Splunk Add-on for OSSEC: OSSEC & Splunk Integration?

test_qweqwe
Builder

Hi.

I'm trying this:
Splunk Add-on for OSSEC
Reporting and Management for OSSEC

Some logs are not parsing properly, and the log structure that is parsed has a lot of duplicated information in its fields.
I mean these logs do not give me great results for monitoring, and, to be honest, in 80% of cases I can get more useful information from the raw data than from the add-on's processed output.

And it seems to me that I need to somehow reconfigure the OSSEC conf
(but I have not found any information; the official Splunk docs have little information about it).

My question: if you can, give me more information about OSSEC & Splunk integration: some blogs, other implementations, tricks to monitor better with OSSEC.

Thanks!

0 Karma

test_qweqwe
Builder

I can send screenshots if you request them.
I did not do it before, because there is a lot of confidential information and I was too lazy to paint over it 😞

0 Karma

att35
Builder

Hi,

Can you give some details/examples of "logs not getting parsed properly"? We have the same combination you mentioned, and so far it has served well. The app "Reporting and Management for OSSEC" has some transforms/field extractions which we need for custom dashboards, whereas "Splunk Add-on for OSSEC" does a good job for CIM compatibility of OSSEC data, so we use both in different capacities.

Thanks,

~ Abhi

0 Karma

pfgrobler
New Member

Abhi,
are you passing in the same data twice, once via
"Splunk Add-on for OSSEC" and also via "Reporting and Management for OSSEC"?

0 Karma

pfgrobler
New Member

Do you feed the same data into Splunk twice?

Once into the ossec event type via syslog and the "Splunk Add-on for OSSEC",
and then a second time via "Reporting and Management for OSSEC"?

0 Karma

test_qweqwe
Builder

Example №3, a log that is not parsed:

Jan  4 14:56:14 172.16.9.25 Jan  4 14:55:22 %host_name% ossec: Alert Level: 7; Rule: 2932 - New Yum package installed.; Location: %host_name%->/var/log/messages; classification:  syslog,yum,config_changed,; Jan  4 14:55:21 srv25sec yum[23540]: Installed: kernel-3.10.0-693.11.1.el7.x86_64

This part is not parsed into a field:

Installed: kernel-3.10.0-693.11.1.el7.x86_64
0 Karma

test_qweqwe
Builder

Bump! Up!

0 Karma

pfgrobler
New Member

Have you had any success?

I'm experiencing a similar issue using "Splunk Add-on for OSSEC":
events are received by Splunk and some fields are extracted to the CIM, but fields like
src and src_user are not.

This causes a number of alerts/dashboards in Splunk ES to report the system and the user as unknown.

0 Karma

test_qweqwe
Builder

Also, did you use the log format "splunk"? It did not help me, but it changed the parsing of the logs a little.

<syslog_output>
  <server>10.0.0.1</server>
  <port>514</port>
  <format>splunk</format>
</syslog_output>

You can use: default, cef, splunk, json

0 Karma

test_qweqwe
Builder

Example №2, a log that is not parsed:

classification: syslog,attacks,; srcip: %ip% user: - ; 2017 Dec 07 13:03:16 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: %username% %dns_name% %host_name% An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-21-1877622112-2052110481-2879200121-1111 Account Name: %username% Account Domain: %dns_name% Logon ID: 0x9b1473a Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: NIZHYN Source Network Address: %ip% Source Port: 50149 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed.

It's in the body field, and there is useful information like %username%,

Microsoft-Windows-Security-Auditing: %username%

but it is not parsed into fields.

0 Karma

test_qweqwe
Builder

I need some time for it 🙂

Anyway, can you help with understanding some OSSEC logs such as:

Example №1, a log that is not parsed:

Jan  6 05:27:24 172.16.9.25 Jan  6 05:27:00 %hostname% ossec: Alert Level: 3; Rule: 516 - System Audit event.; Location: (%hostname%) %ip%->rootcheck; classification:  ossec,rootcheck,; System Audit: SSH Hardening - 9: Wrong Maximum number of authentication attempts {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 9 .
  • What other PCI DSS requirements does OSSEC monitor?
  • And what are "Reference: 9" and "Hardening - 9:"? What do they mean? Are they the same number?

Where can I get information about it, and what do I need to know? What must I know?
I need some shared experience, some advice if you can 🙂

0 Karma
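A parser for the OSSEC syslog alert lines quoted in this thread (examples №1 to №3), added here as an illustration; it is not code from the thread or from either Splunk app. It splits the fixed "Alert Level / Rule / Location / classification" header from the free-text body, then pulls the yum package, the rootcheck PCI DSS check and the Windows logon details out of the body, which is the part the add-on left unparsed. Hostnames, IPs, the user name and rule id 100001 in the sample lines are constructed placeholders.

```python
import re

# Constructed sample lines in the OSSEC syslog "default" format quoted in the thread; hosts,
# IPs, the user name and rule id 100001 (a local-rule placeholder) are not real data.
SAMPLE_ALERTS = [
    "Jan  4 14:56:14 172.16.9.25 Jan  4 14:55:22 srv-example ossec: Alert Level: 7; "
    "Rule: 2932 - New Yum package installed.; Location: srv-example->/var/log/messages; "
    "classification:  syslog,yum,config_changed,; Jan  4 14:55:21 srv-example yum[23540]: "
    "Installed: kernel-3.10.0-693.11.1.el7.x86_64",
    "Jan  6 05:27:24 172.16.9.25 Jan  6 05:27:00 srv-example ossec: Alert Level: 3; "
    "Rule: 516 - System Audit event.; Location: (srv-example) 10.0.0.5->rootcheck; "
    "classification:  ossec,rootcheck,; System Audit: SSH Hardening - 9: Wrong Maximum number "
    "of authentication attempts {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 9 .",
    "Dec  7 13:03:20 172.16.9.25 Dec  7 13:03:16 srv-example ossec: Alert Level: 3; "
    "Rule: 100001 - Windows Logon Success.; Location: (win-example) 10.0.0.9->WinEvtLog; "
    "classification: syslog,attacks,; srcip: 10.0.0.9; user: alice; 2017 Dec 07 13:03:16 "
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: alice EXAMPLE.LOCAL win-example An account was successfully logged on. Logon Type: 3",
]

# Fixed header: optional syslog-relay prefix, OSSEC timestamp/host, then ';'-separated fields;
# srcip/user are optional and their separator varies, so the body is whatever follows them.
ALERT_RE = re.compile(
    r"^(?:(?P<recv_ts>\w{3}\s+\d+ [\d:]+) (?P<relay>\S+) )?"
    r"(?P<alert_ts>\w{3}\s+\d+ [\d:]+) (?P<server>\S+) ossec: "
    r"Alert Level: (?P<level>\d+); Rule: (?P<rule_id>\d+) - (?P<rule_desc>.*?); "
    r"Location: (?P<location>.*?); classification:\s*(?P<classification>[^;]*); "
    r"(?:srcip: (?P<srcip>[^;\s]+);?\s*)?(?:user: (?P<user>[^;\s]+)\s*;\s*)?"
    r"(?P<body>.*)$"
)

# Body extractions for the three alert families in the thread (yum, rootcheck, WinEvtLog).
BODY_PATTERNS = [
    re.compile(r"yum\[\d+\]: (?P<action>Installed|Updated|Erased): (?P<package>\S+)"),
    re.compile(r"System Audit: (?P<check>.*?) \{PCI_DSS: (?P<pci_dss>[\d.]+)\}\. "
               r"File: (?P<file>\S+)\. Reference: (?P<reference>\d+)"),
    re.compile(r"AUDIT_(?:SUCCESS|FAILURE)\((?P<event_id>\d+)\):.*?Logon Type: (?P<logon_type>\d+)"),
]

def parse_alert(line):
    # Returns header fields plus any body fields, or None if the line is not an OSSEC alert.
    m = ALERT_RE.match(line)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    fields["level"], fields["rule_id"] = int(fields["level"]), int(fields["rule_id"])
    fields["classification"] = [c for c in fields["classification"].split(",") if c]
    for pat in BODY_PATTERNS:  # each family adds its own named groups to the result
        bm = pat.search(fields["body"])
        if bm:
            fields.update(bm.groupdict())
    return fields
```

The same named groups can be carried over into a Splunk `rex` search command or a transforms.conf extraction, with the body patterns as additional extractions on top of the add-on's header fields.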