OSSEC and Nagios integration


Michiel van Es

Feb 5, 2014, 6:47:00 AM2/5/14
to ossec...@googlegroups.com
Hello,

I was wondering if someone has already used OSSEC and Nagios together to generate alerts?
I have the following idea in my head: an alert of level 11+ is seen by a monitor/swatch script tailing the /var/ossec/logs/alerts/alerts.log logfile, which generates an alert/trigger and sends it to Nagios.
Nagios generates an alert and shows it on a dashboard.
An engineer fixes the issue or filters the alert (in case of a false positive) and OKs/ACKs the alert in Nagios.

Or does someone else have a better idea of how to integrate these two?

All tips are more than welcome!

Michiel
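The tail-and-forward pipeline described above, as an added example that is not from the thread or from the OSSEC or Nagios projects: it parses OSSEC alerts.log records (the sample records are constructed), keeps only level 11+ alerts, and renders each one as a Nagios passive check result line for the external command file. Hostnames, rule numbers, timestamps and the service name are assumptions.

```python
import re

MIN_LEVEL = 11  # forward only level 11+ alerts, the threshold proposed in the thread

# Constructed sample of OSSEC alerts.log records (hosts, IPs and times are made up).
SAMPLE_ALERTS = """\
** Alert 1391600800.1234: - syslog,sshd,authentication_failed,
2014 Feb 05 12:46:40 web01->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.5
Feb  5 12:46:39 web01 sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 4444 ssh2

** Alert 1391600900.1240: mail  - syslog,attacks,
2014 Feb 05 12:48:20 web01->/var/log/auth.log
Rule: 40111 (level 12) -> 'Multiple authentication failures followed by a success.'
Src IP: 10.0.0.5
Feb  5 12:48:19 web01 sshd[1250]: Accepted password for admin from 10.0.0.5 port 4460 ssh2
"""

RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$", re.M)
SRC_RE = re.compile(r"^\d{4} \w{3} \d{2} \d\d:\d\d:\d\d (?P<host>.+?)->", re.M)

def parse_alerts(text):
    """Split alerts.log text into records; OSSEC separates alerts with a blank line."""
    alerts = []
    for block in text.split("\n\n"):
        lines = block.strip().splitlines()
        if not lines or not lines[0].startswith("** Alert "):
            continue
        ts = int(lines[0].split()[2].split(".")[0])  # epoch seconds from "<ts>.<id>:"
        src, rule = SRC_RE.search(block), RULE_RE.search(block)
        if not (src and rule):
            continue  # malformed record: skip it rather than guess its fields
        alerts.append({"ts": ts, "host": src.group("host"), "rule": int(rule.group("rule")),
                       "level": int(rule.group("level")), "desc": rule.group("desc")})
    return alerts

def to_passive_check(alert, service="OSSEC"):
    """Render one PROCESS_SERVICE_CHECK_RESULT line for the Nagios command file.
    ';' and newlines are stripped from alert text so a crafted log line cannot inject fields."""
    def clean(s):  # the command file is ';'-delimited and newline-terminated
        return s.replace(";", ",").replace("\n", " ").replace("\r", " ")
    state = 2 if alert["level"] >= MIN_LEVEL else 1  # 2 = CRITICAL, 1 = WARNING
    output = "rule %d level %d: %s" % (alert["rule"], alert["level"], clean(alert["desc"]))
    return "[%d] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%d;%s" % (
        alert["ts"], clean(alert["host"]), service, state, output)

def forward(text, min_level=MIN_LEVEL):
    """Command lines Nagios should receive for alerts at or above min_level."""
    return [to_passive_check(a) for a in parse_alerts(text) if a["level"] >= min_level]
```

In a deployment, a tailing loop feeds new alerts.log content to `forward()` and appends each returned line to the Nagios external command file (its path depends on the installation, commonly under the Nagios `var/rw` directory).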

Darin Perusich

Feb 5, 2014, 8:32:47 AM2/5/14
to ossec...@googlegroups.com
Have you asked Google?
--
Later,
Darin

Michiel van Es

Feb 5, 2014, 8:45:26 AM2/5/14
to ossec...@googlegroups.com
Yes. The first 3 hits were about mail scripts (Nagios Exchange) and 'swatch-like scripts', but not a lot of specific setup information.
That is why I am asking here what people use nowadays and what their setup looks like.

Michiel

On Wednesday, 5 February 2014 14:32:47 UTC+1, Darin Perusich wrote:

Michiel van Es

Feb 5, 2014, 8:53:38 AM2/5/14
to ossec...@googlegroups.com
To be more precise: this is the most valuable link I found: http://blog.kintoandar.com/2011/01/nagios-nrpe-ossec-check.html
I am still interested in other people's implementations.

On Wednesday, 5 February 2014 14:45:26 UTC+1, Michiel van Es wrote:

Chris H

Feb 6, 2014, 4:28:58 AM2/6/14
to ossec...@googlegroups.com
Could you do something with the syslog output? Send the alerts you're interested in to syslog on the Nagios host and tail the logs from there? It might allow you to be a bit more selective, too.

Michiel van Es

Feb 18, 2014, 5:30:34 AM2/18/14
to ossec...@googlegroups.com
I found something interesting at http://blog.kintoandar.com/2011/01/nagios-nrpe-ossec-check.html which uses NRPE to swatch/grep the alerts.log logfile for specific alert levels and display those in Nagios.

On Thursday, 6 February 2014 10:28:58 UTC+1, Chris H wrote:

ri...@amcoonline.net

Apr 28, 2015, 3:09:14 PM4/28/15
to ossec...@googlegroups.com
@Michiel, did you ever get this set up? If so, do you have any tips you can share?

Michiel van Es

Apr 30, 2015, 7:34:07 AM4/30/15
to ossec...@googlegroups.com
Yes, I did get this set up, although not via NRPE:

- Log OSSEC alerts of a certain level to Elasticsearch/Logstash and Kibana.
- Nagios runs a query on Kibana for this alert level and displays the alerts in a Nagios dashboard (the alert stays there for 24 hours and is then automatically removed).

This setup is far from ideal, as it is a passive check and the alert stays there for only 24 hours.

I also don't know the fine technical details of how to set this up (since someone else set it up with Nagios).
But this is the general idea of how it works at our company.

Cheers,

Michiel
