Hi.
I'm trying this:
Splunk Add-on for OSSEC
Reporting and Management for OSSEC
Some logs are not parsing properly, and the log structure that does get parsed has a lot of duplicated information in the fields.
I mean these logs do not give me great results for monitoring and can only be trusted about 80%; I can get more useful information from the raw data than from the add-on's processed output.
And it seems to me that I need to somehow reconfigure the OSSEC conf.
(But I haven't found any information on it; the official Splunk docs have little information about it.)
My question: if you can, give me more information about OSSEC & Splunk integration, some blogs, other implementations, tricks to monitor better with OSSEC.
Thanks!
I can send screenshots if you request them.
I haven't done that before, because there is a lot of confidential information and I was too lazy to paint over it 😞
Hi,
Can you give some details/examples on "logs not getting parsed properly" ? We have the same combination you mentioned and so far it has served well. The app "Reporting and Management for OSSEC" has some transforms/field extractions which we need for custom dashboards, whereas "Splunk add-on for OSSEC" does a good job for CIM compatibility of OSSEC data, so we use both in different capacity.
Thanks,
~ Abhi
Abhi
Are you passing in the same data twice, once via
"Splunk Add-on for OSSEC" and also via "Reporting and Management for OSSEC"?
Do you feed the same data into Splunk twice?
Once into the ossec event type via syslog and the "Splunk Add-on for OSSEC",
and then a second time via "Reporting and Management for OSSEC"?
For example, №3, a log that is not parsed:
Jan 4 14:56:14 172.16.9.25 Jan 4 14:55:22 %host_name% ossec: Alert Level: 7; Rule: 2932 - New Yum package installed.; Location: %host_name%->/var/log/messages; classification: syslog,yum,config_changed,; Jan 4 14:55:21 srv25sec yum[23540]: Installed: kernel-3.10.0-693.11.1.el7.x86_64
This part is not parsed into a field:
Installed: kernel-3.10.0-693.11.1.el7.x86_64
Bump! Up!
Have you had any success?
I'm experiencing a similar issue using "Splunk Add-on for OSSEC":
events are received by Splunk and some fields are extracted to the CIM, but fields like
src and src_user are not.
This causes a number of alerts/dashboards in Splunk ES to report the system and the user as unknown.
Also, did you use the log format "splunk"? It didn't help me, but it changed the parsing of the logs a little.
<syslog_output>
  <server>10.0.0.1</server>
  <port>514</port>
  <format>splunk</format>
</syslog_output>
You can use: default, cef, splunk, json
For example, №2, a log that is not parsed:
classification: syslog,attacks,; srcip: %ip% user: - ; 2017 Dec 07 13:03:16 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: %username% %dns_name% %host_name% An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-21-1877622112-2052110481-2879200121-1111 Account Name: %username% Account Domain: %dns_name% Logon ID: 0x9b1473a Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: NIZHYN Source Network Address: %ip% Source Port: 50149 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed.
It's in the field body,
and there is useful information like %username%,
Microsoft-Windows-Security-Auditing: %username%
but it is not parsed into fields.
I need some time for it 🙂
Anyway, can you help with understanding some OSSEC logs, such as:
How to see all possible signatures?
Because I can only do it with stats count by signature,
and that's not okay.
Where can I get information about the Alert Level?
Is it this: https://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/rule-levels.html ?
For example, №1, a log that is not parsed:
Jan 6 05:27:24 172.16.9.25 Jan 6 05:27:00 %hostname% ossec: Alert Level: 3; Rule: 516 - System Audit event.; Location: (%hostname%) %ip%->rootcheck; classification: ossec,rootcheck,; System Audit: SSH Hardening - 9: Wrong Maximum number of authentication attempts {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 9 .
PCI DSS requirements monitoring with OSSEC? "Reference: 9"
and "Hardening - 9:":
what do they mean? Are they the same, i.e. the same number? Where can I get information about it, and what do I need to know? What must I have,
and what do I need to know?
I need some shared experience, some advice if you can 🙂
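The three alert lines quoted in this thread (examples №1, №2 and №3) all share the same OSSEC syslog_output envelope ("Alert Level: ...; Rule: ... - ...; Location: ...; classification: ...;"), and the part the add-on leaves in body is the original log that follows the classification. Below is an added Python example, not code from OSSEC, from either Splunk app or from any poster here, that parses that envelope and then pulls the fields the posters were missing out of the trailing log: the installed package for the yum alert, the check number, PCI_DSS tag, file and Reference for the rootcheck alert, and the event id, src and src_user for the Windows 4624 alert. The sample lines are constructed from the thread's examples with the %placeholder% values replaced by made-up hostnames, IPs and user names; the Windows alert's level and rule id are assumptions, because the thread quotes only the tail of that alert, and the "srcip: X user: - ;" spacing follows the quoted text.

```python
"""Parse OSSEC syslog_output alerts (default format) into fields.

Added example for this thread, not code from OSSEC or either Splunk app.
Sample lines are constructed from the alerts quoted above (placeholders made up).
"""
import re
from typing import Optional

# Stage 1: the OSSEC alert envelope. What follows the classification (and the
# optional srcip/user pair) is the original log OSSEC matched, i.e. the part
# the thread reports as landing unparsed in "body".
ALERT_RE = re.compile(
    r"(?P<host>\S+) ossec: Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule_id>\d+) - (?P<rule_desc>.*?); "
    r"Location: (?P<location>.*?); "
    r"classification: (?P<classification>[^;]*);"
    r"(?:\s*srcip:\s*(?P<srcip>[^\s;]+);?)?"   # "srcip: X;" or "srcip: X user: ..."
    r"(?:\s*user:\s*(?P<user>[^\s;]+)\s*;?)?"  # "-" means OSSEC found no user
    r"\s*(?P<log>.*)$"
)

# Stage 2: per-source extractors for the trailing log.
YUM_RE = re.compile(r"yum\[\d+\]: (?P<action>Installed|Updated|Erased): (?P<package>\S+)")
ROOTCHECK_RE = re.compile(
    r"System Audit: (?P<check>.*?) - (?P<check_id>\d+): (?P<finding>.*?)"
    r"(?: \{(?P<tags>[^}]*)\})?\. File: (?P<file>\S+)\."
    r"(?: Reference: (?P<reference>\S+) ?\.)?"
)
WIN_EVENT_RE = re.compile(r"WinEvtLog: (?P<channel>\w+): (?P<audit>AUDIT_\w+)\((?P<event_id>\d+)\)")
# 4624 carries two "Account Name" pairs; the logged-on user is the "New Logon" one.
WIN_NEW_LOGON_RE = re.compile(
    r"New Logon:.*?Account Name:\s*(?P<src_user>\S+)\s+Account Domain:\s*(?P<src_domain>\S+)")
WIN_SRC_RE = re.compile(r"Source Network Address:\s*(?P<src>\S+)")
WIN_LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(?P<logon_type>\d+)")


def _extract_log_fields(groups: list, log: str) -> dict:
    """Pull source-specific fields out of the original log OSSEC forwarded."""
    if "rootcheck" in groups:
        regexes = (ROOTCHECK_RE,)
    elif "yum" in groups:
        regexes = (YUM_RE,)
    elif "WinEvtLog:" in log:
        regexes = (WIN_EVENT_RE, WIN_NEW_LOGON_RE, WIN_SRC_RE, WIN_LOGON_TYPE_RE)
    else:
        regexes = ()
    out = {}
    for m in (r.search(log) for r in regexes):
        if m:
            out.update({k: v for k, v in m.groupdict().items() if v is not None})
    return out


def parse_alert(line: str) -> Optional[dict]:
    """Return a dict of fields for an OSSEC syslog alert, or None for other lines."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    f = {k: v for k, v in m.groupdict().items() if v is not None}
    f["level"] = int(f["level"])
    f["rule_id"] = int(f["rule_id"])
    f["classification"] = [g for g in f["classification"].split(",") if g]  # drop trailing ","
    # Envelope srcip/user map straight onto CIM-style src/src_user when present.
    if "srcip" in f:
        f["src"] = f["srcip"]
    if f.get("user", "-") != "-":
        f["src_user"] = f["user"]
    f.update(_extract_log_fields(f["classification"], f["log"]))
    return f


# Constructed sample alerts modelled on examples №3, №1 and №2 from the thread.
YUM_LINE = (
    "Jan 4 14:56:14 172.16.9.25 Jan 4 14:55:22 srv25sec ossec: Alert Level: 7; "
    "Rule: 2932 - New Yum package installed.; Location: srv25sec->/var/log/messages; "
    "classification: syslog,yum,config_changed,; "
    "Jan 4 14:55:21 srv25sec yum[23540]: Installed: kernel-3.10.0-693.11.1.el7.x86_64"
)
ROOTCHECK_LINE = (
    "Jan 6 05:27:24 172.16.9.25 Jan 6 05:27:00 srv25sec ossec: Alert Level: 3; "
    "Rule: 516 - System Audit event.; Location: (srv25sec) 172.16.9.30->rootcheck; "
    "classification: ossec,rootcheck,; System Audit: SSH Hardening - 9: Wrong Maximum "
    "number of authentication attempts {PCI_DSS: 2.2.4}. File: /etc/ssh/sshd_config. Reference: 9 ."
)
WIN_LINE = (  # level and rule id are assumed; the thread quotes only the tail of this alert
    "Dec 7 13:03:20 172.16.9.25 Dec 7 13:03:16 dc01 ossec: Alert Level: 3; "
    "Rule: 18107 - Windows Logon Success.; Location: (dc01) 172.16.9.40->WinEvtLog; "
    "classification: syslog,attacks,; srcip: 172.16.9.77 user: - ; 2017 Dec 07 13:03:16 "
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: jdoe "
    "corp.example dc01 An account was successfully logged on. Subject: Security ID: S-1-0-0 "
    "Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: "
    "S-1-5-21-1877622112-2052110481-2879200121-1111 Account Name: jdoe Account Domain: "
    "corp.example Logon ID: 0x9b1473a Network Information: Workstation Name: NIZHYN "
    "Source Network Address: 172.16.9.77 Source Port: 50149"
)

if __name__ == "__main__":
    for line in (YUM_LINE, ROOTCHECK_LINE, WIN_LINE):
        print(parse_alert(line))
```

The stage-1 regex is the same for every alert and is roughly what the add-on already extracts; the stage-2 regexes are the part that has to be written per log source, and they are what decides whether src and src_user get populated for Splunk ES. Because Splunk's extraction engine is PCRE-compatible, the same named-group patterns can be moved into transforms.conf as field extractions against the body field once they have been checked against real events with this script.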