ossec 2.9 required for JSON output to logstash?


Fletcher Cocquyt

Jan 14, 2016, 3:45:50 PM
to Wazuh mailing list
Hi,

Is ossec 2.9 required for JSON output to logstash?
If so, what is the recommended way to upgrade from 2.8 to 2.9?

thanks!

Santiago Bassett

Jan 14, 2016, 3:53:20 PM
to Fletcher Cocquyt, Wazuh mailing list
This should help:


When running the "install.sh" script, it will ask you whether this is a new installation or you are updating an existing one. Choose the latter so it doesn't overwrite your client.keys file.

The script will also show the version (OSSEC 2.9 with Wazuh 1.0.1):

OSSEC HIDS v2.9.0 Installation Script - http://www.ossec.net

OSSEC WAZUH v1.0.1 Installation Script - http://www.wazuh.com


Best regards

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/8e678155-fd4a-4771-95b1-bb61d0c36239%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Fletcher Cocquyt

Jan 14, 2016, 5:34:18 PM
to Santiago Bassett, wa...@googlegroups.com
Thanks - I did the install, added the <jsonout_output>yes</jsonout_output>, restarted everything, and it looks good.

Cheers!

Santiago Bassett

Jan 14, 2016, 5:35:22 PM
to Fletcher Cocquyt, Wazuh mailing list
Awesome, did you get the Elasticsearch and Kibana dashboards to work?

Best

James Glaves

Feb 11, 2016, 5:04:15 AM
to Wazuh mailing list
I've just set up OSSEC + Wazuh + ELK from scratch to get to grips with it. I faced problems, as the alerts.json file was not created after running the Wazuh install.sh. Is the setup script supposed to add the json line to ossec.conf? Or was I supposed to add this manually? Just wondering if it's a bug with the installer or the documentation.

Since adding it manually, everything is working so far, inc. Dashboards. Happy days.

jjrbg

Conor Scully

Feb 11, 2016, 5:14:26 AM
to James Glaves, Wazuh mailing list
A kind of related question on upgrading from 2.8.2 to 2.9.x to enable JSON output.

Can I use the below steps to upgrade from vanilla OSSEC from the
atomic CentOS 7 repo to the latest OSSEC Wazuh fork?

" http://documentation.wazuh.com/en/latest/ossec_wazuh.html

When running the "install.sh" script, it will ask you if this is a new
installation or you are updating an existing one. Choose that one so it
doesn't overwrite your client.keys file."


CentOS Linux release 7.2.1511 (Core)

Installed Packages
Name : ossec-hids
Arch : x86_64
Version : 2.8.2
Release : 49.el7.art
Size : 163 k
Repo : installed
From repo : atomic
Summary : An Open Source Host-based Intrusion Detection System
URL : http://www.ossec.net/
License : GPL
Description : OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection
            : System (HIDS). It has a powerful correlation and analysis engine, integrating
            : log analysis, file integrity checking, Windows registry monitoring, centralized
            : policy enforcement, rootkit detection, real-time alerting and active response.
            : It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS,
            : Solaris and Windows.
            :
            : This package contains common files required for all packages.

Name : ossec-hids-server
Arch : x86_64
Version : 2.8.2
Release : 49.el7.art
Size : 4.1 M
Repo : installed
From repo : atomic
Summary : The OSSEC HIDS Server
URL : http://www.ossec.net/
License : GPL
Description : The ossec-hids-server package contains the server part of the
: OSSEC HIDS. Install this package on a central machine for
: log collection and alerting.

Regards,

Conor Scully
Security


Aeria Games GmbH
Berlin | Seoul | San Francisco

Conor....@aeriagames.com
http://www.aeriagames.com

GPG PublicKey: 9F4D ACEF 345E 4518 772D A99B 4C95 857E 8D14 9387

___________________________________________________

Berlin: Schlesische Str. 27, Aufgang C, 10997 Berlin
Seoul: 141-31 Samseongdong, EK Tower 4th Floor, Gangnam-gu, Seoul 135-876
San Francisco: 143 2nd Street, Suite #400, San Francisco, CA 94105

___________________________________________________

Sitz Berlin | Amtsgericht Berlin-Charlottenburg | HRB 114841 B |
Steueridentifikationsnr.: DE260816529
Geschäftsführer: Oliver Strutynski, Thomas Nichols

Pedro S

Feb 11, 2016, 5:51:59 AM
to Wazuh mailing list
Hi James,

I am glad you have OSSEC Wazuh installed successfully. We are still working every day to improve OSSEC's capabilities; next week we will release a new version, so don't forget to keep your installation up to date.

Regarding the jsonout_output setting: it is enabled by default with a Wazuh installation, but for several reasons, if you are migrating from the OSSEC fork to the Wazuh fork, jsonout_output is not activated in ossec.conf.
I mean, if you have a previous OSSEC version, jsonout_output is not included in the ossec.conf file. We will study this case again and add a note in the documentation.

Thanks so much for your interest, don't hesitate to ask if you have further questions.

Pedro S.

PS: We are preparing an awesome Kibana app, stay tuned!

Pedro S

Feb 11, 2016, 6:09:27 AM
to Wazuh mailing list, james...@gmail.com
Hi Conor,

Yes, you can. Follow the guide and you will have the Wazuh fork running.
Like James said in the previous post, don't forget to activate JSON output in the ossec.conf file:

  <global>
    <jsonout_output>yes</jsonout_output>
  </global>

Restart OSSEC to apply changes: /var/ossec/bin/ossec-control restart

I just installed OSSEC 2.8.2 from scratch, made the update following our guide to Wazuh 1.0.2, and everything is working properly. Please don't hesitate to ask if you encounter any problem.

Regards,

Pedro S.
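As an added example (this is not code from the thread, from Wazuh or from the OSSEC project), the script below does the check Pedro and James are talking about: it reports whether a live, uncommented <global> block of ossec.conf sets jsonout_output, and if it does not, it inserts <jsonout_output>yes</jsonout_output> with minimal changes to the rest of the file, so the result can be diffed before it replaces the real config and OSSEC is restarted. Commented-out occurrences are ignored, and a file with no <global> block at all gets one added. The sample configurations are constructed for illustration, and the default path /var/ossec/etc/ossec.conf is an assumption about where the file lives on the upgraded host.

```python
"""Check and, if needed, enable <jsonout_output> in an OSSEC/Wazuh ossec.conf.

ossec.conf is not a single-rooted XML document (a file may hold several
<ossec_config> blocks), so this works on the raw text, blanking XML comments
to same-length spaces so offsets into the original stay valid while
commented-out settings are ignored.
"""
import re
import sys

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
GLOBAL_BLOCK_RE = re.compile(r"<global>(.*?)</global>", re.S)
JSONOUT_RE = re.compile(r"<jsonout_output>\s*(yes|no)\s*</jsonout_output>", re.I)
# Opening tags on their own line; the captured indent keeps inserted lines aligned.
GLOBAL_OPEN_RE = re.compile(r"^(?P<indent>[ \t]*)<global>[ \t]*$", re.M)
OSSEC_CONFIG_OPEN_RE = re.compile(r"^(?P<indent>[ \t]*)<ossec_config>[ \t]*$", re.M)

ENABLED = "<jsonout_output>yes</jsonout_output>"


def _blank_comments(conf):
    """Replace every <!-- ... --> with spaces of equal length."""
    return COMMENT_RE.sub(lambda m: " " * (m.end() - m.start()), conf)


def jsonout_state(conf):
    """Return 'yes' or 'no' from the first live <global> block that sets it, else None."""
    live = _blank_comments(conf)
    for block in GLOBAL_BLOCK_RE.finditer(live):
        m = JSONOUT_RE.search(live, block.start(1), block.end(1))
        if m:
            return m.group(1).lower()
    return None


def enable_jsonout(conf):
    """Return conf with JSON alert output enabled, changing as little text as possible."""
    live = _blank_comments(conf)
    # Case 1: an explicit setting exists in a live <global>: keep 'yes', flip 'no'.
    for block in GLOBAL_BLOCK_RE.finditer(live):
        m = JSONOUT_RE.search(live, block.start(1), block.end(1))
        if m:
            if m.group(1).lower() == "yes":
                return conf
            return conf[:m.start()] + ENABLED + conf[m.end():]
    # Case 2: a <global> block exists without the setting (the migrated-from-2.8
    # situation described in the thread): add it as the block's first child.
    m = GLOBAL_OPEN_RE.search(live)
    if m:
        return conf[:m.end()] + f"\n{m.group('indent')}  {ENABLED}" + conf[m.end():]
    # Case 3: no <global> at all: add a whole block at the top of the first <ossec_config>.
    m = OSSEC_CONFIG_OPEN_RE.search(live)
    if m is None:
        raise ValueError("no <ossec_config> opening tag found on its own line")
    ind = m.group("indent")
    block = f"\n{ind}  <global>\n{ind}    {ENABLED}\n{ind}  </global>"
    return conf[:m.end()] + block + conf[m.end():]


# Constructed samples (not taken from the thread or from any real installation).
SAMPLE_UPGRADED_28 = """<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
  </alerts>
</ossec_config>
"""

SAMPLE_COMMENTED_OUT = """<ossec_config>
  <global>
    <!-- <jsonout_output>yes</jsonout_output> -->
    <email_notification>no</email_notification>
  </global>
</ossec_config>
"""

SAMPLE_DISABLED = """<ossec_config>
  <global>
    <jsonout_output>no</jsonout_output>
  </global>
</ossec_config>
"""

SAMPLE_NO_GLOBAL = """<ossec_config>
  <alerts>
    <log_alert_level>1</log_alert_level>
  </alerts>
</ossec_config>
"""

if __name__ == "__main__":
    # Usage: python enable_jsonout.py [/var/ossec/etc/ossec.conf] > ossec.conf.new
    # (default path is an assumption about the install location)
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec/etc/ossec.conf"
    with open(path) as fh:
        original = fh.read()
    sys.stderr.write(f"jsonout_output currently: {jsonout_state(original)}\n")
    sys.stdout.write(enable_jsonout(original))
```

Writing the result to a new file and diffing it against the original keeps the change reviewable; once it is in place, restart with /var/ossec/bin/ossec-control restart as Pedro says, and confirm that alerts.json starts being written in /var/ossec/logs/alerts/ before pointing Logstash at it.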

James Glaves

Feb 11, 2016, 6:25:41 AM
to Wazuh mailing list
Thanks Pedro. I'm keen on making OSSEC Wazuh work for us, and will keep an eye out for new releases. I followed the documentation step by step (which was very detailed) on a new Ubuntu server (I didn't migrate). I started by installing OSSEC 2.8.3, before running the Wazuh installer, which appears to upgrade it to v2.9.

Thanks for your support. Looking forward to seeing the forthcoming Kibana app!

James