Sounds awesome, great work Daniil! Just out of curiosity, why did you decide to go with Snort instead of Suricata? http://suricata-ids.org
Keep up the good work!

On Saturday, 28 March 2015 17:29:54 UTC+1, Daniil Svetlov wrote:
>
> Hi, community!
>
> I have suffered from the lack of a SIEM system for OSSEC for several years. I tried
> Splunk, but it is very expensive. I also tried OSSEC WebUI, but I deleted
> it after a few hours. For a long time I sent OSSEC alerts to Prelude IDS and
> used Prewikka as the web interface, but it had some bugs and was not actively
> developed.
>
> I saw several articles about parsing OSSEC in Logstash and Elasticsearch.
> It inspired me to create a batch of configs for parsing OSSEC and Snort
> logs.
> I created some patterns for parsing OSSEC and Snort alerts and now I plan
> to add more possible event sources. I wrote configs for Elasticsearch and
> Logstash, and made a few dashboards for Kibana as the main part of the WebUI.
> Kibana hasn't got built-in authentication, so I found another project,
> Kibana Authentication Proxy, and added it to my configuration too.
> I have also created a common model for SIEM messages based on the IDMEF
> class hierarchy. I hope it will help to normalize events from different
> sources into one format. And that will help to analyze and visualize them.
>
> At the end of all that work I have made an Ansible playbook for easy and fast
> deployment of all the stuff and configs. So, my playbook takes all those things
> together and runs them.
>
> Try the LightSIEM project on GitHub: https://github.com/dsvetlov/lightsiem
>
> Hope it will help somebody to deploy a free and open-source SIEM.
>
> I will be thankful for all your comments, advice and suggestions.
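The quoted post describes parsing OSSEC and Snort alerts and normalizing them into one IDMEF-based model so that events from different sources can be analyzed together. The script below is an added example of that idea and is not LightSIEM's code: the two sample alerts are constructed for this example, the regular expressions are my own rather than the project's Logstash grok patterns, and the mapping of OSSEC rule levels and Snort priorities onto IDMEF severities is a hypothetical choice. It parses one OSSEC alerts.log block and one Snort "alert_fast" line into the same record and then groups the records by source address, which is the kind of cross-source correlation a common model makes possible.

```python
"""
Added example, not LightSIEM's own code: parse an OSSEC alerts.log block
and a Snort fast-format alert line into one IDMEF-style record and
correlate them by attacker address.  Sample alerts are constructed;
the severity mappings are hypothetical.
"""
import json
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed OSSEC alerts.log entry (one multi-line alert block).
OSSEC_ALERT = """** Alert 1427560194.31337: - syslog,sshd,authentication_failed,
2015 Mar 28 17:29:54 (web01) 192.168.1.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.5
User: root
Mar 28 17:29:53 web01 sshd[4242]: Failed password for root from 203.0.113.5 port 51234 ssh2
"""

# Constructed Snort "alert_fast" line; SID 1000001 is in the local-rule range.
SNORT_ALERT = ("03/28-17:29:55.123456  [**] [1:1000001:1] EXAMPLE SSH brute force [**] "
               "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
               "{TCP} 203.0.113.5:51234 -> 192.168.1.10:22")


@dataclass
class Alert:
    """Subset of the IDMEF Alert class (RFC 4765), enough to correlate sources."""
    analyzer: str                      # Analyzer.name
    create_time: str                   # CreateTime as ISO 8601 text
    classification: str                # Classification.text
    reference: str                     # Classification.Reference.name (rule id / SID)
    severity: str                      # Assessment.Impact.severity: info/low/medium/high
    source_ip: Optional[str] = None    # Source.Node.Address
    target_node: Optional[str] = None  # Target.Node (address or name of the host hit)
    target_user: Optional[str] = None  # Target.User.UserId.name
    raw: str = ""                      # AdditionalData: original event text


def ossec_severity(level: int) -> str:
    """Hypothetical mapping of OSSEC rule levels (0-15) onto IDMEF severities."""
    if level >= 12:
        return "high"
    if level >= 7:
        return "medium"
    if level >= 4:
        return "low"
    return "info"


def snort_severity(priority: int) -> str:
    """Hypothetical mapping of Snort priorities (1 = most severe) onto IDMEF severities."""
    return {1: "high", 2: "medium", 3: "low"}.get(priority, "info")


# The "(agent) ip->location" part is optional: local alerts read "hostname->location".
OSSEC_RE = re.compile(
    r"\*\* Alert (?P<ts>\d+)\.\d+: - (?P<groups>[^\n]*)\n"
    r"(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?:\((?P<agent>[^)]*)\) )?"
    r"(?P<node>[^-\n]+)->(?P<location>[^\n]*)\n"
    r"Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'\n"
    r"(?:Src IP: (?P<src>[^\n]*)\n)?"
    r"(?:User: (?P<user>[^\n]*)\n)?"
    r"(?P<log>.*)", re.S)

SNORT_RE = re.compile(
    r"(?P<mon>\d{2})/(?P<day>\d{2})-(?P<time>\d{2}:\d{2}:\d{2})\.\d+\s+\[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<class>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_ossec(block: str) -> Alert:
    """Normalize one OSSEC alert block; the epoch in the header gives a UTC timestamp."""
    m = OSSEC_RE.match(block)
    if not m:
        raise ValueError("not an OSSEC alert block")
    d = m.groupdict()
    ts = datetime.fromtimestamp(int(d["ts"]), tz=timezone.utc)
    return Alert(analyzer="ossec", create_time=ts.isoformat(),
                 classification=d["desc"], reference=f"ossec:{d['rule']}",
                 severity=ossec_severity(int(d["level"])), source_ip=d["src"],
                 target_node=d["node"].strip(), target_user=d["user"],
                 raw=d["log"].strip())


def parse_snort(line: str, year: int = 2015) -> Alert:
    """Normalize one Snort fast-format line; the format carries no year or zone, so the
    caller supplies the year and the time is the sensor's local time."""
    m = SNORT_RE.match(line)
    if not m:
        raise ValueError("not a Snort fast-format alert")
    d = m.groupdict()
    return Alert(analyzer="snort", create_time=f"{year}-{d['mon']}-{d['day']}T{d['time']}",
                 classification=d["msg"], reference=f"snort:{d['gid']}:{d['sid']}:{d['rev']}",
                 severity=snort_severity(int(d["prio"])), source_ip=d["src"],
                 target_node=d["dst"], raw=line)


def correlate_by_source(alerts: List[Alert]) -> Dict[Optional[str], List[Alert]]:
    """Group normalized alerts by Source.Node.Address, so host (OSSEC) and network
    (Snort) evidence about one attacker lands in the same bucket."""
    buckets: Dict[Optional[str], List[Alert]] = {}
    for a in alerts:
        buckets.setdefault(a.source_ip, []).append(a)
    return buckets


def normalize_all() -> List[Alert]:
    return [parse_ossec(OSSEC_ALERT), parse_snort(SNORT_ALERT)]


if __name__ == "__main__":
    for ip, hits in correlate_by_source(normalize_all()).items():
        print(ip, [h.analyzer for h in hits])
        for h in hits:
            print(json.dumps(asdict(h), indent=2))
```

The point of the shared record is that a dashboard or query only has to know one schema: the same `source_ip` and `severity` fields come out whether the event was an OSSEC rule firing on the host or a Snort signature on the wire, which is what makes the two sources correlate in Kibana without per-source query logic.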
