ELSA on Security Onion

Martin Holste

Dec 8, 2011, 1:02:35 PM
to security-onion
I just downloaded Security Onion and installed from ISO on a VM. I
ran the ELSA installer as per
http://code.google.com/p/enterprise-log-search-and-archive/wiki/Quickstart
and it seemed to install just fine. You will need to add a couple of
configs to push logs from SecOnion into ELSA. Doug, feel free to
advise as appropriate, but here were some quick changes that got some
things working:

Add "*.* @127.0.0.1" to the end of /etc/rsyslog.d/50-default.conf.
This will have rsyslog forward all logs to ELSA.

For Snort, edit /etc/nsm/<sensor-interface>/barnyard2.conf and add:
output alert_syslog: LOG_LOCAL6 LOG_ALERT

To get Bro logs, follow the instructions on my blog here:
http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html
for exporting via syslog.

You can then access ELSA to view the system's logs with a web browser
on port 80.

Doug Burks

Dec 8, 2011, 1:30:00 PM
to securit...@googlegroups.com
Excellent, thanks Martin!

A few questions/thoughts:

- What's the best way to get OSSEC *alerts* into ELSA? The log file
is at /var/ossec/logs/alerts/alerts.log and it's a multi-line format.

- At some point, I'd like to turn on OSSEC's logall option to dump the
original single-line log entries to
/var/ossec/logs/archives/archives.log and have ELSA index these.

- What would it take to get ELSA to authenticate against the existing
Sguil user database?

- What's the best way to move the web interface to HTTPS on a non-standard port?

Thanks again!

Doug

--
Doug Burks
SANS GSE and Community Instructor
Security Onion | http://securityonion.blogspot.com
President, Greater Augusta ISSA | http://augusta.issa.org

Martin Holste

Dec 8, 2011, 2:12:06 PM
to securit...@googlegroups.com
> - What's the best way to get OSSEC *alerts* into ELSA?

http://dcid.me/2008/07/sending-ossec-alerts-via-syslog/ has a good
writeup. The synopsis: edit /var/ossec/etc/ossec.conf and add:

<syslog_output>
  <server>127.0.0.1</server>
</syslog_output>

> The log file
> is at /var/ossec/logs/alerts/alerts.log and it's a multi-line format.
>

As long as it sends UDP, the messages should get in there, multi-lines
and all. *crosses fingers*

> - At some point, I'd like to turn on OSSEC's logall option to dump the
> original single-line log entries to
> /var/ossec/logs/archives/archives.log and have ELSA index these.
>

I think the above config will do that. Otherwise, any flat file from
anywhere can be chucked into ELSA with the file() source in
/usr/local/syslog-ng/etc/syslog.conf.

> - What would it take to get ELSA to authenticate against the existing
> Sguil user database?
>

As an interesting side-note, there is now a PAM auth module for MySQL
via Percona: http://www.mysqlperformanceblog.com/2011/12/05/announcing-pam-authentication-plugin-for-mysql-early-access-release/.

That said, it should be relatively straightforward to add in that auth
since it's a module anyway. I'll see if I can get some time this
weekend.

> - What's the best way to move the web interface to HTTPS on a non-standard port?

Here's a snippet from the stock SLES Apache config that should do the trick:

<VirtualHost *:8443>
    DocumentRoot /usr/local/elsa/web/lib
    SetEnv ELSA_CONF /etc/elsa_web.conf
    <Location "/">
        Order Allow,Deny
        Allow from all
        # Hand every request to the ELSA Plack/PSGI app under mod_perl
        SetHandler perl-script
        PerlResponseHandler Plack::Handler::Apache2
        PerlSetVar psgi_app /usr/local/elsa/web/lib/Web.psgi
    </Location>
    # Cleanup proxied HTTP auth: re-export the Authorization header to the app
    RewriteEngine on
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]

    SSLEngine on
    # Stock SLES cipher list, kept on one line (the directive takes a single argument).
    # Note that "+" only reorders suites already selected by ALL, so LOW, RC4, EXP and
    # SSLv2 suites stay enabled; only "!" actually excludes a group.
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    # Workarounds for old MSIE SSL bugs
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /var/log/apache2/ssl_request_log ssl_combined
</VirtualHost>
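
The SSLCipherSuite line in that snippet is the stock SLES list, and it is worth checking what it actually enables before moving ELSA onto HTTPS. As an added example (not from the thread or the ELSA project), the Python script below implements the OpenSSL cipher-string rules from ciphers(1) (`!` kills permanently, `-` removes, `+` only reorders suites already selected, a bare keyword appends, `A+B` inside an item means both must match) over a small constructed cipher table and reports which weak suites survive a given string; the table, the `WEAK_TAGS` set and the `HARDENED` string are assumptions made for the demonstration.

```python
import re

# Constructed mini cipher table (not a real OpenSSL dump): name -> keyword tags it matches.
CIPHERS = {
    "AES256-SHA": {"ALL", "HIGH", "RSA", "AES", "SSLv3"},
    "DES-CBC3-SHA": {"ALL", "HIGH", "RSA", "3DES", "SSLv3"},
    "RC4-SHA": {"ALL", "MEDIUM", "RSA", "RC4", "SSLv3"},
    "DES-CBC-SHA": {"ALL", "LOW", "RSA", "DES", "SSLv3"},
    "EXP-RC4-MD5": {"ALL", "EXP", "EXPORT40", "RSA", "RC4", "SSLv3"},
    "EXP1024-DES-CBC-SHA": {"ALL", "EXP", "EXPORT56", "RSA", "DES", "SSLv3"},
    "ADH-AES256-SHA": {"ALL", "HIGH", "ADH", "aNULL", "AES", "SSLv3"},
    "NULL-SHA": {"eNULL", "RSA", "SSLv3"},  # eNULL suites are deliberately not in ALL
    "RC4-MD5": {"ALL", "MEDIUM", "RSA", "RC4", "SSLv2"},
}
# Tags a defender would not want to see on any enabled suite (assumed list for this example)
WEAK_TAGS = {"eNULL", "aNULL", "ADH", "EXP", "LOW", "RC4", "SSLv2"}


def expand_cipher_string(spec, table=CIPHERS):
    """Apply the OpenSSL cipher-list rules and return the enabled ciphers in order."""
    enabled, killed = [], set()
    for item in re.split(r"[:, ]+", spec.strip()):
        if not item or item.startswith("@"):  # skip empty items and @STRENGTH-style directives
            continue
        prefix, body = (item[0], item[1:]) if item[0] in "!-+" else ("", item)
        tags = body.split("+")  # "RC4+RSA" inside one item means AND: every tag must match
        matches = [c for c, t in table.items() if all(tag in t or tag == c for tag in tags)]
        if prefix == "!":      # permanently delete; later items cannot re-add these
            killed.update(matches)
            enabled = [c for c in enabled if c not in matches]
        elif prefix == "-":    # delete, but a later bare keyword may re-add
            enabled = [c for c in enabled if c not in matches]
        elif prefix == "+":    # only move already-enabled matches to the end of the list
            enabled = [c for c in enabled if c not in matches] + [c for c in enabled if c in matches]
        else:                  # bare keyword appends matches not already present or killed
            enabled += [c for c in matches if c not in enabled and c not in killed]
    return enabled


def weak_ciphers(spec, table=CIPHERS):
    """Return {cipher: [weak tags]} for every enabled cipher carrying a weak tag."""
    return {c: sorted(table[c] & WEAK_TAGS)
            for c in expand_cipher_string(spec, table) if table[c] & WEAK_TAGS}


SLES_STOCK = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
HARDENED = "HIGH:!aNULL:!eNULL:!EXP:!LOW:!RC4:!SSLv2"  # assumed restrictive list for comparison

if __name__ == "__main__":
    for label, spec in (("stock", SLES_STOCK), ("hardened", HARDENED)):
        print(label, expand_cipher_string(spec))
        print("  weak:", weak_ciphers(spec))
```

Against the constructed table the stock string keeps RC4, LOW, export and SSLv2 suites enabled (the `!` entries and `ALL` are what keep ADH, EXPORT56 and eNULL out), while the hardened string leaves only the HIGH suites.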

Liam Randall

Dec 8, 2011, 2:23:55 PM
to securit...@googlegroups.com
Martin,

You rock man.

Liam

Martin Holste

Dec 11, 2011, 4:58:54 PM
to securit...@googlegroups.com
Ok, I just added DB auth and included a (commented out by default)
example for using the Security Onion DB in web/conf/elsa.conf. If
you've already installed ELSA, just run the contrib/update_from_svn.sh
script and run "cpanm Authen::Simple::DBI" to install the Perl module.
If you're newly installing ELSA, it will be installed by default but
not enabled in the config.

Doug Burks

Dec 12, 2011, 9:26:04 AM
to securit...@googlegroups.com
Thanks so much, Martin!
Doug
