Jul 21

splunk

I have just started working with Splunk a little bit, and one of the things I have tried is to hook it up to OSSEC. This, like most things these days, has proven to be interesting, to say the least. Actually, it's a very simple process; however, the documentation is abysmal at best, and I spent hours poring through different websites until I found the correct potion to get things actually working the way they are supposed to. I am documenting it here for future reference. I am currently running OSSEC v2.4.x and Splunk v4.1.4:

On splunk:

Install the OSSEC app into Splunk.

Then add a UDP data input that the OSSEC alerts will arrive on:

Splunk -> Manager -> Data inputs -> UDP -> New
UDP port: 10002
Set host: IP
Set source type: Manual
Source type: ossec
Save

Make sure UDP port 10002 on the Splunk host is actually reachable from the OSSEC server (host firewall included). UDP gives no error when the port is blocked; the alerts simply never show up.

On OSSEC:

vim /var/ossec/etc/ossec.conf
add, with <server> set to the Splunk host:
<syslog_output>
<server>172.25.3.3</server>
<port>10002</port>
</syslog_output>
This goes inside <ossec_config> at the top level, alongside the <global> block (it is not a child of <global>).

/var/ossec/bin/ossec-control enable client-syslog

service ossec restart

You should now start getting OSSEC alerts in Splunk!
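As an added example (not code from the post, from OSSEC or from Splunk), here is a loopback self-test of the path set up above. The sender stands in for ossec-csyslogd, which emits one syslog datagram per alert to the <server>/<port> from ossec.conf; the receiver stands in for Splunk's UDP data input. Running both on one host shows what crosses the wire, and running only the sender against the real Splunk host shows why "sent OK" proves nothing with UDP. The syslog facility/severity and the alert text are assumptions made for this example; the alert is constructed to resemble OSSEC csyslogd output and the real field layout may differ between versions.

```python
"""Loopback self-test for the OSSEC -> Splunk UDP syslog path (added example).

Not code from the original post, OSSEC or Splunk.  The PRI facility/severity
and the sample alert body are assumptions made for this example.
"""
import re
import socket

LOCAL0 = 16      # syslog facility used for the PRI here (an assumption)
NOTICE = 5       # syslog severity used for the PRI here (an assumption)

# Constructed sample alert body, shaped like OSSEC csyslogd output.
SAMPLE_ALERT = (
    "ossec: Alert Level: 3; Rule: 5501 - Login session opened.; "
    "Location: (web01) 10.0.0.12->/var/log/auth.log; user: root; "
    "Jan  1 10:00:00 web01 sshd[1234]: pam_unix(sshd:session): "
    "session opened for user root by (uid=0)"
)

# Tolerant of the two rule spellings seen in OSSEC syslog output:
# "Rule: N - desc;" and "Rule: N fired (desc);".
ALERT_RE = re.compile(
    r"Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule>\d+)(?: - | fired \()(?P<desc>.*?)\)?; "
    r"Location: (?P<location>[^;]*);"
)


def syslog_frame(message, facility=LOCAL0, severity=NOTICE):
    """Wrap a message in a classic (RFC 3164 style) syslog PRI header."""
    pri = facility * 8 + severity
    return ("<%d>%s" % (pri, message)).encode("utf-8")


def send_alert(frame, host, port):
    """Send one datagram the way a syslog client would.

    Returns the byte count sendto() reports.  With UDP that number says
    nothing about whether anything listened on the far end: a wrong port or
    a firewall drop looks identical to success from the sender's side.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(frame, (host, port))


def parse_alert(text):
    """Pull level, rule id, description and location out of an alert line."""
    m = ALERT_RE.search(text)
    if not m:
        return None
    return {
        "level": int(m.group("level")),
        "rule": int(m.group("rule")),
        "description": m.group("desc"),
        "location": m.group("location"),
    }


def loopback_selftest(message=SAMPLE_ALERT, timeout=2.0):
    """Bind a receiver on 127.0.0.1, send one alert to it, return what arrived.

    Returns the raw text, the PRI the receiver saw and the parsed fields,
    or {"received": None} if nothing arrived within the timeout.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))        # port 0: let the kernel pick
        listener.settimeout(timeout)
        port = listener.getsockname()[1]

        frame = syslog_frame(message)
        send_alert(frame, "127.0.0.1", port)

        try:
            data, _ = listener.recvfrom(65535)
        except socket.timeout:
            return {"received": None}

    text = data.decode("utf-8")
    pri_end = text.index(">")
    return {
        "received": text,
        "pri": int(text[1:pri_end]),
        "fields": parse_alert(text[pri_end + 1:]),
    }


if __name__ == "__main__":
    print(loopback_selftest())
```

To check the real hookup rather than the loopback, point send_alert() at the Splunk host and port 10002 and then search Splunk for sourcetype=ossec; if the datagram was sent but nothing is indexed, suspect the firewall or the UDP input rather than OSSEC, since the send cannot fail on a blocked port.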

Mar 15


Yessiree Bob.
OSSEC has released v2. Go and grab it now. One of the really exciting new features it's supposed to have is agentless monitoring. I can't wait to try that out!

Most of you know that I run OSSEC on a *lot* of systems. Almost every box I run at home and at work has OSSEC on it. What I can say about OSSEC is that it does the job as advertised. It is, simply put, the best open-source host-based intrusion detection system out there. Period. Any sysadmin worth his/her salt should be running this, if for nothing else, just so you can sleep at night :-)

Oct 21

Let me preface this by saying that if you are not running OSSEC on at least your external-facing machines, then you should be. It's great software!

The reason this post is here is for reference mostly and maybe to be able to help someone out later via their favorite search engine.

I have been getting a couple of errors reported lately through OSSEC emails that say: "insmod: Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters. You may find more information in syslog or the output from dmesg". That hint is only insmod's generic follow-up; the actual error is found in /var/log/messages and is "floppy.o: init_module: No such device". AHA! Well, it just so happens that these machines are servers *with no floppy*, so the driver probes for hardware that is not there. The fix to turn off the errors seems to be to add "alias floppy off" to /etc/modules.conf and then run "depmod -a".
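As an added example (not code from the post or from OSSEC), the following script does the same hunt over a log excerpt in the general case: it pulls every module that failed with "init_module: No such device" out of /var/log/messages text, deduplicates the repeats that show up on every boot or cron run, and emits only the "alias <module> off" lines that /etc/modules.conf does not already contain, so re-running the fix never duplicates entries. The log lines and the modules.conf excerpt are constructed for the example, mirroring the floppy message quoted above plus a second module to show the general case.

```python
"""Turn 'init_module: No such device' log noise into modules.conf aliases
(added example; not code from the original post or from OSSEC).

The log excerpt and modules.conf content below are constructed for this
example.
"""
import re

# A 2.4-era kernel logs "<module>.o: init_module: No such device" when a
# driver probes for hardware that is not present; the "insmod: Hint" text
# that OSSEC forwards is only insmod's generic follow-up line.
NO_DEVICE_RE = re.compile(
    r"\b(?P<module>[\w-]+)\.o: init_module: No such device"
)

# Existing "alias <name> off" lines in modules.conf, one per line.
ALIAS_RE = re.compile(r"^\s*alias\s+(?P<name>\S+)\s+off\s*$", re.M)

# Constructed /var/log/messages excerpt (two days, two modules).
SAMPLE_MESSAGES = """\
Oct 20 04:02:11 web01 modprobe: modprobe: Can't locate module sound-slot-0
Oct 20 04:02:13 web01 insmod: /lib/modules/2.4.21-4.ELsmp/kernel/drivers/block/floppy.o: init_module: No such device
Oct 20 04:02:13 web01 insmod: Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters. You may find more information in syslog or the output from dmesg
Oct 20 04:02:13 web01 insmod: /lib/modules/2.4.21-4.ELsmp/kernel/drivers/block/floppy.o: insmod floppy failed
Oct 21 04:02:09 web01 insmod: /lib/modules/2.4.21-4.ELsmp/kernel/drivers/block/floppy.o: init_module: No such device
Oct 21 04:02:10 web01 insmod: /lib/modules/2.4.21-4.ELsmp/kernel/drivers/net/eepro100.o: init_module: No such device
"""

# Constructed /etc/modules.conf: one of the two modules is already silenced.
SAMPLE_MODULES_CONF = """\
alias eth0 tg3
alias scsi_hostadapter aic7xxx
alias eepro100 off
"""


def missing_device_modules(log_text):
    """Distinct module names that failed with 'No such device', in the order
    first seen (the same module recurs at every boot or cron run)."""
    seen = []
    for m in NO_DEVICE_RE.finditer(log_text):
        name = m.group("module")
        if name not in seen:
            seen.append(name)
    return seen


def aliases_to_add(modules, modules_conf_text):
    """'alias <mod> off' lines not already present in modules.conf, so that
    applying the fix twice never duplicates an entry."""
    already_off = {m.group("name") for m in ALIAS_RE.finditer(modules_conf_text)}
    return ["alias %s off" % mod for mod in modules if mod not in already_off]


def fix_plan(log_text, modules_conf_text):
    """Lines to append to /etc/modules.conf before running 'depmod -a'."""
    return aliases_to_add(missing_device_modules(log_text), modules_conf_text)


if __name__ == "__main__":
    for line in fix_plan(SAMPLE_MESSAGES, SAMPLE_MODULES_CONF):
        print(line)
```

Feed it the real files (for example, `fix_plan(open("/var/log/messages").read(), open("/etc/modules.conf").read())`) and review the output before appending it; a module that failed once because of a genuine hardware fault would be silenced just the same as one for hardware you do not have.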
