Splunk + OSSEC Integration

The status of the next version of the OSSEC web interface is one of the more commonly asked questions on the mailing list and is currently #2 on the community requested feature list (http://ossec.uservoice.com).

While web interfaces are nice to have, many of us suffer from information island overload by having a dedicated web interface for each application. This is why I was stoked when the syslog output feature was announced last summer (http://www.ossec.net/dcid/?p=139) and officially added in version 1.6. Now I can incorporate OSSEC alerts into my SIM/SIEM or log management tool of choice, which not only eliminates the need for a dedicated OSSEC web interface but also allows for simplified incident analysis through aggregation and correlation.

In my environment, we chose Splunk based on its quick search and endless customization. Getting OSSEC alerts into Splunk is a breeze. Just grab the free license version of Splunk, install the Splunk for OSSEC app, and point the OSSEC syslog output to your Splunk server. BAM! Instant wui 0.4.

The Splunk-for-OSSEC application is a community project that was started by Elazar Broad and me. The initial goal of this application was to provide the same set of reports that can be obtained through ossec-reportd. From there we’ve also added several other useful features:

  1. Top rules last 24 hrs
  2. Top source IP last 24 hrs
  3. Top user last 24 hrs
  4. Bruteforce top source IP last 24 hrs
  5. OSSEC rules for last hour
  6. OSSEC alert levels for last 24 hrs
  7. IP Geolocation lookups
  8. whois lookups
  9. rDNS lookups
  10. web attack and bruteforce tags.

OSSEC and Splunk configuration instructions

More details are available on the OSSEC wiki.

  1. Inside ossec.conf add a syslog_output block specifying your Splunk system IP address and the port it is listening on:

<syslog_output>
<server>172.10.2.3</server>
<port>10002</port>
</syslog_output>

  2. Now you need to enable the syslog_output module and restart OSSEC:

# /var/ossec/bin/ossec-control enable client-syslog
# /var/ossec/bin/ossec-control restart

  3. On the Splunk side, add this stanza to inputs.conf (Splunk only honours comments on their own line, so the note about the IP address cannot sit on the stanza line):

$SPLUNK_HOME/etc/system/local/inputs.conf

# IP address of the OSSEC server; Splunk accepts datagrams on this input only from that host
[udp://172.10.2.4:10002]
disabled = false
sourcetype = ossec

By setting the sourcetype to ossec you’re ready to take advantage of the Splunk for OSSEC app, which can be found here: http://www.splunkbase.com/apps/All/Security/app:Splunk+for+OSSEC.

  4. Make sure you update any local or network firewalls that this communication is traversing and then restart Splunk.

# $SPLUNK_HOME/bin/splunk restart
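To see what actually arrives on that UDP input once the four steps are done, here is an added example (not code from this post or from the Splunk-for-OSSEC app): a small Python parser for OSSEC syslog-output alert lines that then builds the same kind of "top rules", "top source IP" and brute-force summaries the app reports. The line layout is assumed from OSSEC's default client-syslog format, and the sample datagrams are constructed.

```python
import re
from collections import Counter

# Assumed layout of an OSSEC client-syslog datagram (the post does not show one;
# this follows OSSEC's default "Alert Level: ...; Rule: ...; Location: ...;" format):
#   <PRI>Mon DD HH:MM:SS host ossec: Alert Level: N; Rule: ID - DESC; Location: LOC;
#       [ srcip: IP;][ user: NAME;] <original log line>
ALERT_RE = re.compile(
    r"^<\d+>\S+ +\d+ [\d:]+ \S+ ossec: Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule>\d+) - (?P<desc>[^;]*); Location: (?P<location>[^;]*);"
    r"(?: srcip: (?P<srcip>[^;]*);)?(?: user: (?P<user>[^;]*);)? ?(?P<log>.*)$"
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an OSSEC alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["level"] = int(fields["level"])
    fields["rule"] = int(fields["rule"])
    return fields

def summarize(lines, bruteforce_min=3):
    """Build 'top rules', 'top source IP' and brute-force views from raw syslog lines."""
    alerts = [a for a in map(parse_alert, lines) if a]
    top_rules = Counter(a["rule"] for a in alerts)
    top_srcip = Counter(a["srcip"] for a in alerts if a["srcip"])
    # Brute force here means repeated authentication-failure alerts from one source IP
    failures = Counter(a["srcip"] for a in alerts
                       if a["srcip"] and "authentication failed" in a["desc"].lower())
    bruteforce = {ip: n for ip, n in failures.items() if n >= bruteforce_min}
    return {"alerts": len(alerts), "top_rules": top_rules,
            "top_srcip": top_srcip, "bruteforce": bruteforce}

# Constructed sample datagrams, as the Splunk UDP input would receive them
H = "<132>Mar  4 10:15:0{} ossec-server ossec: "
SAMPLE_LINES = [
    H.format(1) + "Alert Level: 5; Rule: 5716 - SSHD authentication failed.; Location: (web01) 10.0.0.5->/var/log/auth.log; srcip: 203.0.113.9; user: admin; Mar  4 10:15:00 web01 sshd[2211]: Failed password for admin from 203.0.113.9 port 40122 ssh2",
    H.format(2) + "Alert Level: 5; Rule: 5716 - SSHD authentication failed.; Location: (web01) 10.0.0.5->/var/log/auth.log; srcip: 203.0.113.9; user: root; Mar  4 10:15:01 web01 sshd[2213]: Failed password for root from 203.0.113.9 port 40130 ssh2",
    H.format(3) + "Alert Level: 5; Rule: 5716 - SSHD authentication failed.; Location: (web01) 10.0.0.5->/var/log/auth.log; srcip: 203.0.113.9; user: admin; Mar  4 10:15:02 web01 sshd[2215]: Failed password for admin from 203.0.113.9 port 40138 ssh2",
    H.format(4) + "Alert Level: 5; Rule: 5716 - SSHD authentication failed.; Location: (web01) 10.0.0.5->/var/log/auth.log; srcip: 198.51.100.7; user: test; Mar  4 10:15:03 web01 sshd[2218]: Failed password for test from 198.51.100.7 port 51002 ssh2",
    H.format(5) + "Alert Level: 3; Rule: 5715 - SSHD authentication success.; Location: (web01) 10.0.0.5->/var/log/auth.log; srcip: 10.0.0.20; user: jdoe; Mar  4 10:15:04 web01 sshd[2220]: Accepted publickey for jdoe from 10.0.0.20 port 33310 ssh2",
    H.format(6) + "Alert Level: 3; Rule: 5402 - Successful sudo to ROOT executed; Location: (web01) 10.0.0.5->/var/log/auth.log; user: jdoe; Mar  4 10:15:05 web01 sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/bash",
    "<13>Mar  4 10:16:00 web01 CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)",  # not an OSSEC alert
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    print(report["top_rules"].most_common(3), report["top_srcip"].most_common(3), report["bruteforce"])
```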

Splunk:
http://www.splunk.com/download

Splunk-for-OSSEC:
http://www.splunkbase.com/apps/All/Security/app:Splunk+for+OSSEC#
