ossec interface


MrTjadhav

Nov 25, 2013, 6:04:29 PM
to securit...@googlegroups.com
I am confused about Security Onion receiving raw log files from my OSSEC agents. I have eth0 as my management interface and eth1 as my monitored interface. Eth1 is connected to the network tap receiving all the traffic. Eth1 is in promisc mode of course; eth0 is at IP w.x.y.z. When I open Sguil, I see two interfaces, server-eth1 and server-ossec.

My question is: when I configure the agents to enter the IP address of the server, am I putting in the management IP? What else can I enter?

If I enter the management IP, does that mean that all OSSEC logs will be transferred to the Security Onion server via the management IP?

Tushar.

BBCan177

Nov 25, 2013, 6:58:28 PM
to securit...@googlegroups.com
For my setup, I installed OSSEC on our servers (download the software from http://www.ossec.net/?page_id=169) and install it on the machines you want to monitor.

From the OSSEC install, point to the SO server's IP; for the Authentication Key, you need to get that from the Security Onion OSSEC software.

With root permission, go to /var/ossec/bin and run:

./manage_agents

(From here you can add each agent and, once you have it entered, select "E" and it will extract the authentication key that you need to copy and paste into the agent's Authentication Key box.)

You can use ./list_agents -c to see which agents are connected successfully.

BBCan177

Nov 25, 2013, 7:01:56 PM
to securit...@googlegroups.com
Forgot to answer your question, but you need to point OSSEC agents to the management IP (eth0).

BBCan177

Nov 25, 2013, 9:50:25 PM
to securit...@googlegroups.com
Don't forget to make changes to the OSSEC config file:

/var/ossec/etc/ossec.conf

In <remote>, you need to allow the IPs to connect. Also, you need to open up the port (UDP 1514) in UFW.
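An added check, written for this point in the thread and not code from the thread or the OSSEC project: it parses the <remote> block of a constructed ossec.conf, reports whether a given agent IP is covered by an allowed-ips entry ("any", a host IP or a CIDR range), and builds the matching UFW rule for the listener port. The config excerpt and the agent addresses are constructed sample data.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed ossec.conf excerpt (sample data, not a real SO config):
# the <remote> block where allowed-ips entries are added.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.10.20.0/24</allowed-ips>
    <allowed-ips>192.168.1.50</allowed-ips>
  </remote>
</ossec_config>
"""

def parse_remote(conf_text):
    """Return one dict per <remote> block with its listener settings."""
    root = ET.fromstring(conf_text)
    blocks = []
    for rem in root.iter("remote"):
        blocks.append({
            "connection": (rem.findtext("connection") or "").strip(),
            "port": int((rem.findtext("port") or "1514").strip()),  # OSSEC default
            "protocol": (rem.findtext("protocol") or "udp").strip().lower(),
            "allowed": [a.text.strip() for a in rem.findall("allowed-ips") if a.text],
        })
    return blocks

def ip_allowed(agent_ip, allowed):
    """True if agent_ip matches an allowed-ips entry: "any", a host IP, or a CIDR."""
    ip = ipaddress.ip_address(agent_ip)
    for entry in allowed:
        if entry == "any" or ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def check_agent(conf_text, agent_ip):
    """Return (admitted, ufw_rule): whether the 'secure' listener admits
    agent_ip, and the UFW rule the Security Onion host needs for that agent."""
    secure = [b for b in parse_remote(conf_text) if b["connection"] == "secure"]
    if not secure:
        return False, None  # no agent listener configured at all
    b = secure[0]
    rule = f"ufw allow from {agent_ip} to any port {b['port']} proto {b['protocol']}"
    return ip_allowed(agent_ip, b["allowed"]), rule

if __name__ == "__main__":
    for ip in ("10.10.20.7", "192.168.1.50", "172.16.0.9"):
        print(ip, check_agent(SAMPLE_OSSEC_CONF, ip))
```

An agent whose IP is not admitted will fail to register even if the UFW port is open, so run the check against the real /var/ossec/etc/ossec.conf before looking at the firewall.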

MrTjadhav

Nov 25, 2013, 10:23:03 PM
to securit...@googlegroups.com
Thank you bbcan177.

BBCan177

Nov 26, 2013, 7:35:22 PM
to securit...@googlegroups.com
Has anyone tried to install the OSSEC Web GUI (WUI)?

http://www.ossec.net/wiki/index.php/OSSECWUI:Install

Would there be any conflicts with Security Onion?

Thanks.

Matt Gregory

Nov 26, 2013, 8:11:26 PM
to securit...@googlegroups.com
Apache is already running on Security Onion, so possibly the only conflict might be the port it listens on; you'd have to change that so that it doesn't conflict with the web services Security Onion already has (i.e., the home page, ELSA, Snorby, Xplico, and Squert). Also, you'd have to check the install directory - I'm not sure if there is anything custom or out of the ordinary with Security Onion's Apache installation, or vice versa.

Matt
--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/groups/opt_out.

Doug Burks

Nov 26, 2013, 8:16:31 PM
to securit...@googlegroups.com
I think you could make this work, but what do you hope to get out of it that you can't already get with Squert or ELSA?


--
Doug Burks
http://securityonion.net

BBCan177

Nov 26, 2013, 8:58:25 PM
to securit...@googlegroups.com
You're right. I need to spend more time getting dashboards set up in ELSA. I found some interesting reports that might be useful to monitor.

It's always harder working from scratch.

Top-10 Alerts
Top-10 Suspicious
Top-10 Agents
Top-10 Attackers
Top-10 Locations
Events Timeline/Trend Level (not sure these two can be done in ELSA?)
