Hi, community! I have suffered from lacking a SIEM system for OSSEC for several years. I tried Splunk, but it is very expensive. I also tried OSSEC WebUI, but I deleted it after a few hours. For a long time I sent OSSEC alerts to Prelude IDS and used Prewikka as the web interface, but it has some bugs and was not actively developed.
I saw several articles about parsing OSSEC in Logstash and Elasticsearch. It inspired me to create a batch of configs for parsing OSSEC and Snort logs. I created some patterns for parsing OSSEC and Snort alerts and now I plan to add more possible event sources. I wrote configs for Elasticsearch and Logstash and made a few dashboards for Kibana as the main part of the WebUI. Kibana hasn't got built-in authentication, so I found another project, Kibana Authentication Proxy, and added it to my configuration too. I have also created a common model for SIEM messages based on the IDMEF class hierarchy. I hope it will help to normalize events from different sources to one format, and that will help to analyze and visualize them. At the end of all that work I have made an Ansible playbook for easy and fast deploying of all the stuff and configs. So, my playbook takes all these things together and runs them.

Try the LightSIEM project on GitHub: https://github.com/dsvetlov/lightsiem

Hope it will help somebody to deploy a free and open-source SIEM. I will be thankful for all your comments, advice and suggestions.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
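As an added illustration of the normalization idea in the post (this is not code from the LightSIEM project), the block below parses one OSSEC alerts.log record and one Snort fast-mode alert into a single IDMEF-style Alert dictionary, so that severity, source and target can be filtered the same way regardless of sensor. The sample alerts, the field names of the common model and the severity mapping are constructed assumptions, not taken from the project.

```python
import re
from datetime import datetime, timezone
# Constructed samples in the formats OSSEC (alerts.log) and Snort (fast mode) emit
OSSEC_ALERT = """** Alert 1416346200.1234: - syslog,sshd,authentication_failed,
2014 Nov 18 21:30:00 (webserver) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: root
Nov 18 21:29:59 webserver sshd[1234]: Failed password for root from 192.0.2.10 port 51122 ssh2"""
SNORT_ALERT = ("11/18-21:30:01.123456  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] "
               "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
               "192.0.2.10:51122 -> 10.0.0.5:22")
OSSEC_RE = re.compile(  # agent-reported alert: "(host) agent_ip->location" on line 2
    r"^\*\* Alert (?P<ts>\d+)\.\d+: - (?P<groups>\S*)\n"
    r"\S+ \S+ \S+ \S+ \((?P<host>[^)]+)\) (?P<agent>\S+)->(?P<location>\S+)\n"
    r"Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>[^']*)'\n"
    r"(?:Src IP: (?P<src>\S+)\n)?(?:User: (?P<user>\S+)\n)?(?P<log>.*)$", re.S)
SNORT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<desc>.*?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$")

def severity(analyzer: str, n: int) -> str:
    # Collapse OSSEC levels (0..15, higher is worse) and Snort priorities (1 is worst)
    # onto one IDMEF Impact.severity vocabulary so dashboards can filter across sources
    if analyzer == "snort":
        return {1: "high", 2: "medium", 3: "low"}.get(n, "info")
    return "high" if n >= 12 else "medium" if n >= 7 else "low" if n >= 4 else "info"

def idmef(analyzer, create_time, text, sev, src, dst, user=None, extra=None):
    # The common IDMEF-style Alert shape both parsers normalise into (assumed field names)
    return {"Analyzer": {"name": analyzer}, "CreateTime": create_time,
            "Classification": {"text": text}, "Assessment": {"Impact": {"severity": sev}},
            "Source": {"Node": {"Address": src}, "User": user},
            "Target": {"Node": {"Address": dst}}, "AdditionalData": extra or {}}

def parse_ossec(raw: str) -> dict:
    m = OSSEC_RE.match(raw)
    if not m:
        raise ValueError("not an OSSEC alert")
    ts = datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc).isoformat()
    return idmef("ossec", ts, f"{m['rule']}: {m['desc']}", severity("ossec", int(m["level"])),
                 m["src"], m["agent"], m["user"],
                 {"groups": m["groups"].strip(",").split(","), "log": m["log"]})

def parse_snort(raw: str) -> dict:
    m = SNORT_RE.match(raw)
    if not m:
        raise ValueError("not a Snort fast alert")
    return idmef("snort", m["ts"], f"{m['gid']}:{m['sid']}: {m['desc']}", severity("snort", int(m["prio"])),
                 m["src"], m["dst"], None, {"classification": m["cls"], "protocol": m["proto"]})
```

Only the agent-reported OSSEC line format is handled; alerts from the manager itself omit the parenthesised host and would need a second pattern.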