OSSEC Log Analysis

OSSEC is a powerful open source log analysis engine. It was founded by one of the members of our team, so we know and love OSSEC quite a bit. The major drawback of the open source OSSEC is the lack of a web interface that makes it easy to index and search the alerts in real time. With Trunc, you can see and query your OSSEC alerts, up to hundreds of GB of logs, immediately.

OSSEC to Trunc

The easiest way to send your OSSEC alerts to Trunc is via syslog. Both the OSSEC manager and the OSSEC local installation ship with a component called client-syslog that forwards the alerts to a central log server.

To get started, first go to your terminal and run this command:

/var/ossec/bin/ossec-control enable client-syslog

This tells OSSEC to start ossec-csyslogd, the daemon that sends the alerts externally. After that, open the OSSEC config file (often at /var/ossec/etc/ossec.conf) and add the following:

$ sudo vi /var/ossec/etc/ossec.conf

<syslog_output>
  <server>SYSLOGSERVER</server>
  <port>SYSLOGPORT</port>
</syslog_output>

Replace SYSLOGSERVER and SYSLOGPORT with the syslog server and port assigned to your account (you can see it here). Once that configuration is added, just restart OSSEC and you should be good to go:

$ sudo /var/ossec/bin/ossec-control restart

Note that you also need to add your OSSEC manager IP address to our dashboard as authorized to send syslog events.
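The three steps above (enable client-syslog, add the syslog_output block, restart) are easy to get wrong when repeated across several managers: the block ends up duplicated, or the port is mistyped and the alerts silently go nowhere. The following script is an added example, not code from this page or from the OSSEC project; it wraps the edit in small functions that validate the server and port, refuse to insert a second syslog_output block, place the block before the last closing ossec_config tag, and verify the result. The file path and the ossec-control commands are the ones given above; the host name and port used in the usage comment are constructed placeholders standing in for the SYSLOGSERVER and SYSLOGPORT values from your Trunc account.

```shell
#!/bin/sh
# Added example (not from the Trunc page or the OSSEC project).
# SYSLOGSERVER / SYSLOGPORT come from the Trunc dashboard; any concrete
# host or port appearing below is a constructed placeholder.

# Validate the destination and print the <syslog_output> block.
render_syslog_output() {
    server="$1"
    port="$2"
    [ -n "$server" ] || { echo "server must not be empty" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    printf '  <syslog_output>\n    <server>%s</server>\n    <port>%s</port>\n  </syslog_output>\n' \
        "$server" "$port"
}

# Insert the block into an ossec.conf just before its LAST </ossec_config>
# (OSSEC allows several <ossec_config> sections in one file), unless a
# <syslog_output> block already exists, so re-running is harmless.
# Returns 0 when added, 2 when already present, 1 on error.
add_syslog_output() {
    conf="$1"
    server="$2"
    port="$3"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    if grep -q '<syslog_output>' "$conf"; then
        echo "syslog_output already configured in $conf" >&2
        return 2
    fi
    closes=$(grep -c '</ossec_config>' "$conf")
    if [ "$closes" -eq 0 ]; then
        echo "no </ossec_config> found in $conf; refusing to guess" >&2
        return 1
    fi
    block=$(render_syslog_output "$server" "$port") || return 1
    tmp="$conf.tmp.$$"
    # Pass the block through the environment so awk does not reinterpret
    # backslashes or newlines, then emit it before the final closing tag.
    BLOCK="$block" awk -v total="$closes" '
        /<\/ossec_config>/ { n++; if (n == total) print ENVIRON["BLOCK"] }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Post-change check: exactly one <syslog_output> block, naming the
# server we intended.
verify_syslog_output() {
    conf="$1"
    server="$2"
    [ "$(grep -c '<syslog_output>' "$conf")" -eq 1 ] &&
        grep -q "<server>$server</server>" "$conf"
}

# Apply for real (root and an OSSEC install required), e.g.:
#   sudo sh ossec-to-trunc.sh apply SYSLOGSERVER SYSLOGPORT
if [ "${1:-}" = "apply" ]; then
    /var/ossec/bin/ossec-control enable client-syslog
    add_syslog_output /var/ossec/etc/ossec.conf "$2" "$3"
    verify_syslog_output /var/ossec/etc/ossec.conf "$2"
    /var/ossec/bin/ossec-control restart
fi
```

Without the apply argument the script only defines the functions, so it can be sourced and exercised against a copy of ossec.conf before touching the live manager. Remember that forwarding is one half of the setup: the manager's IP still has to be authorized in the Trunc dashboard, as the note above says.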

Posted in ossec, ossec-logs, log-analysis by Tony Perez (@perezbox)