
Splunk Add-on for OSSEC: OSSEC & Splunk Integration?

test_qweqwe
Builder

Hi.

I'm trying this:
Splunk Add-on for OSSEC
Reporting and Management for OSSEC

Some logs are not parsing properly, and the log structure that does get parsed has a lot of duplicated information in its fields.
I mean these logs do not give me super results for monitoring and are not to be trusted beyond 80%; I can get more useful information from the raw data than from the processed add-on output.

And it seems to me that I need to somehow reconfigure the OSSEC conf.
(But I have not found any information about it; the official Splunk docs have little information on it.)

My question: if you can, give me more information about OSSEC & Splunk integration: some blogs, other implementations, tricks to monitor better with OSSEC.

Thanks!

0 Karma

test_qweqwe
Builder

I can send screenshots if you request them.
I have not done it before, because there is a lot of confidential information and I was too lazy to paint over it 😞

0 Karma

att35
Builder

Hi,

Can you give some details/examples of "logs not getting parsed properly"? We have the same combination you mentioned and so far it has served us well. The app "Reporting and Management for OSSEC" has some transforms/field extractions which we need for custom dashboards, whereas "Splunk Add-on for OSSEC" does a good job of CIM compatibility for OSSEC data, so we use both in different capacities.

Thanks,

~ Abhi

0 Karma

pfgrobler
New Member

Abhi,
Are you passing in the same data twice, once via
"Splunk Add-on for OSSEC" and also via "Reporting and Management for OSSEC"?

0 Karma

pfgrobler
New Member

Do you feed the same data into Splunk twice?

Once into the ossec event type via syslog and the "Splunk Add-on for OSSEC",
and then a second time via "Reporting and Management for OSSEC"?

0 Karma

test_qweqwe
Builder

For example №3, a log that is not parsed:

Jan  4 14:56:14 172.16.9.25 Jan  4 14:55:22 %host_name% ossec: Alert Level: 7; Rule: 2932 - New Yum package installed.; Location: %host_name%->/var/log/messages; classification:  syslog,yum,config_changed,; Jan  4 14:55:21 srv25sec yum[23540]: Installed: kernel-3.10.0-693.11.1.el7.x86_64

This part is not parsed into a field:

Installed: kernel-3.10.0-693.11.1.el7.x86_64

0 Karma

test_qweqwe
Builder

Bump! Up!

0 Karma

pfgrobler
New Member

Have you had any success?

I'm experiencing a similar issue using "Splunk Add-on for OSSEC":
events are received by Splunk and some fields are extracted to the CIM, but fields like
src and src_user are not.

This causes a number of alerts/dashboards in Splunk ES to report the system and the user as unknown.

0 Karma

test_qweqwe
Builder

Also, did you use the "splunk" log format? It did not help me, but it changed the parsing of the logs a little.

<syslog_output>
  <server>10.0.0.1</server>
  <port>514</port>
  <format>splunk</format>
</syslog_output>

You can use: default, cef, splunk, json

0 Karma

test_qweqwe
Builder

For example №2, a log that is not parsed:

classification: syslog,attacks,; srcip: %ip% user: - ; 2017 Dec 07 13:03:16 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: %username% %dns_name% %host_name% An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-21-1877622112-2052110481-2879200121-1111 Account Name: %username% Account Domain: %dns_name% Logon ID: 0x9b1473a Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: NIZHYN Source Network Address: %ip% Source Port: 50149 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed.

It's the field "body", and there is useful information in it like %username%,

Microsoft-Windows-Security-Auditing: %username%

but it is not parsed into fields.

0 Karma

test_qweqwe
Builder

I need some time for it 🙂

Anyway, can you help with understanding some OSSEC logs such as this one?

For example №1, a log that is not parsed:

Jan  6 05:27:24 172.16.9.25 Jan  6 05:27:00 %hostname% ossec: Alert Level: 3; Rule: 516 - System Audit event.; Location: (%hostname%) %ip%->rootcheck; classification:  ossec,rootcheck,; System Audit: SSH Hardening - 9: Wrong Maximum number of authentication attempts {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 9 .
  • What other PCI DSS requirements does OSSEC monitor?
  • And what are "Reference: 9" and "Hardening - 9:"? What do they mean? Are they the same thing, i.e. a number?

Where can I get information about it, and what do I need to know?
I need someone to share their experience, some advice if you can 🙂

0 Karma
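The three alerts quoted in this thread all share the same OSSEC syslog header ("Alert Level: N; Rule: id - description; Location: ...; classification: ...;") followed by a free-form body, and it is the body that the add-on leaves unparsed (the yum "Installed:" package, the WinEvtLog account name and source address, the rootcheck file and PCI DSS reference). The following Python script is an added example, not code from the Splunk Add-on for OSSEC or from "Reporting and Management for OSSEC"; it extracts the header fields and then applies body-specific patterns to the three sample lines from the thread. The samples keep the %placeholder% values as posted; the WinEvtLog line was only quoted from "classification:" onward, so its header (rule id 0, a placeholder description, a constructed timestamp) is made up for the example and labelled as such.

```python
"""Field extractor for OSSEC syslog alerts (illustration for this thread; not
the add-on's own extraction logic).  Assumes the OSSEC 'default' syslog output
format shown in the quoted alerts."""
import re

# Common header of every OSSEC syslog alert.  The 'srcip ... user ...' segment is
# optional: OSSEC only emits it for rules that populate those fields.
HEADER_RE = re.compile(
    r"ossec: Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule_id>\d+) - (?P<rule_desc>.*?); "
    r"Location: (?P<location>.*?); "
    r"classification:\s*(?P<classification>[^;]*);\s*"
    r"(?:srcip: (?P<srcip>\S+) user: (?P<user>\S+) ;\s*)?"
    r"(?P<body>.*)$"
)

# Body patterns; every one is tried and whichever matches contributes fields.
BODY_RES = [
    # yum package change, e.g. "yum[23540]: Installed: kernel-..."
    re.compile(r"yum\[\d+\]: (?P<action>\w+): (?P<package>\S+)"),
    # rootcheck system audit with PCI DSS tag, file and reference number
    re.compile(
        r"System Audit: (?P<check>.*?) \{PCI_DSS: (?P<pci_dss>[\d.]+)\}\. "
        r"File: (?P<file>\S+)\. Reference: (?P<reference>\d+)"
    ),
    # Windows event header: channel, outcome and event id
    re.compile(r"WinEvtLog: (?P<channel>\w+): (?P<outcome>\w+)\((?P<event_id>\d+)\)"),
    re.compile(r"Logon Type: (?P<logon_type>\d+)"),
    # the 'New Logon' account is the one that logged on (CIM src_user)
    re.compile(r"New Logon: Security ID: \S+ Account Name: (?P<src_user>\S+) "
               r"Account Domain: (?P<src_domain>\S+)"),
    re.compile(r"Workstation Name: (?P<workstation>\S+)"),
    re.compile(r"Source Network Address: (?P<src>\S+)"),
]

# Sample lines from the thread (placeholders kept as posted).
SAMPLES = {
    "yum": (
        "Jan  4 14:56:14 172.16.9.25 Jan  4 14:55:22 %host_name% ossec: Alert Level: 7; "
        "Rule: 2932 - New Yum package installed.; Location: %host_name%->/var/log/messages; "
        "classification:  syslog,yum,config_changed,; Jan  4 14:55:21 srv25sec yum[23540]: "
        "Installed: kernel-3.10.0-693.11.1.el7.x86_64"
    ),
    "rootcheck": (
        "Jan  6 05:27:24 172.16.9.25 Jan  6 05:27:00 %hostname% ossec: Alert Level: 3; "
        "Rule: 516 - System Audit event.; Location: (%hostname%) %ip%->rootcheck; "
        "classification:  ossec,rootcheck,; System Audit: SSH Hardening - 9: Wrong Maximum "
        "number of authentication attempts {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. "
        "Reference: 9 ."
    ),
    # CONSTRUCTED header (the post quoted this alert only from 'classification:' on).
    "winevtlog": (
        "Jan  1 00:00:00 %ip% ossec: Alert Level: 3; "
        "Rule: 0 - PLACEHOLDER rule description (not quoted in the thread).; "
        "Location: (%host_name%) %ip%->WinEvtLog; "
        "classification: syslog,attacks,; srcip: %ip% user: - ; 2017 Dec 07 13:03:16 "
        "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
        "%username% %dns_name% %host_name% An account was successfully logged on. Subject: "
        "Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 "
        "New Logon: Security ID: S-1-5-21-1877622112-2052110481-2879200121-1111 Account Name: "
        "%username% Account Domain: %dns_name% Logon ID: 0x9b1473a Process Information: "
        "Process ID: 0x0 Process Name: - Network Information: Workstation Name: NIZHYN "
        "Source Network Address: %ip% Source Port: 50149 Detailed Authentication Information: "
        "Logon Process: NtLmSsp Authentication Package: NTLM"
    ),
}


def parse_alert(line):
    """Return a dict of extracted fields, or None if the line is not an OSSEC alert."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    fields["level"] = int(fields["level"])
    fields["rule_id"] = int(fields["rule_id"])
    # "syslog,yum,config_changed," -> list without the trailing empty element
    fields["classification"] = [t for t in fields["classification"].split(",") if t]
    # OSSEC writes '-' for an unknown user; only promote real values to src_user
    if fields.get("user") not in (None, "-"):
        fields.setdefault("src_user", fields["user"])
    for rx in BODY_RES:
        bm = rx.search(fields["body"])
        if bm:
            fields.update(bm.groupdict())
    return fields


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, {k: v for k, v in parse_alert(line).items() if k != "body"})
```

The same regexes can be carried over into a Splunk `rex` search command or a `transforms.conf` stanza; the value of running them in a script first is that you can see exactly which body pattern fires for which classification before touching the add-on's extractions.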