OSSEC is a powerful Host Intrusion Detection System (HIDS) platform with an exceptional log analysis engine. It was founded by Daniel, one of our founders. To date, one of the platform's biggest drawbacks has been the lack of a web interface. OSSEC users have always been forced to use the terminal, or one of the few enterprise GUI interfaces released over the years.
The reality, however, is that what users really wanted was a simple, easy-to-use platform that let them view, parse and analyze the logs and alerts generated by OSSEC. Trunc solves this problem with a very easy-to-use GUI that focuses on three things: collection, analysis and retention. OSSEC users can now aggregate all their logs into a very simple platform built around those three components, with the rest of the noise removed. Just focused on the logs.
Configuring OSSEC to communicate with Trunc is simple. You will use the client-syslog daemon, which was designed to use the server's syslog capability and forwards all your alerts to a central log platform.
There are four, possibly five, steps to get your OSSEC deployment configured with Trunc, depending on your environment:
From your terminal enable the client-syslog daemon by running this command:
/var/ossec/bin/ossec-control enable client-syslog
This command will start the ossec-csyslogd daemon.
Then, open the OSSEC config file (often at /var/ossec/etc/ossec.conf) and add the following:
$ sudo vim /var/ossec/etc/ossec.conf
You can add the following right after the initial <Global> entry:
<syslog_output>
<server>SYSLOGSERVER</server>
<port>SYSLOGPORT</port>
</syslog_output>
Replace SYSLOGSERVER and SYSLOGPORT with the syslog server and port assigned to your account (you can find them in your Trunc account).
After modifying the configuration file, restart OSSEC:
$ sudo /var/ossec/bin/ossec-control restart
You're looking for output that shows the daemon has started successfully, something like this:
# /var/ossec/bin/ossec-control status
ossec-monitord is running...
ossec-logcollector is running...
ossec-remoted is running...
ossec-syscheckd is running...
ossec-analysisd is running...
ossec-maild is running...
ossec-execd is running...
ossec-csyslogd is running...
ossec-integratord is running...
Before Trunc knows what logs to collect, you must tell it where they are coming from. You do this in the Trunc dashboard, under Settings.
Enter your OSSEC server's IP address in the input box labeled Add Server IP and be sure to click Allow Server. Trunc only accepts syslog from addresses you have allowed here, so a forgotten or mistyped IP is the most common reason alerts never show up.
The last step, which may not apply to every environment, is to verify that your host firewall allows the server to communicate with the Trunc servers. Here is an example of what you might need to do in iptables. Outbound traffic from the OSSEC host traverses the OUTPUT chain, so the first rule permits UDP syslog to the Trunc collector; the second permits UDP from it on the INPUT chain.
$ sudo iptables -I OUTPUT -p udp -d 207.148.18.158 -j ACCEPT
$ sudo iptables -I INPUT -p udp -s 207.148.18.158 -j ACCEPT
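As an added example (not Trunc's or OSSEC's own tooling), the following POSIX shell script automates the configuration edit and the status check from the steps above: it inserts the syslog_output block after the closing global tag of an ossec.conf, refuses to add a second copy if one already exists, warns when the SYSLOGSERVER/SYSLOGPORT placeholders were never replaced, and checks saved ossec-control status output for a running ossec-csyslogd. The sample config and status lines are constructed for the demo, and the server name and port it uses are placeholders for the values assigned to your account.

```shell
#!/bin/sh
# Added example, not part of Trunc's or OSSEC's own tooling.
# Assumes the <syslog_output> block belongs directly after the closing
# </global> tag of ossec.conf, and that SYSLOGSERVER / SYSLOGPORT are the
# values assigned to your Trunc account.

# add_syslog_output CONF SERVER PORT
# Inserts a <syslog_output> block after </global> in CONF. Safe to re-run:
# if the file already contains a <syslog_output> block nothing is changed.
add_syslog_output() {
    conf=$1; server=$2; port=$3
    if grep -q '<syslog_output>' "$conf"; then
        echo "syslog_output already configured in $conf" >&2
        return 0
    fi
    if ! grep -q '</global>' "$conf"; then
        echo "no </global> tag found in $conf; not modifying it" >&2
        return 1
    fi
    awk -v srv="$server" -v prt="$port" '
        { print }
        /<\/global>/ && !inserted {
            print "  <syslog_output>"
            print "    <server>" srv "</server>"
            print "    <port>" prt "</port>"
            print "  </syslog_output>"
            inserted = 1
        }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# placeholders_left CONF
# Returns 0 if the SYSLOGSERVER/SYSLOGPORT placeholders were never replaced,
# a common reason alerts silently go nowhere after the restart.
placeholders_left() {
    grep -Eq 'SYSLOGSERVER|SYSLOGPORT' "$1"
}

# csyslogd_running STATUSFILE
# Returns 0 when the saved output of "ossec-control status" in STATUSFILE
# reports ossec-csyslogd as running.
csyslogd_running() {
    grep -q '^ossec-csyslogd is running' "$1"
}

# --- demo run on a constructed sample config (not a real ossec.conf) ---
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
<ossec_config>
  <global>
    <email_notification>no</email_notification>
  </global>
  <rules>
    <include>rules_config.xml</include>
  </rules>
</ossec_config>
EOF
# "collector.example.net" and 514 are placeholders for the host and port
# assigned to your Trunc account.
add_syslog_output "$demo_conf" collector.example.net 514
cat "$demo_conf"
if placeholders_left "$demo_conf"; then
    echo "WARNING: placeholders still present; replace them before restarting OSSEC" >&2
fi
rm -f "$demo_conf"
```

On a real host you would run add_syslog_output against /var/ossec/etc/ossec.conf as root, then restart OSSEC and save the status output to a file for csyslogd_running; the awk edit writes to a temp file first so a failed edit never leaves a truncated config behind.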