AnaLogi - OSSEC WUI


techs...@ecsc.co.uk

May 15, 2012, 4:55:17 AM
to ossec-list
Hi,

I/We are very happy to announce the release of AnaLogi, an 'Analytical
Log Interface' for analysis of database stored OSSEC alerts.

This project was started as we could not find any alternative project
that met our own requirements, and we love using OSSEC.

AnaLogi was built for OSSEC 2.6 and requires no modifications to OSSEC
or the database schema that ships with OSSEC. AnaLogi requires a
Webserver sporting PHP and MySQL (for setup follow the standard OSSEC
MySQL tutorial).

http://cloud.github.com/downloads/ECSC/analogi/u%20AnaLogiDetail%201_01%20n.png

http://cloud.github.com/downloads/ECSC/analogi/u%20AnaLogiOverview%201_01%20n.png

AnaLogi v1.0 is published under GPL v3 licence and is available on
github:

https://github.com/downloads/ECSC/analogi/

I hope you find it as useful as we do.

Kind Regards
Andy

James M Pulver

May 15, 2012, 9:21:19 AM
to ossec...@googlegroups.com
The last link seems to be 404...

--
James Pulver
LEPP Computer Group
Cornell University

techs...@ecsc.co.uk

May 15, 2012, 10:38:58 AM
to ossec...@googlegroups.com
Hi James,

Many thanks for letting me know...

https://github.com/ECSC/analogi/downloads

Not sure how I've got downloads at the wrong place in the link!

Andy

Scott Klauminzer

May 15, 2012, 11:29:40 AM
to ossec...@googlegroups.com
Andy,

It looks like the AnaLogi_v1.0.1.zip is not available.

AnaLogi_v1.0.1.zip returns a file not found.

Scott

Tom Piersa

May 15, 2012, 11:38:44 AM
to ossec...@googlegroups.com
This is a great idea. Very much looking forward to checking it out.

Tom

Thomas Piersa - Programmer Analyst
Columbia University, Department of Surgery

techs...@ecsc.co.uk

May 15, 2012, 11:48:46 AM
to ossec...@googlegroups.com
Sorry for the broken link; I've had real problems with GitHub and their content management... the images didn't work at first either.

v1.0 -> v1.0.1 was extremely minor polishing, so feel free to use v1.0 for now.  I will research other hosting solutions in the meantime.

Many Thanks

Andy

On Tuesday, 15 May 2012 09:55:17 UTC+1, techs...@ecsc.co.uk wrote:

Steve Lodin

May 15, 2012, 11:51:16 AM
to ossec...@googlegroups.com
I was able to get code using:

https://github.com/ECSC/analogi/zipball/master

Looking forward to trying it out.  We have approx 1MM events per hour and haven't found a good interface.

Steve
--
Cell: +1-317-840-9088
LinkedIn: http://www.linkedin.com/in/stevelodin
Twitter: http://twitter.com/stevelodin

techs...@ecsc.co.uk

May 15, 2012, 12:07:38 PM
to ossec...@googlegroups.com
True, but downloads from the downloads page allow me to get a feel for how many people are trying it out :)

That's a lot of alerts Steve! We currently have 1.5 million events over a month (a test setup) and it's responsive on our VM; I hope it's as good for you!

On Tuesday, 15 May 2012 09:55:17 UTC+1, techs...@ecsc.co.uk wrote:

Zdenko Skiljan

May 16, 2012, 9:09:43 AM
to ossec...@googlegroups.com
Hi,

Logging to MySQL sounds interesting, especially with such a nice thing as
AnaLogi, but I wonder whether plain text logging is still retained after
employing MySQL logging?

Cheers

Zdenko

techs...@ecsc.co.uk

May 16, 2012, 9:29:29 AM
to ossec...@googlegroups.com
Yes. 

We have OSSEC 2.6 installed, I followed the OSSEC MySQL tutorial, and it logs to both MySQL AND /var/ossec/logs/alerts/2012/May/...

Andy

Sasse, Fred (DNR)

Jun 15, 2012, 10:54:58 AM
to ossec...@googlegroups.com

Thank you Andy, I will give it a try … many thanks

 

From: ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] On Behalf Of techs...@ecsc.co.uk
Sent: Friday, June 15, 2012 7:41 AM
To: ossec...@googlegroups.com
Subject: [ossec-list] Re: AnaLogi - OSSEC WUI

 

FYI Guys,  AnaLogi v1.1 is now up.  A few small tweaks, bug fixes, output to CSV and multi database support.

Any feedback appreciated.

Andy


Frank Stefan Sundberg Solli

Jun 28, 2012, 1:49:43 PM
to ossec...@googlegroups.com
May I suggest displaying Rule names instead of Rule IDs in both the graph and rows. And also it would be nice to have a drop down menu of all Rule Names.

On Thu, Jun 28, 2012 at 5:53 PM, Brett Y <cgk...@gmail.com> wrote:
I don't know if the graph isn't displaying properly. It IS displaying however, and it doesn't look wrong. I changed the first instance of  $tmpdate=$rowchart['res_time']; to $tmpdate=intval($rowchart['res_time']); and I am still getting the warnings in toprare.php. We are using RHEL 5.7, and the version of PHP that shipped with that.


On Thursday, June 28, 2012 1:30:19 AM UTC-7, techs...@ecsc.co.uk wrote:
Can you amend the first instance and see if it still errors please.  If so I will amend the rest.  I presume this error is stopping the graphs from displaying properly?

Your error says 'expects long' but php.net documentation says date() expects an integer, so just wondering if it helps in your instance.  I will need to see what is causing it, might be different versions of PHP expecting different types?


On Wednesday, June 27, 2012 4:43:14 PM UTC+1, Brett Y wrote:
I seem to be getting the error in toprare.php as well at line 51. The line looks similar to line 127 in index_graph.php

On Wednesday, June 27, 2012 1:47:09 AM UTC-7, techs...@ecsc.co.uk wrote:
Hi Brett,

I'm wondering if your PHP config is a little different to mine.  To test a fix/workaround, can you please amend the code at the place shown (index_graph.php line 127)?

Change the line from:
                $tmpdate=$rowchart['res_time'];

to
                $tmpdate=intval($rowchart['res_time']);

If this works PLEASE let me know and I will amend this for the next release.

Many Thanks
Andy




On Tuesday, June 26, 2012 10:24:53 PM UTC+1, Brett Y wrote:
I get errors in my apache log that say "date() expects parameter 2 to be long, string given in analogi/php/index_graph.php on line 127"

On Friday, June 15, 2012 5:40:51 AM UTC-7, techs...@ecsc.co.uk wrote:
FYI Guys,  AnaLogi v1.1 is now up.  A few small tweaks, bug fixes, output to CSV and multi database support.

Any feedback appreciated.

Andy



--
MVH/With regards

Frank
--
Name:         Frank Stefan Sundberg Solli
E-mail:         frank...@gmail.com
Web:            http://0x41.me
GPG:            684119F4
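The warning traded back and forth above ("date() expects parameter 2 to be long, string given") comes from the MySQL driver handing every column back to PHP as a string, while date() wants an integer Unix timestamp. The following is an added example, not AnaLogi's own code, showing how to validate and convert such a column before calling date(); the helper name timestampFromRow and the sample rows are constructed for illustration and stand in for what a mysql_fetch_array() call would return.

```php
<?php
// Added example (not from the AnaLogi project): convert a res_time column,
// which the MySQL extension returns as a string, into an int timestamp
// before handing it to date(). Written without scalar type hints so it
// also runs on older PHP 5 builds like the one mentioned in the thread.

/**
 * Return the res_time column of a result row as an int, or null when the
 * value is missing or not a plain unsigned integer string. Returning null
 * lets the caller skip the row instead of triggering a PHP warning or,
 * worse, plotting a bogus point: intval('12abc') would silently give 12.
 */
function timestampFromRow(array $row, $column = 'res_time')
{
    if (!array_key_exists($column, $row)) {
        return null;
    }
    $raw = $row[$column];
    if (is_int($raw)) {
        return $raw;               // already an int (some drivers do this)
    }
    // ctype_digit() only accepts a non-empty string made of digits 0-9
    if (is_string($raw) && ctype_digit($raw)) {
        return (int) $raw;
    }
    return null;                   // empty, NULL, negative or garbage value
}

// Constructed sample rows standing in for mysql_fetch_array() output
$rows = array(
    array('res_time' => '1337072117'), // the normal case: digits as a string
    array('res_time' => ''),           // empty column would make date() warn
    array('res_time' => '12abc'),      // garbage: intval() would accept it
    array('other'    => '1'),          // column missing entirely
);

foreach ($rows as $row) {
    $ts = timestampFromRow($row);
    if ($ts === null) {
        echo "skipping row with unusable res_time\n";
        continue;
    }
    // Same shape of call as in index_graph.php: format the timestamp for the axis
    echo date('Y-m-d H:i', $ts), "\n";
}
```

Casting explicitly, as Andy's intval() change does, removes the dependency on which PHP build is strict about the parameter type; the extra ctype_digit() check additionally rejects values that intval() would partially parse, which matters when the column is read from a database that other OSSEC components write to.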

rocka...@gmail.com

Oct 22, 2013, 5:03:05 AM
to ossec...@googlegroups.com
Hi,

First of all let me thank you for this great idea. It seems like a good way to display the results found by OSSEC.

At the moment I still have problems setting up AnaLogi.
While the first two tests went OK, the 3rd and 4th test failed.

Test 1 - Can PHP detect MySQL module? - yes
Test 2 - Can PHP connect to your MySQL? - yes
Test 3 - Does your database have correct schema? - no!
       Fix - Import the MySQL schema that comes with OSSEC
Test 4 - Is there any data in your database? - no!
       Fix - Ensure agents are logging data.

I do NOT know what is meant by the MySQL schema that comes with OSSEC and how to import it.
Could you please give me a hint on how to fix this?

Many thanks in advance,
theresa