Monitoring logs is an important part of active defense. With that being said OSSEC is an industry-standard for HIDS, as being used by many popular commercial tools like Alienvault OSSIM and USM.
Searching through the internet you will find official OSSEC web interface. But it cannot be of much use if you are looking forward to doing some threat hunting or wanted to search through some logs. Now let’s start with a tutorial to integrate OSSEC with ELK stack.
NOTE:- This tutorial is tested for centos 7 only.
Let’s start with the installation of the OSSEC server first.
- yum install -y gcc inotify-tools bind-utils pcre-devel wget
- wget -O ossec.tar.gz https://github.com/ossec/ossec-hids/archive/2.9.3.tar.gz
- tar xfvz ossec.tar.gz
- cd ossec-hids*
- ./install.sh
- Edit /var/ossec/etc/ossec.conf to add :
<syslog_output>
<server>127.0.0.1</server>
<port>5001</port>
<format>default</format>
</syslog_output>
- /var/ossec/bin/ossec-control enable client-syslog
- /var/ossec/bin/ossec-control start
Now let’s start setting up ELK stack
- Now install java using: sudo yum install java-1.8.0-openjdk
- Download logstash rpm file from https://artifacts.elastic.co/downloads/logstash/logstash-7.3.1.rpm
- rpm -Uvh logstash-*.rpm
- Add file in logstash directory: /etc/logstash/conf.d/OSSEC-logstash.conf with following content:
input {
# stdin{}
udp {
port => 5001
type => "ossec"
}
}
filter {
if [type] == "ossec" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}: Alert Level: %{NONNEGINT:Alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:Location}; (user: %{USER:User};%{SPACE})?(srcip: %{IP:Src_IP};%{SPACE})?(user: %{USER:User};%{SPACE})?(dstip: %{IP:Dst_IP};%{SPACE})?(src_port: %{NONNEGINT:Src_Port};%{SPACE})?(dst_port: %{NONNEGINT:Dst_Port};%{SPACE})?%{GREEDYDATA:Details}" }
add_field => [ "ossec_server", "%{host}" ]
}
mutate {
remove_field => [ "message","syslog_timestamp", "syslog_program", "syslog_host", "syslog_message", "syslog_pid", "@version", "type", "host" ]
}
}
}
output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}
- Now try restarting the logstash using following command: systemctl restart logstash
- Or try this command is service not found: sudo /usr/share/logstash/bin/system-install /etc/logstash/startup.options systemd
- Download Elasticsearch rpm file from https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.3.1-x86_64.rpm
- rpm -Uvh elasticsearch-*.rpm
- Edit elasticsearch file in /etc/elasticsearch/elasticsearch.yml with following changes:
1. Change cluster name to ossec
2. Change the host ip address (network.host: 127.0.0.1)
3. node.name: ossec-server-node-1
- systemctl enable elasticsearch
- systemctl start elasticsearch
- Download Kibana rpm file from https://artifacts.elastic.co/downloads/kibana/kibana-7.3.1-x86_64.rpm
- rpm -Uvh kibana-*.rpm
- Edit kibana file in /etc/kibana/kibana.yml with following changes:
1. Change elasticsearch information if needed. (elasticsearch.hosts: ["http://127.0.0.1:9200"] or elasticsearch.url: "http://localhost:9200")
2. Change kibana ip address to 0.0.0.0 (server.port: 5601, server.host: "0.0.0.0")
- systemctl enable kibana
- systemctl start kibana
- Try accessing you kibana dashboard at http://server-ip:5601 if not able to try opening specific port in iptables
REFERENCES:
https://www.elastic.co/guide/en/logstash/current/configuration.html
https://elatov.github.io/2016/04/ossec-monitoring-with-splunk-and-elk/
Email me for help : x786@protonmail.ch
This was really helpful, Please make more most like these.