
List:       ossec-list
Subject:    Re: [ossec-list] OSSEC log analysis vs sending logs directly to OSSIM
From:       Eponymous - <the.epon () gmail ! com>
Date:       2016-09-22 16:58:18
Message-ID: 363b3883-399a-4051-957e-cdc13516cfd9 () googlegroups ! com

Thanks for your response Santiago!

So the target system is actually a pfSense router (FreeBSD 10.3 based) and 
the main problem I have is that the logs are not in plaintext format - they 
use a "clog" format instead which OSSEC can't read. The only workaround at 
the moment is to run a local Syslog server on the router and log everything 
to localhost to get the logs in plaintext - I hate the idea of this really :)

However, I do have the option of sending the logs via Syslog to the OSSIM 
server directly but this bypasses OSSEC. 

Your point about encryption and authentication is a good one but this won't 
be an issue for me as the link between the OSSIM server and OSSEC client is 
a physically separate, cabled interface used only for that purpose. I also 
don't need e-mail notifications or active response.

That being said, do I still lose something by *not* sending the logs to the 
OSSEC client first? In particular you mentioned: "detecting possible 
security issues, misconfigurations, errors". Are you saying that OSSIM is 
unable to give me the same functionality when sending the logs from the 
client directly to the server via Syslog?

Is it still worth the effort setting up the local Syslog workaround I 
mentioned above to be able to have the OSSEC client parse the local logs?

I appreciate your continued help.



On Wednesday, September 21, 2016 at 11:58:24 PM UTC+1, Santiago Bassett 
wrote:
> 
> Hi,
> 
> I would advise using OSSEC agents to collect system log data, since you 
> already have them there doing FIM and anomaly detection anyway. Also, 
> communications are authenticated and encrypted (as opposed to default 
> Syslog). 
> 
> Another advantage is that you pre-process them through OSSEC decoders and 
> rules (before they get to the OSSIM 
> correlation engine), detecting possible security issues, 
> misconfigurations, errors and so on. You can also trigger automatic emails and 
> use active responses (if you need them).
> 
> On the other hand, I don't see a lot of value in processing Snort logs 
> through OSSEC (unless you want to use active-responses or use CDBs for 
> white/black listing). I would advise sending them directly to OSSIM and 
> enabling the snort-syslog plugin (unless you decide to use embedded Suricata).
> 
> I hope that helps,
> 
> Santiago.
> 
> On Wed, Sep 21, 2016 at 2:13 PM, Eponymous - <the....@gmail.com> wrote:
> 
> > Hi,
> > 
> > I'm new to OSSEC and also OSSIM and I've just set up a very simple 
> > topology.
> > 
> > I've got OSSIM on one machine and a single FreeBSD based machine running 
> > OSSEC and Snort. I've added the agent in the Agents tab and I can see it 
> > connects fine.
> > 
> > I see OSSIM and OSSEC working together to schedule and run rootkit checks 
> > and syschecks, but I also know that OSSEC can parse the system logs and 
> > Snort logs looking for security issues. Currently, the OSSEC configuration 
> > is not set up to look at logs and other than manually editing the 
> > agent.conf I can't see any way to enable this functionality from OSSIM (I'm 
> > using the agent.conf deployment feature).
> > 
> > My question is:
> > 
> > Should the OSSEC agent parse the system logs and Snort logs and then 
> > send the relevant data to the OSSIM server, or should I set it up to send my 
> > logs directly to the OSSIM server using Syslog, bypassing the OSSEC agent 
> > altogether?
> > 
> > In each case what are the advantages and disadvantages? 
> > 
> > In my setup it would be simplest for the OSSEC agent to handle 
> > rootkit checking and syschecking only, with the system logs and Snort logs 
> > being sent directly to the OSSIM server using Syslog.
> > 
> > Thanks in advance.
> > 

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group. To unsubscribe from this group and stop receiving emails from it, 
send an email to ossec-list+unsubscribe@googlegroups.com. For more options, visit 
https://groups.google.com/d/optout.
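For reference, an example of the agent.conf fragment the thread refers to, added here and not taken from the thread or from the OSSEC project: it enables OSSEC log collection for the pfSense agent only, reading the plaintext files that the local syslog workaround writes. The agent name "pfsense-edge" and the /var/log/plain/ paths are assumed placeholders; the `<agent_config>` name attribute and `<localfile>` elements are standard OSSEC agent.conf syntax.

```xml
<!-- Example agent.conf fragment (added illustration, not from the thread).
     Assumes the pfSense box was registered on the manager as "pfsense-edge"
     and that the local syslog daemon writes plaintext copies under
     /var/log/plain/ (placeholder names). The name attribute restricts this
     block to that single agent, so other agents sharing agent.conf are
     unaffected. -->
<agent_config name="pfsense-edge">

  <!-- General system log, in plaintext syslog format -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/plain/system.log</location>
  </localfile>

  <!-- Firewall (pf) log lines, also syslog-formatted -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/plain/filter.log</location>
  </localfile>

</agent_config>
```

On the manager this lives in /var/ossec/etc/shared/agent.conf and is distributed to agents automatically; the agent typically needs a restart before it starts reading the new localfile entries.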

