<h1>Getting OSSEC Server Logs into ELK stack</h1>

<p>By Sneh Patel, published 2019-10-12 at <a href="https://snehpatel.com/index.php/2019/10/12/getting-ossec-server-logs-into-elk-stack/">https://snehpatel.com/index.php/2019/10/12/getting-ossec-server-logs-into-elk-stack/</a></p>

<p>Monitoring logs is an important part of active defense, and OSSEC is an industry-standard HIDS, used inside popular commercial tools such as AlienVault OSSIM and USM.</p>

<p>Searching the internet you will find the official OSSEC web interface, but it is of little use if you want to do threat hunting or search through the raw logs. So let&#8217;s start with a tutorial to integrate OSSEC with the ELK stack.</p>

<p>NOTE: This tutorial was tested on CentOS 7 only.</p>

<p>Let&#8217;s start with the installation of the OSSEC server first.</p>

<ul class="wp-block-list"><li><code>yum install -y gcc inotify-tools bind-utils pcre-devel wget</code></li><li><code>wget -O ossec.tar.gz https://github.com/ossec/ossec-hids/archive/2.9.3.tar.gz</code></li><li><code>tar xfvz ossec.tar.gz</code></li><li><code>cd ossec-hids*</code></li><li><code>./install.sh</code></li><li>Edit <code>/var/ossec/etc/ossec.conf</code> and add the following block inside <code>&lt;ossec_config&gt;</code>, so that every alert is also forwarded as syslog to the Logstash listener on UDP port 5001 of the same host:</li></ul>

<pre class="wp-block-code"><code>&lt;syslog_output&gt;
    &lt;server&gt;127.0.0.1&lt;/server&gt;
    &lt;port&gt;5001&lt;/port&gt;
    &lt;format&gt;default&lt;/format&gt;
&lt;/syslog_output&gt;</code></pre>

<ul class="wp-block-list"><li><code>/var/ossec/bin/ossec-control enable client-syslog</code></li><li><code>/var/ossec/bin/ossec-control start</code></li></ul>

<p>Now let&#8217;s set up the ELK stack.</p>

<ul class="wp-block-list"><li>Install Java: <code>sudo yum install java-1.8.0-openjdk</code></li><li>Download the Logstash RPM from https://artifacts.elastic.co/downloads/logstash/logstash-7.3.1.rpm</li><li><code>rpm -Uvh logstash-*.rpm</code></li><li>Create the file <code>/etc/logstash/conf.d/OSSEC-logstash.conf</code> with the following content. The UDP input receives the syslog alerts from OSSEC, the grok filter splits each alert line into fields (alert level, rule id, description, location, user, source/destination IP and port) and drops the raw fields afterwards, and the output indexes the result into the local Elasticsearch:</li></ul>

<pre class="wp-block-code"><code>input {
  # stdin {}   # uncomment to paste sample alert lines for testing the grok pattern
  udp {
    port => 5001
    type => "ossec"
  }
}

filter {
  if [type] == "ossec" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}: Alert Level: %{NONNEGINT:Alert_Level}; Rule: %{NONNEGINT:Rule} - %{DATA:Description}; Location: %{DATA:Location}; (user: %{USER:User};%{SPACE})?(srcip: %{IP:Src_IP};%{SPACE})?(user: %{USER:User};%{SPACE})?(dstip: %{IP:Dst_IP};%{SPACE})?(src_port: %{NONNEGINT:Src_Port};%{SPACE})?(dst_port: %{NONNEGINT:Dst_Port};%{SPACE})?%{GREEDYDATA:Details}" }
      add_field => [ "ossec_server", "%{host}" ]
    }
    mutate {
      remove_field => [ "message", "syslog_timestamp", "syslog_program", "syslog_host", "syslog_message", "syslog_pid", "@version", "type", "host" ]
    }
  }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}</code></pre>

<ul class="wp-block-list"><li>Restart Logstash: <code>systemctl restart logstash</code></li><li>If systemd reports that the service is not found, generate the unit file first with <code>sudo /usr/share/logstash/bin/system-install /etc/logstash/startup.options systemd</code> and then restart it.</li><li>Download the Elasticsearch RPM from https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.3.1-x86_64.rpm</li><li><code>rpm -Uvh elasticsearch-*.rpm</code></li><li>Edit <code>/etc/elasticsearch/elasticsearch.yml</code> with the following changes:</li></ul>

<pre class="wp-block-code"><code>1. Change the cluster name to ossec (cluster.name: ossec)
2. Change the host IP address (network.host: 127.0.0.1)
3. node.name: ossec-server-node-1</code></pre>

<ul class="wp-block-list"><li><code>systemctl enable elasticsearch</code></li><li><code>systemctl start elasticsearch</code></li><li>Download the Kibana RPM from https://artifacts.elastic.co/downloads/kibana/kibana-7.3.1-x86_64.rpm</li><li><code>rpm -Uvh kibana-*.rpm</code></li><li>Edit <code>/etc/kibana/kibana.yml</code> with the following changes:</li></ul>

<pre class="wp-block-code"><code>1. Change the Elasticsearch connection information if needed (elasticsearch.hosts: ["http://127.0.0.1:9200"] in 7.x, or elasticsearch.url: "http://localhost:9200" in older releases)

2. Change the Kibana listen address to 0.0.0.0 (server.port: 5601, server.host: "0.0.0.0")</code></pre>

<ul class="wp-block-list"><li><code>systemctl enable kibana</code></li><li><code>systemctl start kibana</code></li><li>Try accessing your Kibana dashboard at http://server-ip:5601. If it is not reachable, open that port in iptables. Because server.host is 0.0.0.0, Kibana listens on every interface, so limit the iptables rule to the addresses that should reach it; Elasticsearch itself stays bound to 127.0.0.1 and is only reachable through Kibana and Logstash on the same host.</li></ul>

<p>REFERENCES:</p>

<p><a href="https://www.elastic.co/guide/en/logstash/current/configuration.html">https://www.elastic.co/guide/en/logstash/current/configuration.html</a></p>

<p><a href="https://elatov.github.io/2016/04/ossec-monitoring-with-splunk-and-elk/">https://elatov.github.io/2016/04/ossec-monitoring-with-splunk-and-elk/</a></p>

<p>Email me for help: x786@protonmail.ch</p>