat-ossec1
$InputRunFileMonitor

# TLS configuration
#$DefaultNetstreamDriver gtls

#$DefaultNetstreamDriverCAFile /root/certificates/ca.pem
#$DefaultNetstreamDriverCertFile /root/certificates/cert-soc-collector1.pem
#$DefaultNetstreamDriverKeyFile /root/certificates/key-soc-collector1.pem

#$ActionSendStreamDriverAuthMode x509/name
#$ActionSendStreamDriverPermittedPeer example.domain.com
#$ActionSendStreamDriverMode 1

$template ossec,"%msg%\n"
if $syslogtag == 'ossec-alerts:' then @@OSSIM_SERVER_IP:514;ossec
& stop

3.- Check that the files are being read by rsyslogd:
#Alert file
[root@ossec_manager]# lsof /var/ossec/logs/alerts/alerts.log 
COMMAND     PID   USER   FD   TYPE DEVICE SIZE/OFF      NODE NAME
ossec-mai 12447 ossecm    3r   REG  202,1  6968029 520130975 /var/ossec/logs/alerts/alerts.log
ossec-ana 12455  ossec   10w   REG  202,1  6968029 520130975 /var/ossec/logs/alerts/alerts.log
rsyslogd  12520   root    4r   REG  202,1  6968029 520130975 /var/ossec/logs/alerts/alerts.log

4.- Configure RSYSLOG to receive data on OSSIM server:
#/etc/rsyslog.d/ossec.conf on OSSIM
alienvault:~/certificates/alienvault# cat /etc/rsyslog.d/ossec.conf 
$template ossec,"AV -%msg%\n"
if $fromhost-ip == 'OSSEC_MANAGER_IP' then /var/log/ossec_alerts.log;ossec
& stop

5.- Enable OSSEC plugin on OSSIM server:
alienvault:~/certificates/alienvault# cp /etc/ossim/agent/plugins/ossec-single-line.cfg /etc/ossim/agent/plugins/ossec-single-line.cfg.local
alienvault:~/certificates/alienvault# grep location= /etc/ossim/agent/plugins/ossec-single-line.cfg.local 
location=/var/log/ossec_alerts.log
/etc/init.d/ossim-agent restart

6.- Check that OSSIM plugin for OSSEC is reading the alerts file (on OSSIM server):
alienvault:~/certificates/alienvault# lsof /var/log/ossec_alerts.log 
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
rsyslogd  20529 root   10w   REG  202,1  4251325 244823 /var/log/ossec_alerts.log
ossim-age 20902 root   26r   REG  202,1  4251325 244823 /var/log/ossec_alerts.log
add /var/log/ossec_alerts.log to /etc/logrotate.d/rsyslog

7.- Install Logstash server on OSSIM server:
echo "deb http://packages.elastic.co/logstash/2.3/debian stable main" | sudo tee -a /etc/apt/sources.list
apt-get update && apt-get install logstash
apt-get install software-properties-common
add-apt-repository ppa:webupd8team/java
change the repo to trusty in webupd8team-java-jessie.list
apt-get update && apt-get install oracle-java8-installer

8.- Configure Logstash server:

alienvault:~# cat /etc/logstash/conf.d/ossec.conf 
input {
  file {
    path => "/var/log/ossec_alerts_collector*"
    codec => multiline {
      pattern => "^\s\*\*\sAlert"
      negate => true
      what => "previous"
    }
  }
}

# Alert example
# ** Alert 1459800165.1367266852: - windows,system_error,\n 2016 Apr 04 20:02:45 (agentname) any->WinEvtLog\n Rule: 18103 (level 5) -> 'Windows error event.'\n User: (no user)\n 2016 Apr 04 15:02:43 WinEvtLog: System: ERROR(7023): Service Control Manager: (no user): no domain: example.domain.com: The service terminated with the following error:   %%193  

filter {

  # Parse the header of the alert
  grok {

    # Matches  2014 Mar 08 00:57:49 (some.server.com) 10.1.2.3->ossec
    match => ["message", "(?m) \*\* Alert %{DATA:timestamp_seconds}:%{SPACE}%{WORD}?%{SPACE}\- %{DATA:ossec_group}\n %{YEAR} %{SYSLOGTIMESTAMP:syslog_timestamp} \(%{DATA:reporting_host}\) %{DATA:reporting_ip}\-\>%{DATA:reporting_source}\n Rule: %{NONNEGINT:rule_number} \(level %{NONNEGINT:severity}\) \-\> '%{DATA:signature}'\n%{GREEDYDATA:remaining_message}"]

    # Matches  2014 Mar 08 00:00:00 ossec-server01->/var/log/auth.log
    match => ["message", "(?m) \*\* Alert %{DATA:timestamp_seconds}:%{SPACE}%{WORD}?%{SPACE}\- %{DATA:ossec_group}\n %{YEAR} %{SYSLOGTIMESTAMP:syslog_timestamp} %{DATA:reporting_host}\-\>%{DATA:reporting_source}\n Rule: %{NONNEGINT:rule_number} \(level %{NONNEGINT:severity}\) \-\> '%{DATA:signature}'\n%{GREEDYDATA:remaining_message}"]

    add_tag => "grokked"
  }

  grok {

    # Attempt to parse additional data from the alert
    match => ["remaining_message", "(?m) (Src IP: %{IP:src_ip}%{SPACE})?(Src Port: %{NONNEGINT:src_port}%{SPACE})?(Dst IP: %{IP:dst_ip}%{SPACE})?(Dst Port: %{NONNEGINT:dst_port}%{SPACE})?(User: %{DATA:acct}\n)?%{SPACE}%{GREEDYDATA:real_message}"]
  }

  mutate {
    convert      => [ "timestamp_seconds", "integer"]
  }

}

#AlienVault format output
#AV - Alert - "1459811944" --> RID: "5716"; RL: "5"; RG: "syslog,sshd,authentication_failed,"; RC: "SSHD authentication failed."; USER: "None"; SRCIP: "1.1.1.1"; HOSTNAME: "alienvault"; LOCATION: "/var/log/auth.log"; EVENT: "[INIT]Apr  4 23:19:02 alienvault sshd[22925]: Failed password for root from 1.1.1.1 port 55516 ssh2[END]";

output {

  file {
    path => "/var/log/ossec_single_line.log"
    flush_interval => 1
    # Note: the opening tag must be [INIT] (not [INIT}) or the ossec-single-line plugin will not match the event
    codec => line { format => 'AV - Alert - "%{timestamp_seconds}" --> RID: "%{rule_number}"; RL: "%{severity}"; RG: "%{ossec_group}"; RC: "%{signature}"; USER: "%{acct}"; SRCIP: "%{src_ip}"; HOSTNAME: "%{reporting_host}"; LOCATION: "%{reporting_source}"; EVENT: "[INIT]%{real_message}[END]";'}
  }

#  stdout { codec => rubydebug }
}

9.- Running Logstash server:

alienvault:~# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/ossec.conf

edit /etc/default/logstash
LS_CONF_DIR=/etc/logstash/conf.d

edit /etc/init.d/logstash
#  test_args="--configtest -f ${LS_CONF_DIR} ${LS_OPTS}"
  test_args="-f ${LS_CONF_DIR} ${LS_OPTS}"

Add file to logrotate:
/etc/logrotate.d/logstash
/var/log/ossec_single_line.log

Add location to ossec-single-line.cfg.local 
location=/var/log/ossec_single_line.log

/etc/init.d/ossim-agent restart
lsof /var/log/ossec_single_line.log

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
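The conversion that Santiago's Logstash pipeline performs, written out as an added example (this is not code from the thread, nor part of OSSEC, OSSIM or Logstash): a small Python script that splits alerts.log content into alerts the way the multiline codec does, parses both header forms the two grok patterns cover (the agent form "(name) ip->location" and the local form "host->location"), collects the optional Src IP / Src Port / Dst IP / Dst Port / User lines, and emits the single-line AV format the ossec-single-line plugin reads. The sample alerts are constructed, modelled on the two examples quoted above. Two assumptions are made: a multi-line event body is joined with spaces so the output stays on one line, and a missing USER or SRCIP field is written as "None", as in the sample AV line above.

```python
import re

# Constructed sample alerts.log content (not captured from a live system),
# modelled on the two example alerts quoted in the thread.
SAMPLE_ALERTS = """\
** Alert 1459811944.12345: - syslog,sshd,authentication_failed,
2016 Apr 04 23:19:02 alienvault->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 1.1.1.1
User: root
Apr  4 23:19:02 alienvault sshd[22925]: Failed password for root from 1.1.1.1 port 55516 ssh2

** Alert 1459800165.1367266852: mail - windows,system_error,
2016 Apr 04 20:02:45 (agentname) any->WinEvtLog
Rule: 18103 (level 5) -> 'Windows error event.'
User: (no user)
2016 Apr 04 15:02:43 WinEvtLog: System: ERROR(7023): Service Control Manager: (no user): no domain: example.domain.com: The service terminated with the following error:   %%193
"""

# Alert header. Covers both forms the two grok patterns handle: "(agent) ip->location"
# for agent alerts and "host->location" for local ones. The optional word after the
# colon is the "mail" flag OSSEC adds to alerts that are also sent by e-mail.
HEADER_RE = re.compile(
    r"\A\*\* Alert (?P<ts>\d+)\.\d+:(?:\s+\w+)?\s+- (?P<groups>[^\n]*)\n"
    r"(?P<year>\d{4}) (?P<stamp>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<agent_ip>\S+)->(?P<loc_a>\S+)"
    r"|(?P<host>\S+)->(?P<loc_b>\S+))\n"
    r"Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<sig>[^']*)'\n"
    r"(?P<rest>.*)\Z",
    re.DOTALL,
)

# Optional "Key: value" lines OSSEC puts between the rule line and the event text.
FIELD_RE = re.compile(r"^(Src IP|Src Port|Dst IP|Dst Port|User): (.*)$")
FIELD_KEYS = {"Src IP": "src_ip", "Src Port": "src_port",
              "Dst IP": "dst_ip", "Dst Port": "dst_port", "User": "user"}


def split_alerts(text):
    """Split raw alerts.log content into alert blocks, as the multiline codec
    does: a line starting with '** Alert' opens a new record."""
    alerts, current = [], []
    for line in text.splitlines():
        if line.startswith("** Alert") and current:
            alerts.append("\n".join(current))
            current = []
        if line.strip() or current:
            current.append(line)
    if current:
        alerts.append("\n".join(current))
    return alerts


def parse_alert(text):
    """Parse one alert block into a dict, or return None when the header does
    not match (the equivalent of a grok failure in the Logstash pipeline)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        return None
    fields = {key: None for key in FIELD_KEYS.values()}
    lines = m.group("rest").split("\n")
    i = 0
    while i < len(lines):          # consume the optional Src/Dst/User lines
        fm = FIELD_RE.match(lines[i])
        if not fm:
            break
        fields[FIELD_KEYS[fm.group(1)]] = fm.group(2)
        i += 1
    record = {
        "timestamp_seconds": int(m.group("ts")),   # the mutate/convert step
        "ossec_group": m.group("groups"),
        "syslog_timestamp": m.group("stamp"),
        "reporting_host": m.group("agent") or m.group("host"),
        "reporting_ip": m.group("agent_ip"),
        "reporting_source": m.group("loc_a") or m.group("loc_b"),
        "rule_number": int(m.group("rule")),
        "severity": int(m.group("level")),
        "signature": m.group("sig"),
        # Assumption: event lines are joined with spaces so the output stays single-line.
        "real_message": " ".join(lines[i:]),
    }
    record.update(fields)
    return record


def to_av_line(alert):
    """Render a parsed alert in the AV single-line format of the thread."""
    def field(value):
        return "None" if value is None else str(value)   # assumption: "None" when absent
    return (
        'AV - Alert - "{ts}" --> RID: "{rid}"; RL: "{rl}"; RG: "{rg}"; RC: "{rc}"; '
        'USER: "{user}"; SRCIP: "{srcip}"; HOSTNAME: "{host}"; LOCATION: "{loc}"; '
        'EVENT: "[INIT]{event}[END]";'
    ).format(ts=alert["timestamp_seconds"], rid=alert["rule_number"], rl=alert["severity"],
             rg=alert["ossec_group"], rc=alert["signature"], user=field(alert["user"]),
             srcip=field(alert["src_ip"]), host=alert["reporting_host"],
             loc=alert["reporting_source"], event=alert["real_message"])


def convert(text):
    """Full pipeline: alerts.log content in, list of AV single-line records out."""
    parsed = (parse_alert(block) for block in split_alerts(text))
    return [to_av_line(alert) for alert in parsed if alert]


if __name__ == "__main__":
    for line in convert(SAMPLE_ALERTS):
        print(line)
```

Running this over a copy of alerts.log and comparing the result with /var/log/ossec_single_line.log is a quick way to spot alerts whose header the grok patterns do not match: parse_alert returns None for those, while Logstash would emit a line with literal %{...} placeholders that the OSSIM plugin then drops.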

Javier A. Nieto Salcedo

Sep 28, 2016, 4:09:45 PM
to ossec...@googlegroups.com

Hi Santiago,

 

Thanks a lot. We will try to follow your recipe.

 

Best regards,

Javier A. Nieto Salcedo


phong xuan

May 30, 2017, 10:12:06 AM
to ossec-list
Hi, I want to send the alert log from OSSEC to OSSIM, but I don't know how to do that. I already run OSSEC in hybrid mode. I send the alert log from OSSEC to OSSIM by syslog; I can see the syslog in OSSIM, but OSSIM cannot parse the log, so the dashboard cannot see anything. Can you help me? Thank you.

On Wednesday, September 28, 2016 at 06:21:34 UTC+7, Santiago Bassett wrote: