Refine your search:

Splunk for OSSEC - Splunk v4 version

2

Thanks For Downloading!

Review the documentation below and follow any custom installation steps. If no install steps are listed, most Splunk Apps and Add-ons can be installed as follows:

Windows: Decompress the downloaded file using a tool like 7-Zip and place the resulting folder into %PROGRAMFILES%\Splunk\etc\apps. Then restart Splunk using the splunk restart command or the GUI.

Unix/Linux: Decompress the downloaded file using a tool like tar -xvf and place the resulting folder into $SPLUNK_HOME/etc/apps. Then restart Splunk using the splunk restart command or the GUI.

Description

This package contains parsing logic, saved searches, and dashboards for monitoring the OSSEC Host-based Intrusion Detection System via Splunk. Support for managing agent keys via is also provided.

Please read the Installation section - the app WILL NOT WORK without configuration.

Overview

This package contains parsing logic, saved searches, and dashboards for monitoring the OSSEC Host-based Intrusion Detection System via Splunk.

Please read the Installation section below - the app will not work correctly without configuration.

Some functionality, primarily agent management, is not currently supported when Splunk is running on Windows.

Installation

To install, extract the .tgz archive in $SPLUNK_HOME/etc/apps

You may need to enable the appropriate inputs, either via inputs.conf, or through the Manager in the Splunk GUI.

The application maintains a list of all known OSSEC servers in a lookup table. When you first install, this list will be empty except for a wildcard ntry. You can wait until it is populated automatically, or run OSSEC - Rebuild OSSEC Server Lookup Table from the Searches & Reports -> Utility menu.

Upgrading

This version introduces a number of changes, particularly from version 1.0 (see the CHANGES file). The recommended procedure is to remove the old app before installing. Installing over top of older versions should (mostly) work, but may cause some problems.

Data Inputs

Sample input declarations are included with the application, but are disabled by default. These may be enabled either in inputs.conf, or via the Manager.

Several data input methods are available:

  1. Native syslog daemon, writing to flat files which are indexed by Splunk.
  2. Syslog-style input directly to Splunk
  3. Direct monitoring of OSSEC alert logs. Typically requires Splunk to be installed on the OSSEC server.
  4. Scripted input to periodically check the status of OSSEC agents by running ossec_agent_control -l, either locally or on a remote system.

For options (1) and (2), set the sourcetype to 'ossec'.
For option (3), set the sourcetype to 'ossec_alerts'.
For option (4), set the sourcetype to 'ossec_agent_control'.

Collection of OSSEC agent Operational Status:

To collect OSSEC agent status, you will need to be able run the agent_control command without a password.

For local OSSEC servers using the default path, this is configured by default. For non-standard install paths, you will need to edit ossec_servers.conf.

For remote execution, see below.

Managing Agent Keys from Splunk

To enable key management, you will need to be able to run the manage_agents command without a password. You will also need to be a member of either the Splunk Admin role or the OSSEC Admin role.

This feature is not enabled by default for security reasons. You can enable it by editing ossec_servers.conf.

For remote execution, see below.

Enabling Remote Execution

For remote agent status collection and remote management, you can use SSH and sudo to avoid password prompts.

The Splunk service account (root by default) will need to be able to log into the OSSEC server as a user with permissions to run the following commands without being prompted for a password:
agent_control -l
manage_agents

For more detailed instructions, consult Splunk Answers:
http://splunk-base.splunk.com/answers/42717/how-do-i-enable-remote-agent-management-in-splunk-for-ossec

Agent Coverage Tracking

At present, the agent coverage dashboard currently relies on agent status information from the agent_control command (see above). A Splunk Enterprise license is needed for the scheduled searches.

To use agent coverage tracking, you must populate a lookup table that tracks all hosts that should be monitored by OSSEC. By default, all hosts seen by Splunk in the last 30 days will be expected.

Edit the saved search OSSEC - Track Expected Hosts to configure your own list. For example, all servers or all members of a particular LDAP container.

Malware Alerting

Alerting on malware file hashes only works when Splunk is directly monitoring the ossec alerts log (Syslog-based logging does not include the hashes).

If you are using this method, you can configure your email address and enable the alert from the Manager.

The MD5 and SHA1 file hashes will be sent to a third party (Team Cymru) for validation.

No guarantees of accuracy are provided.

3rd-Party Components / Disclaimers

This app includes third-party components and/or interfaces with third-party services. See the 3rdparty directory for details.

OSSEC is a product of Daniel Cid and Trend Micro. The app author is not afilliated with Trend Micro.

Splunk for OSSEC neither supported nor endorsed by Trend Micro or the OSSEC developers. The author makes no warranties or
guarantees of any kind. Use is at your own risk.

Versions and Release Notes

Version 1.1.89 (current version - updated Mar 13, 2012)
release notes:
Version 1.1.89 --------------------------------------- - Fixed a bug in ossec_agent_status that could prevent agent status polling from working correctly in certain configurations. - Increased timeout on agent status polling from 5 to 30 seconds - Updated rule group lookup table with rules from latest OSSEC build on BitBucket. - Removed unused Intersplunk dependency from pyOSSEC to ease command-line testing.
show older versions »
Version 1.1.88 (updated Jun 17, 2011)
release notes:
Version 1.1.88 --------------------------------------- - Added indexing of ossec.log file when Splunk is installed on the OSSEC server. - Added saved search to re-initialize ossec server lookup table - Bugfixes / parsing improvements when working with local alerts file (when Splunk is installed directly on the OSSEC server) - Improved suppression of Windows event explanatory text when working with local alerts file (Splunk installed directly on OSSEC server)
Version 1.1.85 (updated Jun 12, 2011)
release notes:
Version 1.1.85 --------------------------------------- - Re-scoped Navigation menu to avoid clobbering menus in other app views. - Updated rule group lookup table with rules from OSSEC 2.6 beta - Modified rule group lookup generating script to accept rules directory as a parameter - Added indexing of Active Response logs when Splunk is installed on the OSSEC server - Fixed an issue in the Agent Management view that could cause the list of managed servers to appear empty. - Removed local.meta file that had accidentally slipped into the distribution. - Corrected CSS formatting in Agent Coverage view.
Version 1.1.85 (updated Jun 12, 2011)
release notes:
Version 1.1.85 --------------------------------------- - Re-scoped Navigation menu to avoid clobbering menus in other app views. - Updated rule group lookup table with rules from OSSEC 2.6 beta - Modified rule group lookup generating script to accept rules directory as a parameter - Added indexing of Active Response logs when Splunk is installed on the OSSEC server - Fixed an issue in the Agent Management view that could cause the list of managed servers to appear empty. - Removed local.meta file that had accidentally slipped into the distribution. - Corrected CSS formatting in Agent Coverage view.
Version 1.1.84 (updated Apr 05, 2011)
release notes:
Version 1.1.84 --------------------------------------- - Corrected stats calculation for Top 10 views - Added triggers entry in app.conf - Resolved a display error affecting File Integrity view with Splunk 4.2 - Added workflow action for VirusTotal hash lookups - Minor bugfixes
Version 1.1.81 (updated Feb 23, 2011)
release notes:
Version 1.1.81 --------------------------------------- - Fixed cron_schedule entry for lookup table generating search - Fixed startup warnings for Splunk 4.2
Version 1.1.80 (updated Feb 17, 2011)
release notes:
Version 1.1.80 --------------------------------------- - Improved error reporting in ossec_agent_status script.
Version 1.1.79 (updated Dec 15, 2010)
release notes:
Version 1.1.79 --------------------------------------- - Stripped out explanatory text on Microsoft-Windows-Security-Auditing events ("This event is generated when...") - Extracted EventCode, LogName, SourceName, and Type for Windows events
Version 1.1.77 (updated Oct 11, 2010)
release notes:
Version 1.1.77 --------------------------------------- - Added Event Renderer for high-severity events (modify the eventtype to tune threshold) - Better handling of agent management connection errors - Increased default timeouts on agent connection
Version 1.1.75 (updated Oct 07, 2010)
release notes:
Version 1.1.75 --------------------------------------- - Updated rule group lookup table to match OSSEC 2.5 ruleset - Increased results shown on agent management dashboard from 10 to 15 - Modified Event Search view to better handle events with no ossec_group. - Fixed issue with ossec_group field extraction when using ossec-alerts sourcetype. - Removed extra divider from Utilities nav menu - pyOSSEC cleanup and fixes: - Implemented support for disabling configuration stanzas - Normalized whitespace
Version 1.0.26 (updated Mar 01, 2010)

posted 01 Mar '10, 16:30

southeringtonp's gravatar image

southeringtonp ♦
4.5k1215
accept rate: 35%

new version 13 Mar, 18:25

4 Reviews:
0 ratings
oldestnewest

Appears to be an abandoned app as the author/maintainer no longer responds to issues. Was a great idea and I hope someone will pick it up or create another app to bring OSSEC data into Splunk.

comments (1)

reviewed 10 Jan, 06:52

phswartz's gravatar image

phswartz
11
accept rate: 0%

It is not abandoned, but I don't always notice if a question comes through Splunkbase. I'll respond to your other two posts separately.

(08 Feb, 08:37) southeringtonp ♦

Not sure if this is something I'm doing wrong, or just an oversight in the alert... but it seems that the "High-Severity Alert" saved search appears to be triggering on "INFO" messages as well. I have messages such as the following in our logs that are triggering the alert:

2011/07/01 12:47:50 ossec-syscheckd: INFO: Starting syscheck scan.

Just adding " NOT severity=INFO" to it seems to clear it up.

Thanks.

comments (0)

reviewed 01 Jul '11, 13:37

tmeader's gravatar image

tmeader
710111
accept rate: 12%

One more thing: For this to work on solaris 10, I had to set a link in usr/bin named "sudo", that points to our beloved "su" -> After that it worked fine. Cheers, Wolf

comments (0)

reviewed 30 May '11, 05:32

clownmachine's gravatar image

clownmachine
1
accept rate: 0%

Hi, just wanted to add my calculated hashes, since I couldn't find them anywhere (and it's always the first thing I look for): ossec-1.1.84.tgz sha1: bcf62f9335985c078a3096e34a5060aab92ae055bcf62f9335985c078a3096e34a5060aab92ae055 md5: 03d02bffc8125cdde254aae6155f03f803d02bffc8125cdde254aae6155f03f8

It worked, so I'm assuming, that the download was complete and uncorrupted. Cheers and thanks for all the fish, Wolf

comments (0)

reviewed 30 May '11, 04:53

clownmachine's gravatar image

clownmachine
1
accept rate: 0%

Your review

Did you find this app useful?

Preview toggle preview

Copyright © 2005-2012 Splunk, Inc. All rights reserved.