Forwarding Logs of ModSecurity to OSSEC Server & a SIEM


tanishk lakhaani

Feb 4, 2011, 1:41:55 PM
to ossec...@googlegroups.com
Hi all,
I have deployed ModSecurity, but I am unable to forward the logs of ModSecurity to the OSSEC server as well as to a SIEM.
 
Can anyone help me in fixing this?
Regards
Tanishk

Jeremy Lee

Feb 4, 2011, 1:53:39 PM
to ossec...@googlegroups.com
Do you have the OSSEC agent installed on the same box that ModSecurity is on? And is ModSec logging to the Apache logs? If so, make sure the OSSEC agent is monitoring the Apache logs and on your OSSEC server be sure to tune the ModSec rules (should be in the apache_rules.xml) to log/alert as required.

Or, are you trying to forward the ModSec logs via syslog? If so you'll have to setup log forwarding via syslog/syslog-ng/rsyslog.

tanishk lakhaani

Feb 4, 2011, 2:07:12 PM
to ossec...@googlegroups.com
Hey, thanks for replying!
 
Well, I am trying the second option. Can you please give me some information on how to set up log forwarding via syslog?
 
What I tried was (in /etc/syslog.conf):
 
/var/log/messages <tab_space> local7.*
local7.* <tab_space> @ServerIP
 
Am I doing it the right way?
 
Regards
Tanishk

--
warm regards
Tanishk Lakhaani

dan (ddp)

Feb 4, 2011, 2:18:19 PM
to ossec...@googlegroups.com
Hi Tanishk,

Which syslog daemon are you using?


On Fri, Feb 4, 2011 at 2:07 PM, tanishk lakhaani <tanis...@gmail.com> wrote:
> Hey thanks for replying !!!!
>
> Well I am trying the second option. Can u pls gimme some information on how
> to set up log forwarding via syslog
>
> What I tried was (in /etc/syslog.conf):
>
> /var/log/messages <tab_space> local7.*

I'm not sure what this is supposed to do. Are you trying to label
everything in /var/log/messages as local7?

> local7.* <tab_space> @ServerIP
>

This should send everything in local7 to ServerIP. If my above
question is correct, you could just use the following instead:
*.* <tab_space> @ServerIP

I do this to send ALL syslog messages to my collector.

tanishk lakhaani

Feb 4, 2011, 2:28:03 PM
to ossec...@googlegroups.com
Jeremy,
It's the syslogd daemon that this open source uses.
 
Rgds
Tanishk

Jeremy Lee

Feb 4, 2011, 3:05:37 PM
to ossec...@googlegroups.com
I don't know if "/var/log/messages              local7.*" is correct

However, the second line is correct.

BUT, I think I was initially incorrect about the 2nd option when advising it. If ModSecurity is logging to the Apache logs, which it should be by default, then I believe you actually need to set up log forwarding in the Apache settings to get your Apache logs to forward to a syslog server.

Read through these threads:

http://forums.whirlpool.net.au/archive/1363249
http://www.unix.com/red-hat/127828-sending-all-apache-logs-syslog-server.html


So you can either use logger to accomplish this or you can add the syslog directive (the latter would be the recommended way).

Is there a reason why you are avoiding use of the OSSEC agent?
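As an added example (not part of the thread), the two routes Jeremy mentions for getting Apache's own logs to a syslog server, written as httpd.conf directives. The facility local7 matches the `local7.* @ServerIP` rule discussed earlier; the log paths and the logger path are assumptions for a Red Hat style layout.

```apacheconf
# Added example, not from the thread. Assumes Apache httpd 2.x and a
# local syslog daemon already configured with "local7.* @ServerIP".

# Option 1: the built-in syslog directive (the "recommended way" above).
# Apache hands error-log lines to the local syslog() call, so
# ModSecurity alerts written to the error log ("ModSecurity: Access
# denied ...") travel with them. A server has only one ErrorLog
# destination, so this replaces the local error_log file.
ErrorLog "syslog:local7"
LogLevel warn

# Option 2: pipe a log through logger(1). CustomLog may be declared more
# than once, so the local file can be kept alongside the syslog copy.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog /var/log/httpd/access_log combined
CustomLog "|/usr/bin/logger -t httpd -p local7.info" combined
```

Two caveats a practitioner should keep in mind: the ModSecurity audit log (`SecAuditLog`) is a separate file and is not covered by either directive, and syslog over UDP (`@ServerIP`) offers no delivery guarantee, so anything sent while the collector is unreachable is simply lost.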

tanishk lakhaani

Feb 4, 2011, 3:30:27 PM
to ossec...@googlegroups.com
Jeremy,
In case I am using the OSSEC agent, I think my steps go like this: configure ModSecurity to log its events to the error_log file at the server end. Then I can reconfigure the agent to monitor the logs of the error_log file and send them to the server, which will parse these logs in accordance with the apache_rules.xml file and hence display the same.
 
I don't understand, then, where the need is to set up log forwarding in the Apache settings to get your Apache logs to forward to a syslog server, and how do I do that?
 
Regards
Tanishk

Jeremy Lee

Feb 4, 2011, 3:44:36 PM
to ossec...@googlegroups.com
So are you wanting to forward *all* Apache logs to the syslog server (OSSIM I'm assuming)? Or are you wanting to forward OSSEC alerts to the syslog server? BTW: I'm sure you're aware but OSSEC is integrated into OSSIM.


--Jeremy

ash kumar

Feb 14, 2011, 10:37:03 AM
to ossec...@googlegroups.com
Since the OSSEC agent can pick up and parse Apache error logs natively, forwarding Apache logs to a remote destination appears redundant. If you look at the Apache documentation, you can either log to local files or to a remote syslog server. It is one or the other and not both. The problem with forwarding is that in case there is an issue with communications or with the syslog server, you will lose logs.

The best case solution is to log to local files, use ossec agent to forward them and logrotate to keep things neat and tidy.

Ash Kumar
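As an added example (not from the thread), the configuration that the "log locally, let the agent forward" approach comes down to, covering both halves of the original question: the agent-side `<localfile>` entries that feed Apache's logs (and with them ModSecurity's alerts) to the OSSEC server, and the server-side `<syslog_output>` that relays the resulting OSSEC alerts to a SIEM. The log paths and the SIEM address 192.0.2.10 are assumptions.

```xml
<!-- Added example, not from the thread. Paths assume a Red Hat style
     Apache layout; 192.0.2.10 is a placeholder for the SIEM. -->

<!-- 1. On the web server, in the agent's /var/ossec/etc/ossec.conf.
     ModSecurity writes its alerts to the Apache error log, so watching
     that file is enough for the ModSecurity rules in apache_rules.xml
     on the OSSEC server to match. -->
<ossec_config>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/error_log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/httpd/access_log</location>
  </localfile>
</ossec_config>

<!-- 2. On the OSSEC server, in /var/ossec/etc/ossec.conf. This sends
     alerts (not raw log lines) of level 3 and above to the SIEM over
     syslog. It only takes effect after running
       /var/ossec/bin/ossec-control enable client-syslog
     and restarting OSSEC. -->
<ossec_config>
  <syslog_output>
    <server>192.0.2.10</server>
    <port>514</port>
    <level>3</level>
  </syslog_output>
</ossec_config>
```

With this layout Apache keeps writing to local files, so nothing is lost when the network or the SIEM is down; the agent forwards to the OSSEC server over its own channel, and logrotate can rotate the Apache files as usual, with the agent reopening a file after it is rotated.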