
Secret agent, ossec

Ok, so there are no secrets, I just wanted to add a little spice to the title 😀

I was recently tasked with investigating the usage of HIDS on some systems, and decided to do the Ossec server and client installation, versus the usual local installation I am used to doing on random nodes that I have configured. I found that once the server portion of Ossec was installed on a host, it was very easy to manage clients, which includes creating the keys that each client uses to authenticate with the server. I also enabled syslog input for Ossec, so now I have a router/firewall, a switch, and a few hosts in the data center remotely logging to the Ossec server, and Ossec sends out alerts if it sees anything strange. For example:

Received From: x.x.x.x->/var/log/syslog
Rule: 1002 fired (level 2) -> “Unknown problem somewhere in the system.”
Portion of the log(s):

Mar 18 19:01:05 X.X.X.X xapi: [error|XHOST|356 xal_listen|VM (domid: 48) device_event = device shutdown {vbd,51712} D:373b8b99d8b3|event] device_event could not be processed because VM record not in database

So far, I am liking the abilities of Ossec to watch over the HID type stuff, and the remote syslog alerting is also very useful.
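The alert above follows OSSEC's email alert layout (a "Received From" line, a "Rule" line with id and level, then the matched log lines). The following is an added example, not code from the post or from the OSSEC project: a small parser for that layout, run over the post's own excerpt, plus a triage helper whose threshold value and "tune" bucket are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the alert excerpt from the post, with addresses masked as the author did.
SAMPLE_ALERT = """\
Received From: x.x.x.x->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Mar 18 19:01:05 X.X.X.X xapi: [error|XHOST|356 xal_listen|VM (domid: 48) device_event = device shutdown {vbd,51712} D:373b8b99d8b3|event] device_event could not be processed because VM record not in database
"""

RECEIVED_RE = re.compile(r"^Received From:\s*(?P<source>\S+?)->(?P<location>\S+)")
# Accept both straight and curly quotes around the description; mail clients often rewrite them.
RULE_RE = re.compile(r'^Rule:\s*(?P<rule_id>\d+)\s+fired\s+\(level\s+(?P<level>\d+)\)\s*->\s*["\u201c](?P<desc>.*?)["\u201d]')

@dataclass
class OssecAlert:
    source: str        # agent or syslog sender as reported by ossec-remoted
    location: str      # file or stream the event came from
    rule_id: int
    level: int         # OSSEC severity, 0 (ignored) to 15 (critical)
    description: str
    log_lines: list = field(default_factory=list)

def parse_alert(text: str) -> OssecAlert:
    source = location = description = rule_id = level = None
    log_lines, in_log = [], False
    for line in text.splitlines():
        if in_log:                       # everything after "Portion of the log(s):" is raw log
            if line.strip():
                log_lines.append(line)
            continue
        if m := RECEIVED_RE.match(line):
            source, location = m.group("source"), m.group("location")
        elif m := RULE_RE.match(line):
            rule_id, level = int(m.group("rule_id")), int(m.group("level"))
            description = m.group("desc")
        elif line.startswith("Portion of the log(s):"):
            in_log = True
    if None in (source, location, rule_id, level, description):
        raise ValueError("incomplete OSSEC alert header")
    return OssecAlert(source, location, rule_id, level, description, log_lines)

def triage(alert: OssecAlert, page_threshold: int = 10) -> str:
    """Assumed routing policy: page on high levels; flag rule 1002 (the generic
    'bad word' catch-all) for tuning, since it usually means no decoder/rule
    exists yet for that log source; log everything else."""
    if alert.level >= page_threshold:
        return "page"
    if alert.rule_id == 1002:
        return "tune"
    return "log"
```

Feeding the post's alert through `triage()` returns "tune", which is the practical takeaway for a level-2 rule 1002 hit from a XenServer host: write a decoder and rule for xapi rather than paging on it.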

If you would like to configure this kind of setup, please use the URL below; I will follow up soon with more about this Ossec installation and what I have learned since. Thanks for reading!

http://www.ossec.net/ossec-docs/OSSEC-book-Ch02_SA240.pdf

Categories: TechBlog