Archive for March, 2012

Secret agent, ossec

Ok, so there are no secrets, I just wanted to add a little spice to the title 😀

I was recently tasked with investigating the use of a HIDS on some systems, and decided to do the Ossec server and client installation rather than the usual local installation I am used to doing on the odd node I have configured. I found that once the server portion of Ossec was installed on a host, it was very easy to manage clients, which includes creating the keys that each client uses to authenticate with the server. I also enabled syslog input for Ossec, so now I have a router/firewall, a switch, and a few hosts in the data center logging remotely to the Ossec server, and Ossec sends out alerts if it sees anything strange. For example:
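As an added illustration (this is not configuration from the original post), the following server-side ossec.conf fragments show the two pieces described above: a syslog listener so the router/firewall and switch can log in without an agent, and the encrypted agent listener for the hosts that run the Ossec client and hold a key generated with manage_agents. The IP range, hostnames and mail addresses are placeholders; the alert thresholds shown are the OSSEC defaults.

```xml
<ossec_config>
  <!-- Added example, not the post's own ossec.conf: all addresses are placeholders. -->

  <!-- Syslog listener (UDP/514): lets network devices log straight to the server
       without an agent. Restrict it to the management network; anything outside
       allowed-ips is dropped, so this is not an open syslog sink. -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <allowed-ips>192.0.2.0/24</allowed-ips>
  </remote>

  <!-- Agent listener (UDP/1514): hosts running the Ossec client authenticate with the
       key created on the server via /var/ossec/bin/manage_agents and imported on the
       client with the same tool. -->
  <remote>
    <connection>secure</connection>
  </remote>

  <!-- Thresholds: level 1 and up goes to /var/ossec/logs/alerts/alerts.log, only
       level 7 and up is mailed. A level-2 hit on rule 1002, like the xapi alert shown
       in this post, therefore lands in the log file but not in anyone's inbox. -->
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <global>
    <email_notification>yes</email_notification>
    <email_to>ossec-alerts@example.com</email_to>
    <smtp_server>mail.example.com</smtp_server>
    <email_from>ossec@ossec-server.example.com</email_from>
  </global>
</ossec_config>
```

After editing, restart with /var/ossec/bin/ossec-control restart and check /var/ossec/logs/ossec.log for "Remote syslog allowed from" lines to confirm the listener picked up the allowed range.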

Received From: x.x.x.x->/var/log/syslog
Rule: 1002 fired (level 2) -> “Unknown problem somewhere in the system.”
Portion of the log(s):

Mar 18 19:01:05 X.X.X.X xapi: [error|XHOST|356 xal_listen|VM (domid: 48) device_event = device shutdown {vbd,51712} D:373b8b99d8b3|event] device_event could not be processed because VM record not in database

So far, I like Ossec's ability to watch over the host-based intrusion detection side of things, and the remote syslog alerting is also very useful.
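Rule 1002 is OSSEC's generic "bad word" catch-all for syslog, so it will keep firing on the xapi message above every time that VM record goes stale. As an added example (not part of the original post), this local_rules.xml fragment keeps rule 1002 alive but tunes it: the one known-noisy message is silenced, while any other rule 1002 hit arriving from the firewall is raised above the default email threshold. The hostname is a placeholder.

```xml
<!-- /var/ossec/rules/local_rules.xml: added example, not from the original post.
     Ids 100000-119999 are reserved for local rules, so these survive upgrades. -->
<group name="local,syslog,">

  <!-- Drop only the specific xapi "VM record not in database" message to level 0.
       Rule 1002 itself stays enabled, so every other odd syslog line still alerts. -->
  <rule id="100100" level="0">
    <if_sid>1002</if_sid>
    <match>device_event could not be processed because VM record not in database</match>
    <description>xapi: stale VM record during device event, known noise.</description>
  </rule>

  <!-- Anything else rule 1002 catches from the firewall is worth a mail:
       level 7 crosses the default email_alert_level. "fw01" is a placeholder. -->
  <rule id="100101" level="7">
    <if_sid>1002</if_sid>
    <hostname>fw01</hostname>
    <description>Unknown problem reported by the firewall via syslog.</description>
  </rule>
</group>
```

Before restarting, paste the original xapi line into /var/ossec/bin/ossec-logtest to confirm it now resolves to rule 100100 at level 0 rather than 1002 at level 2.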

If you would like to configure this kind of setup, please use the URL below; I will follow up soon with more about this Ossec installation and what I have learned since. Thanks for reading!

Categories: TechBlog