I have configured OSSEC to forward alert events in CEF format to a CEF UDP
Graylog input on port 2514.
OSSEC Server and Graylog are on the same host (SIEMonster Capricorn).
In /var/ossec/etc/ossec.conf:
<ossec_config>
...
<syslog_output>
<server>127.0.0.1</server>
<port>2514</port>
<format>cef</format>
</syslog_output>
...
</ossec_config>
Enable ossec-syslog output:
$ sudo /var/ossec/bin/ossec-control enable client-syslog
$ sudo /var/ossec/bin/ossec-control restart
I have copied the Graylog CEF plugin 'graylog-plugin-input-cef-1.1.0.jar'
to /opt/graylog/plugin and restarted the graylog-server:
$ sudo graylog-ctl restart graylog-server
Added a Graylog CEF UDP input on port 2514 and started the input.
$ sudo netstat -anulp | grep :2514
udp    0  0 127.0.0.1:38141   127.0.0.1:2514   ESTABLISHED 7268/ossec-csyslogd
udp6   0  0 127.0.0.1:2514    :::*                         6914/java
And if I dump UDP traffic from the localhost interface, I can see the OSSEC
events going through (one event, with the sanitized parts replaced by XXX or
<placeholders>, is reproduced below):
$ sudo tcpdump -i lo -vvv -nn -p -A udp and port 2514
17:55:59.164877 IP (tos 0x0, ttl 64, id 55173, offset 0, flags [DF], proto UDP (17), length 736)
    127.0.0.1.38141 > 127.0.0.1.2514: [bad udp cksum 0x00e0 -> 0x1d26!] UDP, length 708
E.....@[email protected]........... .....
<132>Sep 9 17:55:56 CEF:0|Trend Micro Inc.|OSSEC HIDS|v2.8|181042|Windows - The handle to an object was closed.|1|dvc=capricorn cs2=(System_Name) 192.168.XXX.XXX->WinEvtLog cs2Label=Location classification= windows,pci_dss_10.6.1, msg=2016 Sep 09 17:55:52 WinEvtLog: Security: AUDIT_SUCCESS(4658): Microsoft-Windows-Security-Auditing: (no user): no domain: Desktop: The handle to an object was closed. Subject : Security ID: <User SID> Account Name: <Account_Name> Account Domain: <domain> Logon ID: 0xXXXXX Object: Object Server: Security Handle ID: 0xXXXX Process Information: Process ID: 0xXXXX Process Name: <Process_Name>
So far so good, except that nothing comes out of the newly defined Graylog
CEF UDP Input in Graylog.
Search for gl2_source_input:57d2d1fbe709291b021101d5 yields zero results.
The events do not seem to be parsed correctly by the plugin:
org.graylog.plugins.cef.codec.CEFCodec.57d2d1fbe709291b021101d5.failures
<http://192.168.16.20:8080/system/metrics/node/c4d55199-ef80-4344-8fdf-5affbd00ed27?filter=57d2d1fbe709291b021101d5#>
Meter
  Total:         1,238 events
  Mean:          0.09 events/second
  1 minute avg:  0.03 events/second
  5 minute avg:  0.11 events/second
  15 minute avg: 0.12 events/second
Have I stumbled on a bug, or did I miss any steps to get the CEF UDP plugin
to work with OSSEC CEF output?
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/7626aeca-2c18-4b1a-9db8-0c8fd921eed7%40googlegroups.com.
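As an added example (not code from the post, from OSSEC or from the Graylog CEF plugin), the following parser takes the datagram exactly as ossec-csyslogd emits it in the capture above: an RFC 3164 "<PRI>Mmm dd hh:mm:ss " prefix with no hostname token, followed by "CEF:0|" and seven pipe-delimited header fields, then space-separated key=value extensions. It splits the header on unescaped pipes only, handles the "\|", "\=" and "\\" escapes that CEF defines, and strips the blank that OSSEC puts after "classification=". The SAMPLE_LINE is constructed from the tcpdump capture (same redactions, truncated after "Account Domain"); the field names and send_udp() helper are this example's own, not anything the plugin exposes.

```python
import re
import socket
from typing import Dict, Tuple

# Constructed sample: the captured UDP payload from the post, truncated after
# "Account Domain" to keep it short. Not real data beyond what the post shows.
SAMPLE_LINE = (
    "<132>Sep 9 17:55:56 CEF:0|Trend Micro Inc.|OSSEC HIDS|v2.8|181042|"
    "Windows - The handle to an object was closed.|1|dvc=capricorn "
    "cs2=(System_Name) 192.168.XXX.XXX->WinEvtLog cs2Label=Location "
    "classification= windows,pci_dss_10.6.1, msg=2016 Sep 09 17:55:52 WinEvtLog: "
    "Security: AUDIT_SUCCESS(4658): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: Desktop: The handle to an object was closed. "
    "Subject : Security ID: <User SID> Account Name: <Account_Name> "
    "Account Domain: <domain>"
)

CEF_HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")

# RFC 3164 "<PRI>Mmm dd hh:mm:ss " prefix. The captured line carries no
# HOSTNAME token: "CEF:0|..." follows the timestamp directly, so we require that.
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(?=CEF:)")
# Extension "key=value" pairs; a value runs until the next " key=" or end of line.
_EXT_RE = re.compile(r"(?P<key>\w+)=(?P<val>.*?)(?=\s+\w+=|\s*$)")
_ESC_RE = re.compile(r"\\(.)")


def split_cef(cef: str) -> Tuple[Dict[str, str], str]:
    """Split 'CEF:0|v|p|ver|id|name|sev|ext' into 7 header fields + raw extension.

    Header fields may contain '\\|' and '\\\\' escapes; pipes inside the
    extension are literal, so scanning stops after the seventh unescaped pipe.
    """
    if not cef.startswith("CEF:"):
        raise ValueError("not a CEF message: %r" % cef[:20])
    fields, buf, i = [], [], len("CEF:")
    while i < len(cef) and len(fields) < 7:
        c = cef[i]
        if c == "\\" and i + 1 < len(cef):      # escaped char: keep the next one
            buf.append(cef[i + 1])
            i += 2
            continue
        if c == "|":                             # unescaped delimiter
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields, got %d" % len(fields))
    return dict(zip(CEF_HEADER_FIELDS, fields)), cef[i:]


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse the extension into a dict, unescaping '\\=' '\\\\' '\\n' '\\r'.

    Leading/trailing blanks are stripped, which turns OSSEC's
    'classification= windows,...' into 'windows,...'. A literal ' word=' inside
    a free-text value (e.g. msg=) is ambiguous in CEF and will split the value.
    """
    out = {}
    for m in _EXT_RE.finditer(ext):
        val = _ESC_RE.sub(lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)),
                          m.group("val"))
        out[m.group("key")] = val.strip()
    return out


def parse_line(line: str) -> Dict[str, object]:
    """Parse one '<PRI>timestamp CEF:...' datagram as ossec-csyslogd emits it."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("no '<PRI>Mmm dd hh:mm:ss ' syslog prefix before CEF:")
    pri = int(m.group("pri"))
    header, ext = split_cef(line[m.end():])
    return {
        "facility": pri >> 3,            # 132 -> 16 (local0)
        "syslog_severity": pri & 7,      # 132 -> 4  (warning)
        "timestamp": m.group("ts"),
        "header": header,
        "extension": parse_extension(ext),
    }


def send_udp(line: str, host: str = "127.0.0.1", port: int = 2514) -> int:
    """Replay one line into the CEF UDP input, to exercise Graylog without OSSEC."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    parsed = parse_line(SAMPLE_LINE)
    print(parsed["header"])
    for k, v in parsed["extension"].items():
        print("%-15s %s" % (k, v[:60]))
```

Two things worth checking with this in hand: whether the input's failure counter still climbs when a hand-built line from send_udp() is sent (which isolates the plugin from OSSEC), and whether the plugin tolerates the absence of a hostname between the syslog timestamp and "CEF:" (this parser accepts the line as captured; a stricter RFC 3164 reader would take "CEF:0|..." as the hostname). The "bad udp cksum" in the tcpdump output is the usual artefact of capturing on lo with checksum offload and is not a parsing problem.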