Jason, do you have Splunk working with OSSEC? I am planning to do something very similar to what you described. So far I haven't had much luck getting the OSSEC for Splunk plugin to work in a way that gives me a good overview of my environment. So far the problem I'm having is that my Linux systems that forward logs with "ossec" in them are picked up as OSSEC servers rather than agents, but I haven't spent much time with it yet.
- Trey

On May 17, 1:59 pm, Jason Frisvold <xenoph...@godshell.com> wrote:
> On May 12, 2011, at 5:41 AM, treydock wrote:
>
> > I had to accomplish this a few days ago. See my post here,
> > http://itscblog.tamu.edu/ossec-email-alerts-on-active-responses/.
> > I have the exact decoder and rules I used to receive emails upon
> > active-response execution.
>
> Thanks for the shout out in the post.. I wasn't the originator of that code,
> but I believe I had cleaned it up some.. Regardless, good writeup on the
> whole process.
>
> One thought here. On an active system, you'll likely get a lot of mail
> regarding both normal alerts as well as these additional alerts for each
> active response. For myself, I'm looking at leveraging Splunk to do this for
> me and send me a daily "this is what was blocked" email. I'd love to see
> something within OSSEC to do that natively, but then again, I'd rather see
> Daniel and the rest work on making OSSEC's detection capabilities even better.
> :)
>
> > - Trey
>
> ---------------------------
> Jason 'XenoPhage' Frisvold
> xenoph...@godshell.com
> ---------------------------
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
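The daily "this is what was blocked" summary Jason describes, written here as an added example in Python rather than Splunk; it is not code from either poster or from the OSSEC project. It assumes that OSSEC's active-responses.log lines have the layout `<asctime> <script> <add|delete> <user> <src-ip> <alert-id> <rule-id>` (an assumption about the log format) and uses constructed sample lines.

```python
"""Daily summary of OSSEC active responses (added example, not the project's code).

Assumed line layout (not taken from the thread):
  <asctime> <script> <add|delete> <user> <src-ip> <alert-id> <rule-id>
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not a real capture; the last line is deliberate noise.
SAMPLE_LOG = """\
Tue May 17 13:59:01 UTC 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1305640741.1 5712
Tue May 17 14:02:45 UTC 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1305640965.2 5712
Tue May 17 14:09:01 UTC 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.10 1305640741.1 5712
Tue May 17 15:30:12 UTC 2011 /var/ossec/active-response/bin/host-deny.sh add - 198.51.100.7 1305646212.3 5720
Wed May 18 01:12:00 UTC 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.4 1305681120.4 5712
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \w+ \d{4}) "
    r"(?P<script>\S+) (?P<action>add|delete) (?P<user>\S+) (?P<ip>\S+) "
    r"(?P<alert_id>\S+) (?P<rule>\d+)$"
)

def parse_line(line):
    """Return one entry as a dict (with an ISO 'date' field), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["date"] = datetime.strptime(entry["ts"], "%a %b %d %H:%M:%S %Z %Y").date().isoformat()
    return entry

def daily_summary(log_text, day):
    """Count 'add' actions per (script name, source IP) for one ISO date.
    'delete' entries are the automatic timeout removals, so they are not blocks."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["date"] != day or entry["action"] != "add":
            continue
        counts[(entry["script"].rsplit("/", 1)[-1], entry["ip"])] += 1
    return dict(counts)

def format_report(log_text, day):
    """Render the summary as the body of a daily mail, most-blocked sources first."""
    rows = sorted(daily_summary(log_text, day).items(), key=lambda kv: (-kv[1], kv[0]))
    lines = [f"OSSEC active responses for {day}: {len(rows)} distinct (source, script) pairs"]
    for (script, ip), n in rows:
        lines.append(f"  {ip:<16} {script:<20} x{n}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(SAMPLE_LOG, "2011-05-17"))
```

Pointing the script at the real log and piping `format_report` into a mailer gives the once-a-day digest in place of one alert mail per response.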