New opensource SIEM (LightSIEM) with OSSEC support
930 views
Skip to first unread message
Daniil Svetlov
Mar 28, 2015, 12:29:54 PM3/28/15
to ossec...@googlegroups.com
Hi, community!
I have suffer of lacking SIEM system for OSSEC for several years. I tried Splunk, but it is very expensive. I also tried OSSEC WebUI, but I deleted it after few hours. A lot of time I sent OSSEC alerts to Prelude IDS and used Prewikka as web interface, but it have some bugs and was not actively developed.
I saw several articles about parsing OSSEC in Logstash and Elasticsearch. It inspired me to create a batch of configs for parsing OSSEC and Snort logs.
I created some patterns for parsing OSSEC and Snort alerts and now I plan to add more possible event sources. I wrote configs for Elasticsearch and Logstash, made few dashborads for Kibana as main part of WebUI.
Kibana havn't got builtin authentication, so i found another project - Kibana Authentication Proxy and add it to my configuration too.
I have also create some common model for SIEM messages based on IDMEF class hierarchy. I hope it will help to normalize events from different sources to one format. And that will help to analyze and visualize them.
At the end of all that work I have make ansible playbook for easy and fast deploing all stuff and configs. So, my playbook take all that things together and run.
Try LightSIEM progect on GitHub https://github.com/dsvetlov/lightsiem
Hope it will help somebody to deploy free and opensource SIEM.
I will be thankful for all your comments, advices and suggestions.
Dmitry Sherman
Mar 28, 2015, 3:35:38 PM3/28/15
to ossec...@googlegroups.com
The fact it's using Kibana & Logstash along with it's opensource nature is nice.
Is it possible to deploy on the same server of ossec vm appliance or you recommend a separate machine? Where should it sit by design?
Thanks a lot!
Daniil Svetlov
Mar 28, 2015, 4:58:41 PM3/28/15
to ossec...@googlegroups.com
Hi, Dmitry!
суббота, 28 марта 2015 г., 22:35:38 UTC+3 пользователь Dmitry Sherman написал:
Yes, it is possible to deploy LightSIEM on one server with OSSEC. It's good design for small and medium deployments. But if you want, you can separate ossec, logstash and elasticsearch with Kibana on three servers.
Only one requirement is that elasticsearch and kibana must sit on one server. Small problem with ES is that it haven't got builtin authentication. So, by default, it just listen port and everybody can make query select or delete documents from index. But Kibana and Kibana Authentication Proxy is solving that problem.
I can recommend deploy LightSIEM on separate server because it can generate more load and require more disk space. Also, I usually make hardened OSSEC servers with only 1514 and 22 ports open. With additional opened ports for ELK attack surface is large.
суббота, 28 марта 2015 г., 22:35:38 UTC+3 пользователь Dmitry Sherman написал:
theresa mic-snare
Jul 3, 2015, 1:14:11 PM7/3/15
to ossec...@googlegroups.com
sounds awesome, great work Daniil!
just out of curiosity, why did you decided to go with snort instead of suricata?
http://suricata-ids.org
keep up the good work!
just out of curiosity, why did you decided to go with snort instead of suricata?
http://suricata-ids.org
keep up the good work!
Daniil Svetlov
Jul 3, 2015, 5:58:27 PM7/3/15
to ossec...@googlegroups.com
Hello, Theresa!
I'm not go with snort instead of suricata. A have production snort deployment on my work. It provides access to big amount of log samples and user experience of LightSIEM.
I'm not go with snort instead of suricata. A have production snort deployment on my work. It provides access to big amount of log samples and user experience of LightSIEM.
Anyway, suricata supports all relevant snort log formats. So you can use all types of snort input in LightSIEM with suricata. If you find some errors, feel free to report about it - I will try to help and fix them.
пт, 3 июля 2015 г. в 20:14, theresa mic-snare <rockpr...@gmail.com>:
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
--
С уважением, Светлов Даниил.
f.ma...@fonicom.com
Nov 18, 2015, 10:36:35 AM11/18/15
to ossec-list
Hi,
I am not sure if this is the right place to post but here it goes. I am quite new to Linux but have setup a server with Ossec. Also trying to setup LightSiem but am getting this error;
TASK: [elk | Install packages] ************************************************
failed: [localhost] => (item=java,http://download.elastic.co/logstash/logstash/packages/centos/logstash-1.5.0-1.noarch.rpm,https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.4.4.noarch.rpm,epel-release,nodejs,unzip,npm,dnsmasq) => {"changed": false, "failed": true, "item": "java,http://download.elastic.co/logstash/logstash/packages/centos/logstash-1.5.0-1.noarch.rpm,https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.4.4.noarch.rpm,epel-release,nodejs,unzip,npm,dnsmasq", "rc": 0, "results": []}
msg: The following packages have pending transactions: java-1.8.0-openjdk-x86_64
FATAL: all hosts have already failed -- aborting
PLAY RECAP ********************************************************************
to retry, use: --limit @/root/lightsiem-install.retry
localhost : ok=0 changed=0 unreachable=0 failed=1
Any ideas?
Regards
guga...@gmail.com
Nov 19, 2015, 6:25:21 AM11/19/15
to ossec-list
I had same issue
Reply all
Reply to author
Forward
0 new messages