
Security monitoring is essential if you want to know what is going on in your network. You need to monitor server and network logs along with account status and usage. Even on a shoestring budget, one must pay attention. Not to mention, this meets several compliance (PCI, SOX, etc…) requirements.
OSSEC combined with Splunk is a free and worthy SIEM solution. OSSEC is open source, and Splunk free allows up to 500 MB of daily logs.
OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting, and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Mac OS X, Solaris, and Windows.
Splunk searches, monitors, and analyzes machine-generated data by applications, systems, and IT infrastructure at scale via a web-style interface. Splunk captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations.
Together, you get a powerful way to monitor endpoints, email alerts on suspicious activity, a dashboard view of correlated events, lots of canned reports, and an easy way to search through the security information.
(Screenshot: Splunk Dashboard)
(Screenshot: OSSEC Email Alert & Splunk Search)
Install OSSEC
To get this set up, first we need to install OSSEC. The OSSEC management software runs on Linux. For full installation directions for both server and agents, OSSEC makes chapter two of the OSSEC book available. The following installs the OSSEC server. Download and install OSSEC.
pubal@ossec01:~> wget http://www.ossec.net/files/ossec-hids-2.6.tar.gz
pubal@ossec01:~> gunzip -d ossec-hids-2.6.tar.gz
pubal@ossec01:~> tar -xvf ossec-hids-2.6.tar
pubal@ossec01:~> cd ossec-hids-2.6
pubal@ossec01:~> sudo ./install.sh
pubal@ossec01:~> /var/ossec/bin/ossec-control start
Install Splunk
After OSSEC is in place, download and install Splunk. I’m only monitoring some high risk assets with this deployment, so I put Splunk on the same server as the OSSEC management software. Splunk has a guide and a video to walk you through the installation.
pubal@ossec01:~> wget -O splunk-4.3.1-119532-linux-2.6-x86_64.rpm 'http://www.splunk.com/index.php/download_track?file=4.3.1/splunk/linux/splunk-4.3.1-119532-linux-2.6-x86_64.rpm&ac=&wget=true&name=wget&typed=releases'
pubal@ossec01:~> rpm -i splunk-4.3.1-119532-linux-2.6-x86_64.rpm
pubal@ossec01:~> /opt/splunk/bin/splunk start
Install the OSSEC for Splunk Application
Splunkbase, a repository of Splunk applications, has an OSSEC application. It contains parsing logic, saved searches, canned reports, and dashboards. As long as OSSEC is installed in the default path, it will automatically configure Splunk to pull in the OSSEC logs and alerts. With some minor configuration, it will even let you manage agents through the Splunk console.
Download the OSSEC for Splunk application and point your browser to your new Splunk site. The console will allow you to upload the file you just acquired and install the application.
Download OSSEC for Splunk.
Go to Splunk Console -> http://<servername>:8000/
Click on App in the top menu, and upload the application.

Conclusion
Getting OSSEC logs and alerts into Splunk is a breeze. There is a bit of work to get OSSEC agents on the servers and devices you want to monitor. Like every other SIEM I’ve encountered, in order to get any real value there is a good bit of tuning you need to do. However, once you get this up and running, you’ll have a solid log management and security monitoring solution at your fingertips.
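As an added example (not code from the original post, the OSSEC project, or the Splunk app), here is a small POSIX shell script that reads the alerts file the Splunk app ingests from a default install (/var/ossec/logs/alerts/alerts.log) and summarizes alerts by rule level and rule id. Seeing which rules fire most, and how many alerts sit at or above the level you page on, is the first step of the tuning mentioned above. The sample alerts embedded in the script are constructed; the hostnames, addresses, rule ids and levels are illustrative only.

```shell
#!/bin/sh
# ossec_alert_summary.sh: summarize OSSEC alerts.log by rule level and rule id.
# Added example; not from the original post or the OSSEC project.
# Assumes the stock alerts.log layout, where each alert carries a line like:
#   Rule: 5716 (level 5) -> 'SSHD authentication failed.'

# Print "level rule_id count" lines, highest level first, noisiest rule first.
ossec_alert_summary() {
  awk '
    /^Rule: [0-9]+ \(level [0-9]+\)/ {
      rule = $2               # rule id
      lvl = $4                # "5)" -> "5"
      sub(/\)$/, "", lvl)
      counts[lvl " " rule]++
    }
    END { for (k in counts) print k, counts[k] }
  ' "$1" | sort -k1,1nr -k3,3nr
}

# Count alerts whose level is at or above a threshold (e.g. the email alert level).
ossec_alerts_at_or_above() {
  awk -v min="$2" '
    /^Rule: [0-9]+ \(level [0-9]+\)/ {
      lvl = $4
      sub(/\)$/, "", lvl)
      if (lvl + 0 >= min + 0) n++
    }
    END { print n + 0 }
  ' "$1"
}

# Write a constructed three-alert sample file to the path given as $1.
make_sample_alerts() {
  cat > "$1" <<'EOF'
** Alert 1332097934.12345: - syslog,sshd,authentication_failed,
2012 Mar 18 19:12:14 ossec01->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: root
Mar 18 19:12:13 ossec01 sshd[1234]: Failed password for root from 192.0.2.10 port 4444 ssh2

** Alert 1332097990.12400: mail  - syslog,sshd,authentication_failures,
2012 Mar 18 19:13:10 ossec01->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 192.0.2.10
User: root
Mar 18 19:13:09 ossec01 sshd[1240]: Failed password for root from 192.0.2.10 port 4450 ssh2

** Alert 1332098100.12500: - syscheck,
2012 Mar 18 19:15:00 ossec01->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
EOF
}

# Usage: ./ossec_alert_summary.sh /var/ossec/logs/alerts/alerts.log
if [ -n "${1:-}" ] && [ -f "$1" ]; then
  ossec_alert_summary "$1"
  printf 'alerts at level 7 or above: %s\n' "$(ossec_alerts_at_or_above "$1" 7)"
fi
```

Run it against the live alerts file on the OSSEC server and the top of the output is your tuning list: rules that fire constantly at a low level are candidates for a local rule override, while anything at or above your email threshold should be rare enough that a person can actually read it.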
Sources
http://www.ossec.net
http://www.splunk.com
OSSEC HIDS (Amazon Link)

OSSEC + Splunk is indeed a very powerful combination!
What makes it even more powerful is when you add NIDS alerts (Snort/Suricata), HTTP logs, and other NSM data types using Brad Shoop’s Splunk app [1] on top of my Security Onion distro [2].
1 – http://splunk-base.splunk.com/apps/45784/security-onion
2 – http://securityonion.blogspot.com/
Splunk is not a SIEM….
@Anonymous
Until recently, I would agree with you. Splunk is a log management tool. Before you can have SIEM, you need solid log management in place. That is, SIEM sits on top of a log management infrastructure.
For a long time, Splunk was just log management. Recently, in the form of Splunkbase applications (specifically, the Enterprise Security Suite), they have added support for the security monitoring use case. In my mind, this puts them in SIEM territory.
Last year, Gartner added Splunk to their SIEM magic quadrant. Not that I always agree with Gartner, but in this case I think they’re right.