OSSEC Log Mangement With Elasticsearch

8/10/2019 OSSEC Log Mangement With Elasticsearch

1/24

1

Vic Hargrave | [email protected] | @vichargrave

OSSEC Log Management with Elasticsearch


2/24

$ whoami

2

Software Architect for Tren Micro !ata Anal"tics #ro%

&logger for Tren Micro Secrit" 'ntelligence an Sim%l"Secrit"

Email( [email protected]

)e*site( vichargrave.com Twitter( @vichargrave

Lin+e'n( www.lin+ein.com,in,vichargrave


3/24

OSSEC oes S'EMs

3

commercial or

open source

SIEM

Syslog

Syslog

Syslog

syslog


4/24

4

Commercial S'EMs are great- *t

=+commercial

SIEM


5/24

5

/ow there0s a whole new1o%en2sorce3 *allgame

Logstash Kibana


6/24

OSSEC Log Management with Elasticsearch


7/24

Elasticsearch

O%en sorce- istri*te- fll te4t search engine

&ase on A%ache Lcene

Stores ata as strctre 5SO/ ocments

S%%orts single s"stem or mlti2noe clsters

Eas" to set % an scale 6 7st a more noes

8rovies a 9ESTfl A8'

'nstalls with 98M or !E& %ac+ages an is controllewith a service scri%t.

!


8/24

Elasticseach Elements

'ne4 6 contains ocments- table

!ocment 6 contains fiels- row

:iel 6 contains string- integer- 5SO/ o*7ect- etc.

Shar 6 smaller ivisions of ata that can *e store

across noes 9e%lica 6 co%" of the %rimar" shar

"


9/24

Elasticsearch Mlti2noe Configration

#

# default configuration file - /etc/elasticsearch/elasticsearch.yml

######################### Cluster #########################

# Cluster name identifies your cluster for auto-discovery#cluster.name:ossec-mgmt-cluster

########################## Node ###########################

# Node names are generated dynamically on startup, so you're relieved# from configuring them manually. You can tie this node to a specific name:#node.name:"es-node-" # e.g. !lasticsearch nodes numered N

########################## $aths ##########################

# $ath to directory %here to store inde& data allocated for this node.#path.data:/data/, /data/


10/24

Logstash

Log aggregator an %arser

S%%orts transferring %arse ata irectl" toElasticsearch

Controlle *" a configration file that s%ecifies in%t-filtering 1%arsing3 an ot%t

;e" to aa%ting Elasticsearch to other log formats

9n logstash in logstash home irector" as follows(

in/logstash conf (logstash config file)

1$


11/24

11

input *# stdin*+ udp * port ) type ) "syslog" ++filter * if type0 "syslog" * gro1 *

# 2!! N!34 2567! + mutate * remove8field ) "syslog8hostname", "syslog8message", "syslog8pid", "message", "9version", "type", "host" 0 + ++

output *# stdout *# codec ) ruydeug# + elasticsearch8http * host ) "..." ++

OSSEC 6 logstash.conf


12/24

OSSEC Alert 8arsing

OSSEC s"slog alert

gro+ < =

12

an ; :


13/24

;i*ana

#eneral %r%ose >er" ?'

5avascri%t im%lementation

er" Elasticsearch withot coing

'ncles man" wigets

9n ;i*ana in *rowser as follows(

http://(%e server ip):(port)/(1iana path)

13


14/24

;i*ana 6 config.7s

14

/MM 9scratch /configuration/config.s/A M elasticsearch M M 4he E@5 to your elasticsearch server. You almost certainly don't M %ant Ohttp://localhost:BO here. !ven if Piana and !lasticsearchM are on the same host. Qy default this %ill attempt to reach !2 at theM same host you have 1iana installed on. You proaly %ant to set it toM the RS7N of your elasticsearch host

M/elasticsearch: http://O"(elasticsearch node 6$)"O":B",


15/24

15


16/24

1


17/24

Elasticsearch Clster Management

1!

ElasticH

Elasticsearch %lg2in

'nstall from Elasticsearch home irector"(

in/plugin -install royrusso/elasticsearch-IS

8rovies clster an noe management metrics ancontrols


18/24

1"


19/24

1#


20/24

2$

And now forsomethingcompletely dierent.

The OSSEC virtualappliance


21/24

21

&ac+ to 9ealit"

Free


22/24

!esigne to wor+ in a trste environment

/o *ilt in secrit"

Eas" to erase all the ata

?se with a %ro4" that %rovies athentication anre>est filtering sch as /gin4 htt%(,,wi+i.ngin4.org,Main

Elasticsearch Secrit" Caveats

22

curl 37!5!4! http://(server):B/8all
http://wiki.nginx.org/Mainhttp://wiki.nginx.org/Mainhttp://wiki.nginx.org/Mainhttp://wiki.nginx.org/Main


23/24

:rther 'nformation

Elasticsearch htt%(,,www.elasticsearch.org

Logstash htt%(,,logstash.net

;i*ana htt%(,,www.elasticsearch.org,overview,+i*ana,

ElasticH htt%(,,elastich>.org

Elasticsearch for Logging htt%(,,vichargrave.com,ossec2log2management2with2elasticsearch,

htt%(,,egeofsanit".net,article,B,,D,elasticsearch2for2logging.html

23
http://www.elasticsearch.org/http://logstash.net/http://www.elasticsearch.org/overview/kibana/http://elastichq.org/http://vichargrave.com/ossec-log-management-with-elasticsearch/http://edgeofsanity.net/article/2012/12/26/elasticsearch-for-logging.htmlhttp://edgeofsanity.net/article/2012/12/26/elasticsearch-for-logging.htmlhttp://edgeofsanity.net/article/2012/12/26/elasticsearch-for-logging.htmlhttp://vichargrave.com/ossec-log-management-with-elasticsearch/http://vichargrave.com/ossec-log-management-with-elasticsearch/http://vichargrave.com/ossec-log-management-with-elasticsearch/http://elastichq.org/http://www.elasticsearch.org/overview/kibana/http://www.elasticsearch.org/overview/kibana/http://logstash.net/http://www.elasticsearch.org/


24/24

Than+s for attening

24

An" >estionsF

OSSEC Log Mangement With Elasticsearch

Documents

Transcript of OSSEC Log Mangement With Elasticsearch