Hi Muraleedaran,
Have you used syslog before? I am thinking not... but that's OK ;)
Basically syslog-ng, or any syslog daemon configured to receive syslog messages,
just takes log messages from hosts over the network and writes them to text log
files on disk (or in a DB if you wish).
- If you wanted to see which user logged in to Router A then look or search in
the log files on your syslog server for an entry regarding this information.
- If your Router A is configured to log all commands to syslog then again just
look or search in the log files on your syslog server for an entry regarding
this information.
It is not much more complicated than that and at this point has nothing to do
with OSSEC.
If you want notifications to alert you when a user logs in or runs particular
commands then you need to configure OSSEC to monitor the log files produced by
the syslog daemon:
(from ossec.conf)
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/some-log-file</location>
</localfile>
And write some (or edit existing) rules to identify the entries you want to
trigger alerts:
(from rules/cisco-ios_rules.xml)
<rule id="4722" level="3">
  <if_sid>4715</if_sid>
  <id>^%SEC_LOGIN-5-LOGIN_SUCCESS</id>
  <description>Successful login to the router.</description>
  <group>authentication_success,</group>
</rule>
The Cisco rule above is a default rule, so you may just need to raise the level
to receive alerts for successful logins.
I hope this helps clear things up a bit!
Regards,
Max Williams
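The search that Max describes (find the login and the commands a user typed on Router A in the files syslog-ng wrote, then decide which entries are worth an alert) can be done with a short script before any OSSEC rule is written. The example below is added here and is not code from the thread or from the OSSEC project. It assumes the IOS messages `%SEC_LOGIN-5-LOGIN_SUCCESS`, `%SEC_LOGIN-4-LOGIN_FAILED`, `%PARSER-5-CFGLOG_LOGGEDCMD` (the one IOS emits when command logging is enabled) and `%SYS-5-CONFIG_I`, and the sample log lines are constructed to look like syslog-ng output for a router called `routerA`. The rule levels are an assumption that mirrors the OSSEC convention (level 7 and above is e-mailed by default), with the login rule raised from the stock level 3 as suggested above.

```python
"""Search syslog-ng output from a Cisco IOS router for logins and logged
commands, and grade entries the way an OSSEC rule level would.
Added example, not part of the original thread."""
import re
from collections import defaultdict

# Constructed sample lines (not taken from the thread). Layout assumed:
# "MMM dd HH:MM:SS host seq: *IOS-timestamp: %FACILITY-SEV-MNEMONIC: text".
SAMPLE_LOG = """\
May 11 15:20:03 routerA 45: *May 11 15:20:02.991: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.1.1.50] [localport: 22] at 15:20:02 UTC Tue May 11 2010
May 11 15:20:11 routerA 46: *May 11 15:20:10.120: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:configure terminal
May 11 15:20:15 routerA 47: *May 11 15:20:14.880: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no ip access-list extended BLOCK_INBOUND
May 11 15:21:40 routerA 48: *May 11 15:21:39.552: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 15:21:39 UTC Tue May 11 2010
May 11 15:22:01 routerA 49: *May 11 15:22:00.004: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.50)
"""

# (regex on the message id, level, description). Assumed levels: the login
# rule is raised from OSSEC's stock 3 to 7 so that it gets e-mailed.
RULES = [
    (r"^%SEC_LOGIN-5-LOGIN_SUCCESS", 7, "Successful login to the router"),
    (r"^%SEC_LOGIN-4-LOGIN_FAILED", 5, "Failed login to the router"),
    (r"^%PARSER-5-CFGLOG_LOGGEDCMD", 7, "Configuration command logged"),
    (r"^%SYS-5-CONFIG_I", 3, "Router configuration changed"),
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
IOS_MSG_RE = re.compile(r"(?P<id>%[A-Z0-9_]+-\d-[A-Z0-9_]+):\s*(?P<text>.*)$")
USER_RE = re.compile(r"\[user: (?P<v>[^\]]+)\]")
SOURCE_RE = re.compile(r"\[Source: (?P<v>[^\]]+)\]")
CMD_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")


def parse_line(line):
    """Split one syslog line into timestamp, host, IOS message id and text.
    Returns None for lines that are not IOS-tagged messages."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mm = IOS_MSG_RE.search(m.group("rest"))
    if not mm:
        return None
    return {"ts": m.group("ts"), "host": m.group("host"),
            "id": mm.group("id"), "text": mm.group("text").strip()}


def match_rule(msg_id):
    """First rule whose pattern matches the message id, as (level, desc)."""
    for pattern, level, desc in RULES:
        if re.match(pattern, msg_id):
            return level, desc
    return None


def _field(regex, text):
    m = regex.search(text)
    return m.group("v") if m else None


def analyse(log_text, email_level=7):
    """Answer the two questions from the thread (who logged in, what did they
    type) and collect the entries that reach the alerting level."""
    report = {"logins": [], "failed_logins": [],
              "commands": defaultdict(list), "alerts": []}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        rule = match_rule(ev["id"])
        if rule is None:
            continue
        level, desc = rule
        if ev["id"] == "%SEC_LOGIN-5-LOGIN_SUCCESS":
            report["logins"].append({"host": ev["host"], "ts": ev["ts"],
                                     "user": _field(USER_RE, ev["text"]),
                                     "source": _field(SOURCE_RE, ev["text"])})
        elif ev["id"] == "%SEC_LOGIN-4-LOGIN_FAILED":
            report["failed_logins"].append({"host": ev["host"], "ts": ev["ts"],
                                            "user": _field(USER_RE, ev["text"]),
                                            "source": _field(SOURCE_RE, ev["text"])})
        elif ev["id"] == "%PARSER-5-CFGLOG_LOGGEDCMD":
            c = CMD_RE.search(ev["text"])
            if c:
                report["commands"][(ev["host"], c.group("user"))].append(
                    c.group("cmd").strip())
        if level >= email_level:
            report["alerts"].append((level, ev["host"], desc, ev["text"]))
    return report


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    for login in r["logins"]:
        print(f"{login['ts']} {login['host']}: {login['user']} logged in from {login['source']}")
    for (host, user), cmds in r["commands"].items():
        print(f"{host}: commands typed by {user}: {cmds}")
    for level, host, desc, text in r["alerts"]:
        print(f"ALERT level {level} on {host}: {desc}: {text}")
```

Point `analyse()` at the contents of the file named in the `<location>` element and the output is the same information OSSEC would alert on once the rule level is raised; anything the script does not match is a hint that the router's log format differs from the assumed one and the decoder or regexes need adjusting.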
From: [email protected] [mailto:[email protected]] On
Behalf Of Muraleedaran Kanapathy
Sent: 11 May 2010 15:24
To: [email protected]
Subject: RE: [ossec-list] RE: ossec for log analysis
Hi Max
Thanks again for the support
What I meant is how to view the syslogs collected and search them, as below:
- Which user logged in to Router A
- What commands the user has typed in Router A
OR can we achieve this using OSSEC? If so, can you guide me with an example?
OR do we have to use a separate log parsing tool?
Also I would like to have the configuration files to get an idea.
Kindly help.
Muraleedaran Kanapathy| Linux/Unix System Engineer - ISS Department
Voice +966(1) 2888136 | Fax +966(1) 288-8899 ext 1422
Integrated Networks | Faisaliah Tower | Level 7A |
PO Box 53553, Riyadh 11593, KSA | GMT +3 |
Email [email protected]<mailto:[email protected]>
Disclaimer: This electronic mail message contains information that (a) is or
may be LEGALLY PRIVILEGED, CONFIDENTIAL, PROPRIETARY IN NATURE, OR OTHERWISE
PROTECTED BY LAW FROM DISCLOSURE, and (b) is intended only for the use of the
Addressee(s) named herein. If you are not the intended recipient, an addressee,
or the person responsible for delivering this to an addressee, you are hereby
notified that reading, using, copying, or distributing any part of this message
is strictly prohibited. If you have received this electronic mail message in
error, please contact us immediately and take the steps necessary to delete the
message completely from your computer system. Unless explicitly attributed, the
opinions expressed in this message do not necessarily represent the official
position or opinions of Integrated Networks LLC., whilst all care has been
taken, Integrated Networks LLC. disclaims all liability for loss or damage to
person or property arising from this message being infected by computer virus
or any type of contamination.
________________________________
From: [email protected] [mailto:[email protected]] On
Behalf Of Max Williams
Sent: Tuesday, May 11, 2010 12:06 PM
To: [email protected]
Subject: RE: [ossec-list] RE: ossec for log analysis
Hi Muraleedaran,
I use syslog-ng running on CentOS; it's an excellent syslog daemon with very
advanced options. I think if I was to do it again I would use rsyslog, which is
very similar to syslog-ng and will be used in RHEL 6. I also use winlogd on
Windows hosts. I use OSSEC for file integrity checking, log parsing and
alerting. I also run the rootkit detection feature. I really like it because it
can parse snort logs too.
With OSSEC and snort you can cover points 10.5.5, 10.6, 11.4 and 11.5 of the
PCI DSS on both Linux and Windows!
Not sure what you mean by syslog viewer? I just use standard Linux text file
reader tools like less/cat/more/nano etc.
I have config files I have customised for CentOS/RHEL and also Windows 2008 R2;
if you want a copy, let me know.
Best Regards,
Max Williams
From: [email protected] [mailto:[email protected]] On
Behalf Of Muraleedaran Kanapathy
Sent: 10 May 2010 14:59
To: [email protected]
Subject: RE: [ossec-list] RE: ossec for log analysis
Hi Max
Thanks a lot for the reply
May I know what you used to collect the logs from network devices (routers
and switches)?
And did you use OSSEC only for file integrity checking? If so, what syslog
daemon and syslog viewer did you implement?
Kindly advise.
Muraleedaran Kanapathy| Linux/Unix System Engineer - ISS Department
Voice +966(1) 2888136 | Fax +966(1) 288-8899 ext 1422
Integrated Networks | Faisaliah Tower | Level 7A |
PO Box 53553, Riyadh 11593, KSA | GMT +3 |
Email [email protected]<mailto:[email protected]>
________________________________
From: [email protected] [mailto:[email protected]] On
Behalf Of Max Williams
Sent: Monday, May 10, 2010 3:57 PM
To: '[email protected]'
Subject: [ossec-list] RE: ossec for log analysis
Hi Muraleedaran,
You cannot browse all Windows events from the web interface; you can only view
Windows events that have been triggered by a rule to generate an alert. Take a
look in this file on the OSSEC server:
<ossec_path>/rules/msauth_rules.xml
You could write your own rule to generate alerts for other events.
If you wish to browse all events for many hosts you could use Windows Event
Collector or use winlogd to send events to a syslog server (which is what we do
for PCI DSS).
Cheers,
Max
From: [email protected] [mailto:[email protected]] On
Behalf Of Muraleedaran Kanapathy
Sent: 08 May 2010 17:07
To: [email protected]
Subject: [ossec-list] ossec for log analysis
Dear Sirs
We are in the process of installing OSSEC for log analysis for the PCI DSS
requirement.
In Windows I have installed the OSSEC agent, but I am unable to see any Windows
event logs such as Application and System, except for the Security logs
(including Cisco logs).
How can I search these logs via the OSSEC web interface?
Muraleedaran Kanapathy| Linux/Unix System Engineer - ISS Department
Voice +966(1) 2888136 | Fax +966(1) 288-8899 ext 1422
Integrated Networks | Faisaliah Tower | Level 7A |
PO Box 53553, Riyadh 11593, KSA | GMT +3 |
Email [email protected]<mailto:[email protected]>
