Ossec + Splunk


Michael Mather

Sep 3, 2011, 9:39:39 PM
to ossec...@googlegroups.com
I want to run Splunk as a logging server, and feed logs to it from the client
machine using their Universal Forwarder.

Unfortunately Splunk does not seem to do File Integrity Monitoring. Further
unfortunately, both machines are running Windows.

My question is whether the Ossec Windows Agent can run as a logging agent
without the Ossec Manager.

I suspect the answer is "No", but could that be confirmed?

Thanks.

dan (ddp)

Sep 3, 2011, 11:29:47 PM
to ossec...@googlegroups.com

I thought splunk got some FIM capabilities in 4.something.
The agent software is designed to work with a manager, not independently.

Glenn

Sep 4, 2011, 12:35:21 AM
to ossec-list
I believe you need the server (running on Linux) for OSSEC file
integrity monitoring. We've looked at this recently for PCI
compliance, and I believe that Splunk claims it can do FIM. Just
Google Splunk and PCI DSS and you should find the PDF that mentions it
(I think the PDF is called Splunk for PCI DSS).

Splunk can quickly become an expensive proposition. You may want to
consider using OSSEC for FIM and logging, then forwarding the alerts
from OSSEC to Splunk (basically using Splunk for the visualisations).

On Sep 4, 1:29 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> I thought splunk got some FIM capabilities in 4.something.
> The agent software is designed to work with a manager, not independently.
>  On Sep 3, 2011 11:21 PM, "Michael Mather" <Michael.Mat...@teksavvy.com>

Michael Starks

Sep 4, 2011, 11:38:37 AM
to ossec...@googlegroups.com, Michael Mather

Yes, you need the manager, but ossec could also forward to Splunk. There
are several ways to tie it all together.

Michael Mather

Sep 6, 2011, 8:28:45 PM
to ossec-list
Dan, you are correct. They got it in 4.2. I had been looking at a
negative comment that applied to 4.1 (under Configuration Monitoring).

Thanks for solving my problem.

The suggestion of using OSSEC to forward stuff doesn't work in my
case, because I am not allowed to use a Linux box.

Nevertheless, I had thought that Prelude, for example, could receive
stuff directly from the OSSEC agent. It would be neat if the
interfaces for agents were published so that monitoring software could
use a variety of agents from different projects. Even better if the
interfaces were standardized, so that this would be easy.

dan (ddp)

Sep 6, 2011, 9:01:24 PM
to ossec...@googlegroups.com
OSSEC agents do very little. They basically forward logs to the
manager, and the manager does all of the work.