2013.11.23 16:35

OSSEC Log Management with Elasticsearch

Log Management System Architecture

The OSSEC log management system I’ll discuss here relies on three open source technologies, in addition to OSSEC:

  • Logstash – Parses syslog data and stores it in Elasticsearch
  • Elasticsearch – General purpose indexing and data storage system
  • Kibana – User interface that comes with Elasticsearch

Logstash is configured to receive OSSEC syslog output, parse it and forward it to Elasticsearch for indexing and long-term storage. Kibana makes it easy to submit queries to Elasticsearch and display the results in a number of user-designed dashboards. So the steps involved in developing an OSSEC log management system with Elasticsearch are:

  1. Configure OSSEC to output alerts to syslog.
  2. Install and configure Logstash to input OSSEC alerts, parse them and input the fields to Elasticsearch.
  3. Install and configure Elasticsearch to store OSSEC alerts from Logstash.
  4. Install and configure Kibana to work with Elasticsearch.

Configure OSSEC Syslog Output

To keep this article as brief as possible, I won’t go over how to install OSSEC. That is well documented on the OSSEC Project website. To configure OSSEC to send alerts to another system via syslog follow these steps:

  1. Login as root to the OSSEC server.
  2. Open /var/ossec/etc/ossec.conf in an editor.
  3. Let’s assume you want to send the alerts to a syslog server at 10.0.0.1 listening on UDP port 9000. Add these lines to ossec.conf right above the </ossec_config> statement:
    <syslog_output>
       <server>10.0.0.1</server>
       <port>9000</port>
       <format>default</format>
    </syslog_output>
  4. Enable syslog output with this command:
    /var/ossec/bin/ossec-control enable client-syslog
  5. Restart the OSSEC server with this command:
    /var/ossec/bin/ossec-control start

Install and Configure Logstash

Now Logstash needs to be configured to receive OSSEC syslog output on UDP port 9000, or whatever port you decide to use. The easiest way to do that is to use the precompiled Logstash JAR, which includes all the necessary core functionality and plugins you need. The version of Logstash used for this article was logstash-1.3.3-flatjar.jar. Note that Logstash as of version 1.4.x is run differently than documented here.

The configuration file you need to capture and parse syslog input is adapted from the rsyslog recipe in the Logstash cookbook, with a few OSSEC-specific tweaks derived from a blog post by Dan Parriott, my colleague on the OSSEC Project team, who was an early adopter of Logstash and Elasticsearch. The line numbers are referenced in the walkthrough that follows:

 1  input {
 2  # stdin{}
 3    udp {
 4       port => 9000
 5       type => "syslog"
 6    }
 7  }
 8  
 9  filter {
10    if [type] == "syslog" {
11      grok {
12        match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}: Alert Level: %{BASE10NUM:Alert_Level}; Rule: %{BASE10NUM:Rule} - %{GREEDYDATA:Description}; Location: %{GREEDYDATA:Details}" }
13        add_field => [ "ossec_server", "%{host}" ]
14      }
15      mutate {
16        remove_field => [ "syslog_hostname", "syslog_message", "syslog_pid", "message", "@version", "type", "host" ]
17      }
18    }
19  }
20  
21  output {
22  #  stdout {
23  #    codec => rubydebug
24  #  }
25     elasticsearch_http {
26       host => "10.0.0.1"
27     }
28  }

Lines [1 – 7] Every Logstash syslog configuration file contains input, filter and output sections. The input section in this case tells Logstash to listen for syslog UDP packets on any IP address and port 9000. For debugging you can uncomment line 2 to get input from stdin. This is handy when testing your parsing code in the filter section.

Lines [9 – 11] The filter section splits up each incoming syslog line, which Logstash places in the input field called “message”, using the “match” directive. Logstash grok filters do the basic pattern matching and parsing. You can get a detailed explanation of how grok works on the Logstash grok documentation page. The syntax for parsing fields is %{<pattern>:<field>}, where <pattern> is what will be searched for and <field> is the name of the field that receives the matched text.

Line [12] The syslog_timestamp, syslog_host, syslog_program and syslog_pid fields are parsed first. The next three fields are specific to OSSEC: Alert_level, Rule and Description. The remainder of the message is placed into Details. Here is the parsing sequence for these fields:

  1. Alert_level – skip past the " Alert level: " string, then extract the numeric characters up to the next space.
  2. Rule – skip past the " Rule: " string, then extract the numeric characters up to the " - " string.
  3. Description – skip past the " - " string, then extract any characters, including spaces, up to the "; Location: " string.
  4. Details – skip past the "; Location: " string, then extract the remaining characters, including spaces, from the original “message” field.

Line [13] The host field, containing the name of the host on which Logstash is running, is mapped to the logstash_host field with the add_field directive in grok.

Lines [15 – 17] Once all the fields are parsed, the extraneous fields are trimmed from the output with the remove_field directive in the mutate section.

Lines [21 – 24] The output section sends the parsed output to Elasticsearch or to stdout. You can uncomment the stdout block with its codec => rubydebug statement to output the parsed fields in JSON format for debugging.

Lines [25 – 26] The elasticsearch_http directive sends the Logstash output to the Elasticsearch instance running at the IP address specified by the host field. In this case Elasticsearch is running at IP address 10.0.0.1.
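As an added illustration (not part of the original post), here is a Python re-implementation of the filter section's grok, add_field and remove_field steps, run over a few constructed OSSEC syslog alert lines; the regexes are my own approximations of Logstash's SYSLOGTIMESTAMP, SYSLOGHOST, DATA, BASE10NUM and GREEDYDATA patterns, and the sample lines and the host value passed in are constructed. It also counts alerts per rule id, which is the grouping a Kibana query such as Rule = 5716 shows in the EVENTS OVER TIME panel described later.

```python
import re
from collections import Counter

# Hand-translated approximations of the grok patterns used in logstash.conf
# (my own regexes, not Logstash's pattern library).
SYSLOGTIMESTAMP = r"(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})"
SYSLOGHOST = r"(?P<syslog_host>[A-Za-z0-9._-]+)"
DATA = r"(?P<syslog_program>.*?)"   # grok DATA is non-greedy
NUM = r"\d+"                        # BASE10NUM narrowed to integers, which is what OSSEC emits

OSSEC_ALERT_RE = re.compile(
    rf"^{SYSLOGTIMESTAMP} {SYSLOGHOST} {DATA}: "
    rf"Alert Level: (?P<Alert_Level>{NUM}); "
    rf"Rule: (?P<Rule>{NUM}) - (?P<Description>.*); "   # GREEDYDATA: backtracks to the last '; Location: '
    rf"Location: (?P<Details>.*)$"
)

# Fields dropped by the mutate { remove_field => [...] } block.
REMOVED_FIELDS = ("syslog_hostname", "syslog_message", "syslog_pid",
                  "message", "@version", "type", "host")


def parse_ossec_alert(message, host):
    """Replay the filter section for one syslog line.

    `host` stands in for the event's host field as set by the udp input.
    On a match the OSSEC fields are extracted, ossec_server is added from
    host, and the extraneous fields are removed. A line that does not match
    gets the '_grokparsefailure' tag Logstash would add; unlike Logstash,
    the raw message is kept in that case so the operator can see what failed.
    """
    event = {"message": message, "host": host, "@version": "1", "type": "syslog"}
    m = OSSEC_ALERT_RE.match(message)
    if m is None:
        event["tags"] = ["_grokparsefailure"]
        return event
    event.update(m.groupdict())
    event["ossec_server"] = host          # add_field => [ "ossec_server", "%{host}" ]
    for field in REMOVED_FIELDS:
        event.pop(field, None)
    return event


def alerts_by_rule(messages, host="10.0.0.1"):
    """Count parsed alerts per OSSEC rule id plus the number of unparseable
    lines. The per-rule count is what a Kibana query such as Rule = 5716
    shows on the EVENTS OVER TIME panel."""
    counts = Counter()
    failures = 0
    for msg in messages:
        event = parse_ossec_alert(msg, host)
        if "_grokparsefailure" in event.get("tags", []):
            failures += 1
        else:
            counts[event["Rule"]] += 1
    return dict(counts), failures


# Constructed sample lines in the shape of OSSEC's default syslog_output (not real alerts).
SAMPLE_ALERTS = [
    "Nov 23 16:35:01 ossec-server ossec: Alert Level: 5; Rule: 5716 - SSHD authentication failed.; "
    "Location: (web01) 10.0.0.5->/var/log/auth.log; srcip: 192.0.2.10; user: root; "
    "Nov 23 16:35:00 web01 sshd[2211]: Failed password for root from 192.0.2.10 port 51022 ssh2",
    "Nov 23 16:35:07 ossec-server ossec: Alert Level: 7; Rule: 550 - Integrity checksum changed.; "
    "Location: (web01) 10.0.0.5->syscheck; File '/etc/passwd' checksum changed.",
    "Nov 23 16:35:09 ossec-server ossec: Alert Level: 5; Rule: 5716 - SSHD authentication failed.; "
    "Location: (db01) 10.0.0.6->/var/log/auth.log; srcip: 192.0.2.10; user: admin; "
    "Nov 23 16:35:08 db01 sshd[918]: Failed password for admin from 192.0.2.10 port 51030 ssh2",
    "Nov 23 16:35:10 ossec-server ossec: ossec-remoted: INFO: Started (pid: 1201).",  # no alert fields
]

if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        print(parse_ossec_alert(line, "10.0.0.1"))
    print(alerts_by_rule(SAMPLE_ALERTS))
```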

Assuming you saved your configuration in a file called logstash.conf that resides in the same directory as Logstash itself, run Logstash with this command:

java -jar logstash-1.3.3-flatjar.jar agent -f ./logstash.conf

You’ll need at least Java 1.6 on your system to be able to run this command.

Install and Configure Elasticsearch

The easiest way to install Elasticsearch is from RPM or DEB packages. I use CentOS most of the time, so I’ll discuss how to install from RPMs. You can install Elasticsearch as a cluster, but to keep things simple I’ll cover installation on a single server and will assume that it is the same system where Logstash is installed.

With that said, here is how you install and configure Elasticsearch:

  1. Download the RPMS:
    wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-0.90.7.noarch.rpm --no-check-certificate
  2. Login as root.
  3. Install the RPMs with this command:
    rpm -Uvh elasticsearch-0.90.7.noarch.rpm
  4. The RPM will install Elasticsearch in /usr/share/elasticsearch and the configuration files /etc/elasticsearch/elasticsearch.yml and /etc/sysconfig/elasticsearch. It also creates a service script to start, stop and check the status of Elasticsearch. Start Elasticsearch with the service command:
    service elasticsearch start

By default, the Elasticsearch data files are kept in /var/lib/elasticsearch and logs in /var/log/elasticsearch. You can change that in elasticsearch.yml, but for now leave them as is. However, let’s set the name of the Elasticsearch cluster to “mycluster” to match the cluster name setting from the Logstash config file of the previous section. To do that, open /etc/elasticsearch/elasticsearch.yml and set the following line as shown:

# Cluster name identifies your cluster for auto-discovery. If you're running
# multiple clusters on the same network, make sure you're using unique names.
#
cluster.name: mycluster

Install and Configure Kibana

At this point you can collect OSSEC alerts and query them with the Elasticsearch RESTful API. Elasticsearch also provides a web console called Kibana, which lets you build dashboards that post queries to your Elasticsearch backend automatically. To install and configure Kibana, follow this procedure:

  1. Download Kibana
    wget https://download.elasticsearch.org/kibana/kibana/kibana-3.0.0milestone4.zip --no-check-certificate
  2. Unzip the downloaded package.
  3. Copy the src directory from the unzipped Kibana directory to your Apache htdocs directory or Tomcat webapps directory, depending on which web server you are using.
  4. Change the name of the source directory to “kibana”.
  5. Open the kibana/config.js file in an editor.
  6. Change the “elasticsearch:” field value to the IP address of your Elasticsearch system. For the example system I’ve been using so far the IP would be 10.0.0.1 so the line would look like this (including the comma):
    elasticsearch: "http://10.0.0.1:9200",

To test the installation, open the Kibana URL – http://10.0.0.1/kibana/ – in a browser. You should get a screen that looks like this:

To get to the console screen, click on the Logstash Dashboard link in the Yes bullet point under Are you a Logstash User?

Query Elasticsearch with Kibana

If you let your OSSEC system run for a while you should have collected some alerts that were stored in Elasticsearch. After going to the Logstash Dashboard, you’ll see a screen that has some panels on it. The top panel queries Elasticsearch for all alerts by default.

To get specific alerts, enter a query string for one of the OSSEC fields, such as "Rule = 70001"; the results then appear in the panel called EVENTS OVER TIME, which shows counts of the events returned from Elasticsearch over time. You can run additional queries by clicking the plus icon next to the most recent query, entering the new query string and clicking the magnifying glass icon. The illustration below shows results for three queries that I entered looking for alerts for OSSEC rules 700001, 591 and 700012.

The alert fields are displayed in the panel below EVENTS OVER TIME. You select the fields you want to see by clicking the checkboxes in the Fields list shown in the lower left-hand corner of the illustration. In this case, I’ve selected @timestamp, Alert_level, Rule, Description and Details.

As new alerts are stored in Elasticsearch, they will appear in the Kibana console when you refresh the screen in your browser. Alternatively, you can have the console refresh automatically by clicking the time scale menu item (labeled "a day ago to a few seconds ago"), then selecting Auto-refresh > and one of the refresh intervals, which range from seconds to 1 day. The panels will then refresh at the interval you specified and new alerts will pop up on the screen, assuming those OSSEC alerts are being generated on your OSSEC agent systems.

When you get this system working try experimenting with different queries for other OSSEC alerts. I’ve just scratched the surface of what can be done with Elasticsearch.



Source: vichargrave.com


2013.11.12 19:50

OSSEC Server, Client, Web UI and Analogi Dashboard Installation tutorial

OSSEC is an open source host-based intrusion detection system that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. It also includes agentless monitoring for use with, for example, Cisco, HP or Juniper hardware.

This tutorial covers the installation of the OSSEC server, the standard OSSEC Web UI and the Analogi dashboard on Ubuntu 12.04. It also covers OSSEC setup with MySQL support, including a Makefile bugfix. Last but not least it shows you how to install the OSSEC agent on a *NIX system.

There is a new version of OSSEC, 2.8. There is also a new version of this tutorial, for the new OSSEC and for Ubuntu 14.04. Click here to read it.

This tutorial is written for an Ubuntu 12.04 OSSEC server, but can easily be adapted to other *NIX operating systems. It only covers basic OSSEC client/server configuration, not automatic blocking or comprehensive configuration settings. It gets you started; the rest is available in the documentation: http://www.ossec.net/doc/

Steps

  • Installing development packages
  • Installing Apache, PHP and MySQL
  • Configuring MySQL
  • Compiling the OSSEC server
    • Makefile fix for Ubuntu
  • Basic OSSEC setup with MySQL
  • Installing OSSEC Web UI
  • Installing Analogi Web Dashboard
  • Installing and configuring a client

Requirements

  • An Ubuntu 12.04 server
  • Apache2, PHP, MySQL and development packages
  • OSSEC clients to monitor (*NIX or Windows machines, Cisco switches etc).

Installing development packages

OSSEC is installed from source, so you need the development packages. This applies to both the OSSEC clients and the OSSEC server:

apt-get install build-essential make libssl-dev

Installing Apache, MySQL and PHP

This is fairly simple on Ubuntu. It is all covered with apt:

apt-get install mysql-server libmysqlclient-dev mysql-client apache2 php5 libapache2-mod-php5 php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

Remember to set a strong root password for MySQL. Next, harden MySQL with the secure installation script:

mysql_secure_installation

Accept all the suggested options. Now restart all required services (on Ubuntu the MySQL init script is called mysql, not mysqld):

/etc/init.d/apache2 restart
/etc/init.d/mysql restart

Compiling the OSSEC server

Download and verify OSSEC, either via wget or from the website: http://www.ossec.net/?page_id=19

wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz

md5sum ossec-hids-2.7.tar.gz
ossec-hids-2.7.tar.gz: 71cd21a20f22b8eafffa3b57250f0a70

From the OSSEC website:

MD5(ossec-hids-2.7.tar.gz)= 71cd21a20f22b8eafffa3b57250f0a70
SHA1(ossec-hids-2.7.tar.gz)= 721aa7649d5c1e37007b95a89e685af41a39da43

If it is correct, then extract it:

tar -xf ossec-hids-2.7.tar.gz
cd ossec-hids-2.7

We first need to fix MySQL support in the installation. Read on:

Makefile fix for Ubuntu

Because of some Ubuntu specific errors in compiling with MySQL support we need to edit the MySQL Makefile:

cd src
vim os_dbd/Makefile

Change this line:

${CC} ${CFLAGS} ${OS_LINK} ${DBFLAGS} ${CDB} ${LOCAL} ${OBJS} -o ${NAME}

To this:

 ${CC} ${CFLAGS} ${OS_LINK} ${DBFLAGS} ${LOCAL} ${OBJS} -o ${NAME} ${CDB}

This is only needed on Ubuntu; Debian works fine without it.

Run:

make setdb
Error: PostgreSQL client libraries not installed.
Info: Compiled with MySQL support.

Continue with the compilation/installation:

cd ../
./install.sh

  ** For installation in English, choose [en].
 OSSEC HIDS v2.7 Installation Script - http://www.ossec.net

 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail
 to dcid@ossec.net (or daniel.cid@gmail.com).

  - System: Linux vps1.sparklingclouds.nl 3.2.0-042stab076.8
  - User: root
  - Host: vps1.sparklingclouds.nl
  -- Press ENTER to continue or Ctrl-C to abort. --
1- What kind of installation do you want (server, agent, local, hybrid or help)? server
  - Server installation chosen.

2- Setting up the installation environment.
 - Choose where to install the OSSEC HIDS [/var/ossec]:
    - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.
  3.1- Do you want e-mail notification? (y/n) [y]:
   - What's your e-mail address? ossec@example.org
   - We found your SMTP server as: mail.raymii.org.
   - Do you want to use it? (y/n) [y]: y
   --- Using SMTP server:  mail.raymii.org.

  3.2- Do you want to run the integrity check daemon? (y/n) [y]:
   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
   - Running rootcheck (rootkit detection).

  3.4- Active response allows you to execute a specific
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.
       More information at:
       http://www.ossec.net/en/manual.html#active-response

   - Do you want to enable active response? (y/n) [y]:
     - Active response enabled.

   - By default, we can enable the host-deny and the
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans,
     portscans and some other forms of attacks. You can
     also add them to block on snort events, for example.

   - Do you want to enable the firewall-drop response? (y/n) [y]:
     - firewall-drop enabled (local) for levels >= 6

   - Default white list for the active response:
      - 205.185.112.68
      - 205.185.112.69
   - Do you want to add more IPs to the white list? (y/n)? [n]:

  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:
   - Remote syslog enabled.

  3.6- Setting the configuration to analyze the following logs:
    -- /var/log/messages
    -- /var/log/auth.log
    -- /var/log/syslog
    -- /var/log/mail.info
    -- /var/log/dpkg.log

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .
   --- Press ENTER to continue ---

5- Installing the system
 - Running the Makefile
INFO: Little endian set.

 *** Making zlib (by Jean-loup Gailly and Mark Adler)  ***
[...]
 *** Making os_xml ***
[...]
 *** Making os_regex ***
[...]
 *** Making os_net ***
[...]
 *** Making shared ***
[...]
 *** Making config ***
[...]
 *** Making os_maild ***
[...]
 *** Making os_dbd ***
[...]
 *** Making os_csyslogd ***
[...]
 *** Making agentlessd ***
[...]
 *** Making os_execd ***
[...]
 *** Making analysisd ***
[...]
 *** Making logcollector ***
[...]
 *** Making remoted ***
[...]
 *** Making client-agent ***
[...]
 *** Making addagent ***
[...]
 *** Making util ***
[...]
 *** Making rootcheck ***
[...]
 *** Making syscheckd ***
[...]
 *** Making monitord ***
[...]
 *** Making os_auth ***
[...]

 - System is Debian (Ubuntu or derivative).
 - Init script modified to start OSSEC HIDS during boot.
 - Configuration finished properly.
 - To start OSSEC HIDS:
                /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:
                /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
    Thanks for using the OSSEC HIDS.
    If you have any question, suggestion or if you find any bug,
    contact us at contact@ossec.net or using our public maillist at
    ossec-list@ossec.net
    ( http://www.ossec.net/main/support/ ).
    More information can be found at http://www.ossec.net
    ---  Press ENTER to finish (maybe more information below). ---

 - In order to connect agent and server, you need to add each agent to the server.
   Run the 'manage_agents' to add or remove them:

   /var/ossec/bin/manage_agents

   More information at:
   http://www.ossec.net/en/manual.html#ma

OSSEC is now installed. Restart it:

/var/ossec/bin/ossec-control restart

Continue to the next step for MySQL setup.

Configuring MySQL

We need to create a user and database for OSSEC. Go to a MySQL shell:

mysql -u root -p
Enter password:
[...]

mysql> create database ossec;
Query OK, 1 row affected (0.02 sec)

grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossec_u;
Query OK, 0 rows affected (0.00 sec)

set password for ossec_u = PASSWORD('Passw0rd');
Query OK, 1 row affected (0.01 sec)

flush privileges;
Query OK, 0 rows affected (0.00 sec)

quit;

The database also needs a schema. OSSEC provides a schema, it is located in the extracted OSSEC folder, src/os_dbd. Import it into MySQL:

mysql -u root -p ossec < src/os_dbd/mysql.schema

That's it for the database setup. Continue to see the OSSEC configuration.

OSSEC MySQL configuration

We have to add the database config to /var/ossec/etc/ossec.conf:

<ossec_config>
    <database_output>
        <hostname>127.0.0.1</hostname>
        <username>ossec_u</username>
        <password>Passw0rd</password>
        <database>ossec</database>
        <type>mysql</type>
    </database_output>
</ossec_config>

Save it, then enable the database in OSSEC:

/var/ossec/bin/ossec-control enable database
/var/ossec/bin/ossec-control restart 

Installing OSSEC Web UI

This is also quite simple. Because we've already set up Apache and PHP, we can just download the web UI and extract to /var/www/:

wget http://www.ossec.net/files/ossec-wui-0.8-beta-1.tar.gz
tar -xf ossec-wui-0.8-beta-1.tar.gz
mkdir /var/www/ossec/
mv ossec-wui-0.8-beta-1/* /var/www/ossec/
chown www-data:www-data /var/www/ossec/tmp/
chmod 666 /var/www/ossec/tmp

We use the web UI beta because there are a lot of errors (like broken search) in the stable 0.3 version. We also set the correct permissions on the tmp/ folder. Afterwards the web UI is visible at http://hostname/ossec/.

Installing Analogi Web Dashboard

The Analogi dashboard is a nice and informative dashboard for OSSEC, which provides more visual information than the standard Web UI. The standard Web UI has better search functions; the dashboard is better suited to, for example, a wall-mounted monitor.

Installation consists of cloning the git repository and filling in the settings file:

cd /var/www
git clone https://github.com/ECSC/analogi.git
cp analogi/db_ossec.php.new analogi/db_ossec.php
vim analogi/db_ossec.php        

Edit the relevant settings for the MySQL database configuration. When correctly configured, the Analogi web interface can be found at http://hostname/analogi/.

The OSSEC server is now correctly set up.

Client installation

Download and verify the OSSEC stable .tar.gz file as described above. This time, do an agent installation. See the output below:

root@testclient:~/ossec-hids-2.7# ./install.sh

  ** For installation in English, choose [en].
  [...]
  (en/br/cn/de/el/es/fr/hu/it/jp/nl/pl/ru/sr/tr) [en]:
 OSSEC HIDS v2.7 Installation Script - http://www.ossec.net

 You are about to start the installation process of the OSSEC HIDS.
 You must have a C compiler pre-installed in your system.
 If you have any questions or comments, please send an e-mail
 to dcid@ossec.net (or daniel.cid@gmail.com).

  - System: Linux testclient.raymii.nl 3.8.0-21-generic-pae
  - User: root
  - Host: testclient.raymii.nl

  -- Press ENTER to continue or Ctrl-C to abort. --

1- What kind of installation do you want (server, agent, local, hybrid or help)? agent
  - Agent(client) installation chosen.

2- Setting up the installation environment.
 - Choose where to install the OSSEC HIDS [/var/ossec]:
    - Installation will be made at  /var/ossec .

3- Configuring the OSSEC HIDS.
./install.sh: 372: ./install.sh: [[: not found

  3.2- Do you want to run the integrity check daemon? (y/n) [y]: y
   - Running syscheck (integrity check daemon).

  3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
   - Running rootcheck (rootkit detection).

  3.4 - Do you want to enable active response? (y/n) [y]:

  3.5- Setting the configuration to analyze the following logs:
    -- /var/log/auth.log
    -- /var/log/syslog
    -- /var/log/dpkg.log

 - If you want to monitor any other file, just change
   the ossec.conf and add a new localfile entry.
   Any questions about the configuration can be answered
   by visiting us online at http://www.ossec.net .

   --- Press ENTER to continue ---

5- Installing the system
 - Running the Makefile
INFO: Little endian set.

Client OSSEC config

Adding a client to OSSEC is quite simple. First you add the client to the server, which gives you a key. Then you add this key to the client, edit the config file on the client and that's it.

First we need to generate a key on the OSSEC server for this client. We do this by running /var/ossec/bin/manage_agents, choosing option A, then entering the hostname, IP and ID for the client we want to add. Do these steps on the OSSEC server:

root@ossec:~# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.7 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: a

- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent: testclient
   * The IP Address of the new agent: 10.0.51.32
   * An ID for the new agent[001]:
Agent information:
   ID:001
   Name:testclient
   IP Address:10.0.51.32

Confirm adding it?(y/n): y
Agent added.

Now we find out the key for the OSSEC client:

root@ossec:~# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.7 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: e

Available agents:
   ID: 001, Name: testclient, IP: 10.0.51.32
Provide the ID of the agent to extract the key (or '\q' to quit): 001

Agent key information for '001' is:
SD[...]AAUjd=

** Press ENTER to return to the main menu.

Then switch to the OSSEC client and run manage_agents there:

root@ossec:~# /var/ossec/bin/manage_agents

****************************************
* OSSEC HIDS v2.7 Agent manager.     *
* The following options are available: *
****************************************
   (I)mport key from the server (I).
   (Q)uit.
Choose your action: I or Q: i

* Provide the Key generated by the server.
* The best approach is to cut and paste it.
*** OBS: Do not include spaces or new lines.

Paste it here (or '\q' to quit): SD[...]AAUjd=

Agent information:
   ID:001
   Name:testclient
   IP Address:10.0.51.32

Confirm adding it?(y/n): y
Added.
** Press ENTER to return to the main menu.

And then this needs to be in the /var/ossec/etc/ossec.conf file:

<client>
  <server-hostname>ossec.raymii.nl</server-hostname>
</client>

Where ossec.raymii.nl is the hostname or IP address of your OSSEC server.

Now restart the OSSEC agent:

/var/ossec/bin/ossec-control restart
Killing ossec-monitord ..
Killing ossec-logcollector ..
Killing ossec-remoted ..
Killing ossec-syscheckd ..
Killing ossec-analysisd ..
Killing ossec-maild ..
Killing ossec-execd ..
Killing ossec-dbd ..
ossec-agentlessd not running ..
OSSEC HIDS v2.7 Stopped
Starting OSSEC HIDS v2.7 (by Trend Micro Inc.)...
Started ossec-dbd...
Started ossec-agentlessd...
Started ossec-maild...
Started ossec-execd...
Started ossec-analysisd...
Started ossec-logcollector...
Started ossec-remoted...
Started ossec-syscheckd...
Started ossec-monitord...
Completed.

That's it. Repeat these steps for any client that needs to be added. There are both Puppet modules and Chef cookbooks to manage this process.

Bonus Tips

Here are a few bonus tips/config examples for OSSEC:

Ignoring rules

To ignore rules by rule id, add them to the XML file /var/ossec/rules/local_rules.xml, either on an OSSEC client (to ignore them on that one machine) or on the OSSEC server (to ignore them on all machines):

<!-- Specify here a list of rules to ignore. -->
<!-- 3334 postfix start  -->
<!-- 3333 postfix stop -->
<rule id="100030" level="0">
    <if_sid>3333, 3334</if_sid>
    <description>List of rules to be ignored.</description>
</rule>

Monitoring additional log files

The OSSEC agent by default only monitors a few log files. To add more, edit the /var/ossec/etc/ossec.conf file and add a block like this:

<localfile>
    <location>/var/log/*</location>
    <log_format>syslog</log_format>
</localfile>

This will add all files under /var/log. That might be a lot; you can also add multiple <localfile> blocks with individual filenames.

Firewall

You need to allow UDP port 1514 between OSSEC server and clients. Otherwise you get errors like this:

2013/09/06 19:53:00 ossec-agentd: INFO: Using IPv4 for: 10.0.51.31 .
2013/09/06 19:53:21 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'ossec.raymii.nl/10.0.51.31'.

Removing OSSEC

If you want to remove OSSEC, either the client or the server, read this tutorial. It covers all the steps required to uninstall OSSEC.



Source: raymii.org



2013.11.05 19:57

Configuring OSSEC with MySQL and Analogi


I have been using OSSEC for a while now, but I always used only plain text logs. While this is not bad, it does not scale really well. I started looking into a way to do it right(tm). I knew OSSEC was compatible with MySQL, and since 2.7 had just been released, that gave me an excuse to play with it again.

You will need to enable MySQL in OSSEC (it is not enabled by default): grab the source, then do the following. Note that if you are upgrading an existing installation, you might want to save the registered client keys; the file to back up is /var/ossec/etc/client.keys.

cd ossec-hids-2.7/src
make setdb
cd ..
./install.sh

After you have completed the installation, you need to configure your MySQL server, I used the official documentation to do it. Here is my run down of it:

$ mysql -u root -p
mysql> create database ossec;
mysql> grant INSERT,SELECT,UPDATE,CREATE,DELETE,EXECUTE on ossec.* to ossecuser@<ossec ip>;
mysql> set password for ossecuser@<ossec ip>=PASSWORD('ossecpass');
mysql> flush privileges;
mysql> quit
mysql -u root -p ossec < ./src/os_dbd/mysql.schema

You just now need to edit /var/ossec/etc/ossec.conf and add a new section within the config:

<database_output>
    <hostname>127.0.0.1</hostname>
    <username>ossecuser</username>
    <password>xxxxxxx</password>
    <database>ossec</database>
    <type>mysql</type>
</database_output>

And at last, enable MySQL and restart the service:

/var/ossec/bin/ossec-control enable database
/var/ossec/bin/ossec-control restart

Analogi is a web interface replacement for ossec-wui, which is now very dated and produces too many false positives. To install Analogi, go to the main project page and clone it using git:

It is up to you to protect that folder on your web server, as exposing it is a security risk. I am using NGINX, so here is my setup:

location /ossec/analogi {
        auth_basic "Restricted Access";
        auth_basic_user_file htpasswd-file;
}

You then need to rename the config file and change the SQL information:

mv db_ossec.php.new db_ossec.php

You should now be able to see information gathered from the different clients, stored in MySQL and displayed by Analogi.


Source: www.frlinux.eu


