[ossec-list] New opensource SIEM (LightSIEM) with OSSEC support

2015-03-28 Thread Daniil Svetlov
Hi, community!

I have suffered from the lack of a SIEM system for OSSEC for several years. I tried 
Splunk, but it is very expensive. I also tried OSSEC WebUI, but I deleted 
it after a few hours. For a long time I sent OSSEC alerts to Prelude IDS and 
used Prewikka as the web interface, but it had some bugs and was not actively 
developed.

I saw several articles about parsing OSSEC logs in Logstash and Elasticsearch. 
They inspired me to create a batch of configs for parsing OSSEC and Snort 
logs.
I created some patterns for parsing OSSEC and Snort alerts and now I plan 
to add more event sources. I wrote configs for Elasticsearch and 
Logstash and made a few dashboards for Kibana as the main part of the web UI.
Kibana hasn't got built-in authentication, so I found another project, 
Kibana Authentication Proxy, and added it to my configuration too.
I have also created a common model for SIEM messages based on the IDMEF class 
hierarchy. I hope it will help to normalize events from different sources 
into one format, which in turn will help to analyze and visualize them.

At the end of all that work I made an Ansible playbook for easy and fast 
deployment of all the stuff and configs. So, my playbook takes all these things 
together and runs them. 

Try the LightSIEM project on GitHub: https://github.com/dsvetlov/lightsiem

I hope it will help somebody to deploy a free and open-source SIEM. 

I will be thankful for all your comments, advice and suggestions.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[ossec-list] Re: New opensource SIEM (LightSIEM) with OSSEC support

2015-03-28 Thread Daniil Svetlov
Hi, Dmitry!

Yes, it is possible to deploy LightSIEM on one server with OSSEC. It's a good 
design for small and medium deployments. But if you want, you can separate 
OSSEC, Logstash, and Elasticsearch with Kibana onto three servers. 
The only requirement is that Elasticsearch and Kibana must sit on one 
server. A small problem with ES is that it hasn't got built-in 
authentication. So, by default, it just listens on a port and everybody can 
query, select or delete documents from the index. But Kibana and Kibana 
Authentication Proxy solve that problem.

I can recommend deploying LightSIEM on a separate server because it can generate 
more load and require more disk space. Also, I usually build hardened OSSEC 
servers with only ports 1514 and 22 open. With additional open ports for 
ELK the attack surface is larger. 

On Saturday, March 28, 2015 at 22:35:38 UTC+3, Dmitry Sherman wrote:
>
> The fact it's using Kibana & Logstash along with its open-source nature is 
> nice.
> Is it possible to deploy on the same server as the OSSEC VM appliance, or do 
> you recommend a separate machine? Where should it sit by design?
> Thanks a lot! 
>



[ossec-list] Re: Can OSSEC log all process the user open in Microsoft Windows?

2015-03-29 Thread Daniil Svetlov
Hi!

First of all you need to configure Windows auditing to log process starts 
etc.
Then you need to create appropriate decoders and rules for OSSEC.

On Sunday, March 29, 2015 at 14:22:01 UTC+3, Nhen Panha wrote:
>
> Hi sir!
>
> Last week I installed OSSEC to monitor my Windows Server and Windows 
> 8.1.
>
> I want to control all the activities that users do in my Windows, for 
> example I want to know when a user opens a browser, copies a document, ...
>
> What should I configure on the OSSEC manager and on my Windows?
>
> Help me please?
>



[ossec-list] Re: Alert levels.

2015-03-30 Thread Daniil Svetlov
Hello, Володимир!

By default, using the standard e-mail alerting function, no.
But you can define an active response script and send e-mail from it.

On Monday, March 30, 2015 at 18:49:22 UTC+3, Володимир Іванець wrote:
>
> Hello all,
>
> I'm new to OSSEC and I was not able to find the answer to one question in 
> the documentation. So we can configure every rule with a threat level. The 
> question is, can we configure e-mail alerts to be sent with different 
> schedules for different threat levels?
>
> Thanks a lot!
>



Re: [ossec-list] Sending Windows Event Logs with nxlog

2015-04-18 Thread Daniil Svetlov
Hi!

You can install LightSIEM (https://github.com/dsvetlov/lightsiem). It uses 
Elasticsearch, Logstash and Kibana to parse OSSEC logs and visualize 
them.
LightSIEM contains all the patterns for OSSEC (and Snort too). I can help with 
any questions and problems with LightSIEM.

On Tuesday, April 14, 2015 at 22:43:27 UTC+3, zen@gmail.com wrote:
>
> Before I started using OSSEC I installed graylog2, but it turned out too 
> difficult for me to configure; IMO OSSEC is a little bit easier 
> and almost everything works after installation. 
> I installed this machine by importing a virtual image into my ESXi, so it had 
> all the applications for monitoring installed.
> Of course I still try to, let's say, personalize the logstash/kibana 
> interface, but I have the problem that I mentioned in an earlier post.
>



Re: [ossec-list] Sending Windows Event Logs with nxlog

2015-04-20 Thread Daniil Svetlov
Hi!

Ansible downloads some extra packages from the internet. It seems that it can't
access the internet to download them.

Mon, 20 Apr 2015, 12:14, :

> Hello,
> it looks nice. I wanted to install this directly on my OSSEC in my test
> lab, but there were some errors, so I changed my mind and prepared another
> server with CentOS 7. I did almost all of the installation, but when I wanted
> to run *ansible-playbook lightsiem-master/lightsiem-install.yml* I got this:
>
>
> 
>



Re: [ossec-list] Sending Windows Event Logs with nxlog

2015-04-20 Thread Daniil Svetlov
Hi!

Thanks for your report. It was a bug. I have already fixed it.

Hope you are enjoying LightSIEM. You can ask me anything about it.

BR, Daniil.

Mon, 20 Apr 2015 at 17:23, :

> I reinstalled the whole system and it works.
>



Re: [ossec-list] Sending Windows Event Logs with nxlog

2015-04-22 Thread Daniil Svetlov
Hi, Andrew!

I have never used ElasticHQ and always make queries with curl from the command
line ((

But I'll test ElasticHQ when I have enough time.

Tue, 21 Apr 2015 at 12:27, :

> Hi,
> thanks for fixing the bug. I have another question, maybe you would be able
> to help me. This is my post:
> https://groups.google.com/forum/#!topic/elastichq/2Jv3klNsFNM
>
> BR, Andrew
>



Re: [ossec-list] Sending Windows Event Logs with nxlog

2015-04-26 Thread Daniil Svetlov
Hi, zen.xen!

I'm not sure that it is possible with Kibana only. You can write a script
which will make a query to ES and then insert the sum of some fields back.

Thu, 23 Apr 2015 at 11:23, :

> Hi Daniil,
> I would like to add some diagram to my OSSEC interface but I don't know
> how.
> Among the events there are *Microsoft-Windows-PrintSpooler[0]*; in the field
> *Details* there are, among other things, "AccountName", "Message",
> "param3", "param4"; there are many others but I don't need them.
> For example:
>
> "AccountName":"user1", "Message":"Document1 printed on HP, printed pages:
> 1", "param3":"user1", "param4":"HP"
> "AccountName":"user1", "Message":"Document5 printed on HP, printed pages:
> 4", "param3":"user1", "param4":"HP"
>
> "AccountName":"user2", "Message":"Document2 printed on Canon, printed
> pages: 1", "param3":"user2", "param4":"Canon"
> "AccountName":"user2", "Message":"Document3 printed on HP, printed pages:
> 1", "param3":"user2", "param4":"HP"
>
> I would like to create such a diagram:
>
> AccountName  Printed pages  Printer
> user1        5              HP
> user2        1              Canon
> user2        1              HP
>
> 5 is the sum of both printouts. Is it possible to do?
>



Re: [ossec-list] Sending Windows Event Logs with nxlog

2015-04-26 Thread Daniil Svetlov
Can you please check some different time intervals for events? Do these
diagrams show nothing on every time frame or on all of them? I think that the
problem is caused by some events that contain text in the field
Alert.Analyzer.Level.Normalyzed. I'll try to make some kind of implicit
conversion.

Thu, 23 Apr 2015 at 17:23, :

> Hi Daniil,
> in LightSIEM there are two diagrams; they show nothing, only the denoted
> symbols are rotating,
>
>
> 
>



Re: [ossec-list] Sending Windows Event Logs with nxlog

2015-05-02 Thread Daniil Svetlov
Yes, I think it's possible. But you need to have this information parsed
from the logs.

Mon, 27 Apr 2015 at 12:01, :

> OK, but is it possible to do that without the sum, just display it?
>
> AccountName  Printed pages  Printer
> user1        1              HP
> user1        4              HP
> user2        1              Canon
> user2        1              HP
>



Re: [ossec-list] send Oracle logs to OSSEC

2015-05-02 Thread Daniil Svetlov
Hi, Zen!

Can you explain your goals and what you are trying to do?

All you need is to send the logs to OSSEC via syslog.
You can find a very detailed manual on how to enable syslog input in OSSEC here:
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.remote.html

After editing ossec.conf you need to issue the command
/var/ossec/bin/ossec-control enable client-syslog and then restart the OSSEC
daemon.

Tue, 28 Apr 2015 at 19:52, :

> Hello,
> I was looking for some examples of how to send logs from Oracle to OSSEC with
> nxlog, but it wasn't successful, so my question is: is it possible or not,
> and if it is possible, how do I do this? Could you help me?
>



[ossec-list] ossec-agent installation process automatization on windows

2015-05-14 Thread Daniil Svetlov
Hi!

I'm trying to update the ossec-agent key on Windows via the CLI.

I have found that the WinGUI just base64-decodes the key received from the 
server and writes it to the file ossec.keys.

If I repeat the same manually, is it enough for the agent to function? Or am I 
missing something?



Re: [ossec-list] How change agent list order in ossec wui v. 0.8

2015-05-22 Thread Daniil Svetlov
Hi!

It seems that OSSEC WUI is no longer supported or developed.

You can try https://github.com/dsvetlov/lightsiem

I can answer anything about it.

Fri, 22 May 2015, 12:39, Grzegorz Prokopowicz :

> How to change the agent list order? I need to see them in alphabetical order
> in OSSEC WUI v0.8.
>
> Help please if possible :)
>



[ossec-list] Re: Ossec with ZeroMQ + Logstash + ELS + Kibana ( Nginx as a Rproxy ) Installations Write-up

2015-05-22 Thread Daniil Svetlov
Very useful article.
I'm developing an Ansible playbook that can install the ELK stack with proper 
settings for OSSEC and Snort log parsing.
The project is located here: https://github.com/dsvetlov/lightsiem
I'll use your article to add a ZeroMQ input, so everybody will be able to use it.

On Monday, October 20, 2014 at 23:24:15 UTC+3, Mehmet Dursun Ince wrote:
>
> Hi everyone
>
> I was trying to set up a working log transfer from OSSEC to Logstash 
> with ZeroMQ. I've read Vic Hargrave's and other guys' blog posts about this. 
> But I thought that trying to parse the OSSEC log file or syslog 
> messages is not easy, for me at least. I realized that OSSEC sends already 
> parsed data when the ZeroMQ feature is enabled. But I faced lots of trouble, 
> especially on the Logstash side (because of the ffi-rzmq packages) while I 
> was trying to install the services.
>
> In short, I solved the issues, got the whole system working and wrote a very 
> detailed blog post about it. I believe this installation guide can be 
> useful and time-saving for people who want to build the same thing.
>
>
> https://www.mehmetince.net/cyber-threat-monitoring-system-with-ossec-zeromq-logstash-elasticsearch-and-kibana/
>
> Thanks
>



Re: [ossec-list] Russian cyrillic

2015-06-04 Thread Daniil Svetlov
Pavel, hello from Moscow!

Yes, you have a problem with encoding.
I don't know how the OSSEC VM is set up, but I'm maintaining a project based on
Kibana, Logstash and Elasticsearch and experiencing the same problems.

The solution is very simple: one line in the Logstash config, in my case.
Look at my last commit here:
https://github.com/dsvetlov/lightsiem/commit/5a5b9ae75da88cce702235357f3816d8d0de78c1

You need to find the similar "input" section in your VM and place in it the line
codec => plain { charset => "Windows-1251" } like in my commit.

You can also try to use LightSIEM.
It is very easy to deploy if you use CentOS 7.


Fri, 15 May 2015 at 12:16, Павел Копцев :

> Hello,
> I just set up a VM with OSSEC from the Virtual Appliance template and
> encountered a problem with monitoring Windows event logs.
>
> I set up a security audit for shares under Windows 2008 Server, and when
> OSSEC gets the log message I get the following output in Kibana:
>
> 2015 Mar 27 12:50:42 WinEvtLog: Security: AUDIT_FAILURE(5145):
> Microsoft-Windows-Security-Auditing: (no user): no domain:
> Hyper-V.domain.com: S-1-5-21-2832557239-2908104349-351431359-2274
> e.zadora IAS 0x1c83c3ea0 File 192.168.8.6 56002 *\\HotSMS
> \\??\\C:\\Folders\\HotSMS \xC1\xE5\xEB\xFF\xEA\xEE\xE2
> \xC5\xE2\xE3\xE5\xED\xE8\xE9\\+ Mars April\\9AA1D4E6.tmp 0xc0080 %%1539\r
>
>
> It seems that the logs are passed correctly but not displayed correctly when
> a path to a file contains Cyrillic symbols. When I try to parse the OSSEC
> current log file with iconv and change the encoding from utf-8 to cp1251, the
> correct path in Cyrillic is displayed.
>
> So my key question is: how to make the path display correctly in Cyrillic
> within OSSEC and the Kibana web page.
>
-- 

--
Best regards, Daniil Svetlov.
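As an added illustration for this thread (not code from the OSSEC VM, from Logstash or from the LightSIEM commit), the escaped fragment from Pavel's Kibana output is decoded below in Python, first as a UTF-8 pipeline sees it and then as Windows-1251. It assumes that `\xNN` in the displayed line stands for one raw byte and `\\` for one literal backslash.

```python
import re

# The escaped path fragment as it appeared in the Kibana output quoted above
# (copied from the message; the \xNN escapes are kept literal in a raw string).
ESCAPED_FRAGMENT = (
    r"\\??\\C:\\Folders\\HotSMS \xC1\xE5\xEB\xFF\xEA\xEE\xE2 "
    r"\xC5\xE2\xE3\xE5\xED\xE8\xE9\\+ Mars April\\9AA1D4E6.tmp"
)

# Matches either a \xNN byte escape or an escaped (doubled) backslash.
_ESCAPE = re.compile(rb"\\x([0-9A-Fa-f]{2})|\\\\")


def unescape_to_bytes(text):
    """Turn the displayed \\xNN / \\\\ escapes back into the raw bytes OSSEC saw.

    Assumption of this example: the viewer shows each non-ASCII byte as \\xNN
    and each literal backslash doubled; nothing else in the line is escaped.
    """
    def repl(match):
        if match.group(1):
            return bytes([int(match.group(1), 16)])
        return b"\\"

    return _ESCAPE.sub(repl, text.encode("ascii"))


def decode_as(text, charset):
    """Decode the escaped fragment with the given charset.

    "utf-8" reproduces what a UTF-8 pipeline makes of Windows-1251 bytes
    (U+FFFD replacement characters or mojibake); "cp1251" is what
    `codec => plain { charset => "Windows-1251" }` tells Logstash to do.
    Undecodable bytes are replaced rather than raising, as a log pipeline would.
    """
    return unescape_to_bytes(text).decode(charset, errors="replace")


def recovered_path(text):
    """The Windows path with its Cyrillic directory name restored."""
    return decode_as(text, "cp1251")
```

The same bytes that UTF-8 turns into replacement characters decode under cp1251 to a readable Cyrillic folder name, which is why the charset has to be declared at the Logstash input rather than fixed up later in Kibana.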



Re: [ossec-list] Re: AnaLogi - OSSEC WUI v1.3

2015-06-13 Thread Daniil Svetlov
Hi, All!

Not sure if this interests you, but I'm developing a SIEM for OSSEC and Snort
based on Elasticsearch, Kibana and Logstash. Kibana provides a very nice
modern web UI. If you have any questions feel free to ask me here or in the
GitHub project.

https://github.com/dsvetlov/lightsiem

Fri, 12 Jun 2015 at 19:17, Robert Micallef :

> Hi Andy,
>
> Not sure if this interests you but just so you know Analogi also works
> perfectly with OSSEC v2.8.1.
>
> Once again thanks for providing such a nice interface. Helps a lot.
>
> Thanks,
> Robert
>
> On 31 January 2013 at 15:48, Robert Micallef  wrote:
>
>> Hi Andy,
>>
>> It could have been permissions. Actually, it probably was permissions. I
>> think you are right and when I copied from the old server it inherited the
>> same permissions of the server. As I said it is working now, so I can't
>> take a screenshot. I remember messing with permissions on our test server
>> but didn't check the permissions for the production server since copying
>> everything worked.
>>
>> About the time, thanks for that. I see you even left templates yourself
>> :). So far everything works well. Thank you very much.
>>
>> Robert
>>
>>
>> On 30 January 2013 18:04, Andy  wrote:
>>
>>> Hi Robert,
>>>
>>> I would need to see a picture of what is on screen to advise
>>> (permissions, and absolute file paths come to mind). If anyone sees this
>>> again, screen shot (including full URL) would help, and also consider
>>> checking the apache logs, and the browser debugger (Firefox is
>>> ctrl+shift+j).  I would need this to have a think.
>>>
>>> The graphs should always display. If there is no data matching your
>>> query then the graph should be empty. The latest version of AnaLogi has
>>> some functionality on the main page to check for database connectivity,
>>> database structure, whether the database is populated etc., so if you
>>> didn't see these errors I would imagine the problem was to do with the
>>> javascript graphing functionality (and not OSSEC/database/data).
>>>
>>> Ah, AM/PM, something I somehow missed. If you look in config.php you
>>> will see a variable $glb_detailtimestamp, this uses the PHP date format,
>>> you can change this config variable and the date format on all/most pages
>>> should update for you.
>>> For syntax look at #Example 4 on:
>>> http://php.net/manual/en/function.date.php
>>>
>>> I planned for this knowing different cultures would prefer different
>>> formats :)
>>>
>>> Andy
>>>
>>>
>>>
>>> On Tuesday, January 29, 2013 2:29:13 PM UTC, Robert Micallef wrote:
>>>
>>>> Hi Andy,
>>>>
>>>> Just FYI I replaced the files for the GUI with the ones we were using
>>>> in the old server and now everything works. I don't know why it didn't work
>>>> with the files downloaded from github. Anyway it is working well now.
>>>> Thanks for your work.
>>>>
>>>> Robert
>>>>
>>>> On Tuesday, January 29, 2013 12:01:23 PM UTC+1, Robert Micallef wrote:
>>>>>
>>>>> Dear Andy,
>>>>>
>>>>> I installed the GUI on the actual logging server a few days ago. The
>>>>> ossec installation was also performed on that same day. The graphs are not
>>>>> appearing. Do you know of any particular dependencies I might have not
>>>>> installed on the new server? I installed apache with php. The GUI loads but
>>>>> the graphs do not. I thought that maybe there needs to be a few days of
>>>>> data in the database before the graphs get generated but it has been 3 days
>>>>> now.
>>>>>
>>>>> I also noticed that when going to detail.php, the alerts' timestamps
>>>>> are not in 24HR format, nor are they followed by AM or PM. It doesn't
>>>>> really make a difference, but I thought you'd want to know about it.
>>>>>
>>>>> Thanks a lot.
>>>>>
>>>>> Robert
>>>>>
-- 

--
Best regards, Daniil Svetlov.



Re: [ossec-list] OSSEC Searches using the ELK stack

2015-06-26 Thread Daniil Svetlov
Hello!

I'm building a SIEM for OSSEC and Snort on the ELK stack.
You can find it on GitHub: https://github.com/dsvetlov/lightsiem

The project contains ready-to-use Logstash patterns and Kibana dashboards. It
supports authentication too.
It is also capable of sending e-mails. The rules for e-mail alerting are very
flexible (based on the Logstash if [] else [] construction), but have their
own pros and cons.

How can you use it?

First of all you can set up a filter for e-mail alerting on logins in
off-hours. I haven't got a ready sample, but I'll add it.

Then you can create a dashboard with a filter on interesting events to track
them visually.

Fri, 26 Jun 2015 at 18:17, :

> Hello OSSEC Gurus,
>
> I'm trying to figure out how to create an OSSEC query in Kibana (using the
> ELK stack) that could identify logins at off-hours. I'm looking to hunt
> for user logins at odd hours (i.e. a user logging in at 2 am on a Sunday),
> or multiple brute-force attempts and so on.
>
> I would also be interested to hear how folks are using OSSEC and the ELK
> stack in their hunting efforts for security anomalies and signs of
> compromise.
>
> Thanks,
>
>
-- 

--
Best regards, Daniil Svetlov.
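As an added example for this exchange (not LightSIEM's Logstash filters or Kibana dashboards), the two hunts the question names, off-hours logins and repeated failed logins from one source, are run here in Python over constructed OSSEC alerts.log entries. The work-hours window, host names, users and addresses are assumptions of the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in OSSEC alerts.log format (hosts, users, addresses and
# alert ids are invented). 2015-06-26 is a Friday, 2015-06-28 a Sunday.
SAMPLE_ALERTS = """\
** Alert 1435303440.1001: - syslog,sshd,authentication_success,
2015 Jun 26 09:24:00 web01->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 10.0.0.5
User: alice
Jun 26 09:24:00 web01 sshd[2190]: Accepted password for alice from 10.0.0.5 port 51922 ssh2

** Alert 1435450620.1002: - syslog,sshd,authentication_success,
2015 Jun 28 02:17:00 web01->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 203.0.113.7
User: bob
Jun 28 02:17:00 web01 sshd[2311]: Accepted password for bob from 203.0.113.7 port 40110 ssh2

** Alert 1435450680.1003: - syslog,sshd,authentication_failed,
2015 Jun 28 02:18:00 web01->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.9
User: root
Jun 28 02:18:00 web01 sshd[2320]: Failed password for root from 198.51.100.9 port 40200 ssh2

** Alert 1435450690.1004: - syslog,sshd,authentication_failed,
2015 Jun 28 02:18:10 web01->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.9
User: admin
Jun 28 02:18:10 web01 sshd[2321]: Failed password for admin from 198.51.100.9 port 40201 ssh2

** Alert 1435450700.1005: - syslog,sshd,authentication_failed,
2015 Jun 28 02:18:20 web01->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.9
User: oracle
Jun 28 02:18:20 web01 sshd[2322]: Failed password for oracle from 198.51.100.9 port 40202 ssh2
"""

# Header, timestamp and rule lines of one alerts.log entry.
HEADER = re.compile(r"^\*\* Alert \d+\.\d+:(?: mail)? - (.+),$")
TIMESTAMP = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+)->")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

# Policy assumption for this example: work hours are 08:00-18:59, Monday to
# Friday, in the manager's local time as written in the alert.
WORK_HOURS = range(8, 19)


def parse_alerts(text):
    """Split alerts.log text into dicts: groups, time, host, rule, level, user, src_ip."""
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        head = HEADER.match(lines[0])
        if not head:
            continue  # not an alert header; skip rather than guess
        alert = {"groups": head.group(1).split(","), "user": None, "src_ip": None}
        for line in lines[1:]:
            if ts := TIMESTAMP.match(line):
                alert["time"] = datetime.strptime(ts.group(1), "%Y %b %d %H:%M:%S")
                alert["host"] = ts.group(2)
            elif rule := RULE.match(line):
                alert["rule"], alert["level"] = int(rule.group(1)), int(rule.group(2))
            elif line.startswith("Src IP: "):
                alert["src_ip"] = line[len("Src IP: "):]
            elif line.startswith("User: "):
                alert["user"] = line[len("User: "):]
        alerts.append(alert)
    return alerts


def is_off_hours(when):
    """True on weekends or outside WORK_HOURS."""
    return when.weekday() >= 5 or when.hour not in WORK_HOURS


def off_hours_logins(alerts):
    """Successful logins that happened off-hours, as (iso time, user, src_ip)."""
    return [(a["time"].isoformat(), a["user"], a["src_ip"])
            for a in alerts
            if "authentication_success" in a["groups"] and is_off_hours(a["time"])]


def brute_force_sources(alerts, threshold=3):
    """Source addresses with at least `threshold` failed authentications."""
    failures = Counter(a["src_ip"] for a in alerts if "authentication_failed" in a["groups"])
    return {ip: n for ip, n in failures.items() if n >= threshold}
```

The same two conditions (rule group plus hour-of-day or weekday, and a count of failures per source address) are what a Logstash `if [...]` filter or a Kibana query would express over the parsed fields.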



Re: [ossec-list] Re: ossec agent on windows 2008R2 x64

2015-06-26 Thread Daniil Svetlov
Oleg, hello!

The OSSEC agent for Windows creates the file ossec.log in c:\program files\OSSEC\.

Try to open it. Also it can have problems with file permissions.
I recommend first of all removing the current agent, then installing agent 2.7.1,
entering the key and trying to run it. If it runs properly, then make an in-place
upgrade to 2.8.0.

Fri, 26 Jun 2015 at 0:22, SoulAuctioneer :

> You can try running the agent from the command line. Anything in the event
> log? Outside of that, without any more troubleshooting data, there isn't a
> whole lot of guidance I can give.
>
-- 

--
Best regards, Daniil Svetlov.



Re: [ossec-list] archives.log and logstash

2015-06-29 Thread Daniil Svetlov
Hello, Martynas!

I have a working solution in my project LightSIEM.
You can find the patterns in the file
https://github.com/dsvetlov/lightsiem/blob/master/roles/elk/files/ossec.pattern
You are looking for the pattern named OSSEC_MESSAGE_FULL.

Tue, 26 May 2015 at 20:07, dan (ddp) :

> On Tue, May 26, 2015 at 7:00 AM, Martynas Buožis  wrote:
> > Hello
> >
> > Maybe anyone has working archives.log integration with logstash ?
> >
> > Thanks for any advice.
> >
>
> I think you can read the file with syslog-ng, strip off the OSSEC
> specific header, and use syslog-ng to forward the log messages to
> logstash. I feel like I looked into stripping the header many years
> ago with syslog-ng, but I don't remember details.
>
> > With best regards
> > Martynas
-- 

--
Best regards, Daniil Svetlov.



Re: [ossec-list] Re: New opensource SIEM (LightSIEM) with OSSEC support

2015-07-03 Thread Daniil Svetlov
Hello, Theresa!

It's not that I went with Snort instead of Suricata. I have a production Snort
deployment at my work. It provides access to a big amount of log samples and
user experience for LightSIEM.

Anyway, Suricata supports all relevant Snort log formats, so you can use
all types of Snort input in LightSIEM with Suricata. If you find any
errors, feel free to report them - I will try to help and fix them.

Fri, 3 July 2015 at 20:14, theresa mic-snare :

> sounds awesome, great work Daniil!
>
> just out of curiosity, why did you decide to go with snort instead of
> suricata?
> http://suricata-ids.org
>
> keep up the good work!
-- 

--
Best regards, Daniil Svetlov.



Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2015-07-04 Thread Daniil Svetlov
Hello, Theresa!

First of all, check the spam folder in your gmail account. Probably gmail just
put the mail from OSSEC in it, because it doesn't look valid.

If you use an SMTP server on localhost, check the log of the MTA. It must be in
/var/log/maillog.

Fri, 3 July 2015 at 19:19, theresa mic-snare :

> hi ossec'ers,
>
>
> my problem is I can't send out any emails/alert notifications with the
> ossec-maild process. I'm relaying my emails through ssmtp, the
> configuration is valid because I'm able to send out mails to external
> addresses through mailx for instance. But for some reason OSSEC just won't
> send any emails out.
>
> I have the following in my global ossec.conf
>
>
>   <global>
>     <email_notification>yes</email_notification>
>     <email_to>x...@gmail.com</email_to>
>     <smtp_server>localhost</smtp_server>
>     <email_from>x...@gmail.com</email_from>
>   </global>
>
> So by localhost or 127.0.0.1 it should use ssmtp to send out emails, right?
>
>
> Does the email_from field need to be ossecm@realdomain? Or can this
> be a gmail address as well? So does it mean the ossecm user needs to send
> out these alerts?
>
> Again tests to send out emails through ssmtp via mailx have been
> successful. so I doubt it's a ssmtp issue here.
>
> Also what I find a little odd is that when I restart ossec through
> ossec-control, all the services/processes should be restarted in a specific
> order, right? However, when I look at the ossec.log in
> /var/ossec/logs/ossec.log, ossec-maild isn't mentioned at all. The
> process itself runs though, when I do a ps -ef |grep ossec-maild
>
> my question now: how can I get the email notification in ossec to work?!
>
>
> thanks!
>
-- 

--
Best regards, Daniil Svetlov.



Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2015-07-05 Thread Daniil Svetlov
Theresa, try issuing the command /var/ossec/bin/ossec-control enable debug. It
will increase log verbosity. Then restart OSSEC and check
/var/ossec/log/ossec.log.
Also, after the restart, try issuing the command "ps aux | grep ossec" and check
that the ossec-maild process is running.

Sat, 4 July 2015 at 19:13, theresa mic-snare :

> i've also tried disabling iptables, but that didn't help either...
> but then again i can send out emails with mailx just fine, so i don't
> think it's iptables blocking anyway...
>
> any ideas?
>
>
> On Saturday, 4 July 2015 16:41:47 UTC+2, theresa mic-snare wrote:
>>
>> Hi Daniil,
>>
>> I've already done that. The maillog doesn't show the mail being sent, but
>> there isn't an error either. It seems that the ossec-maild isn't even
>> relaying it to the local smtp mta (ssmtp) because as said before I can send
>> out mails with mailx just fine.
>>
>> The ossec.log doesn't even mention the ossec-maild even though the
>> process is running...
>> Hmm
>
-- 

--
Best regards, Daniil Svetlov.



Re: [ossec-list] ossec-maild not sending out any alerts (relaying through ssmtp)

2015-07-07 Thread Daniil Svetlov
Nice to see that you found a solution!

Mon, 6 July 2015 at 20:35, theresa mic-snare :

> OK, managed to fix this and face-palming myself
>
> i've tweaked the postfix config a bit, enabled the service and there we
> go...
> ossec-maild is now officially sending out alerts to my email address.
>
> theresa happy :)
-- 

--
Best regards, Daniil Svetlov.



Re: [ossec-list] Querying ossec for indicators of compromise

2015-07-22 Thread Daniil Svetlov
Hi!

You can use LightSIEM: https://github.com/dsvetlov/lightsiem

It contains all necessary inputs and patterns for OSSEC. You can use the
production-ready dashboards and make any query you want.

Tue, 7 July 2015 at 18:24, :

> Hello Group,
>
> I was wondering how folks use ossec to search for IOCs (indicators of
> compromise). I have two choices: I can use the OSSEC Web UI, or Kibana.
>
> I'm looking for ideas (and specific queries) on how to hunt using ossec, and
> use it in general for security issues. I.E. I imagine a good query in
> Kibana might be looking for logins at off areas, and things like this.
>
> I would love to hear from ossec gurus, and any links to specific resources
> are appreciated.
>
> Thanks!
>
-- 

--
Best regards, Daniil Svetlov.



Re: [ossec-list] Re: SEIM system with OSSEC.

2015-08-09 Thread Daniil Svetlov
Hello, Jason!

You can also try LightSIEM: https://github.com/dsvetlov/lightsiem
It's a free and open source project based on the ELK stack. It allows searching in
alerts and logs and creating visualizations based on received alerts.

Sun, 9 Aug 2015 at 18:45, 'Jason Long' via ossec-list <
ossec-list@googlegroups.com>:

> Thank you.
> Grant, can you give me more information? I want to implement SIEM for a
> windows network with 200 clients. Which requirements are needed?
>
>
>
> On Saturday, August 8, 2015 8:58 PM, Grant Leonard <
> gr...@castraconsulting.com> wrote:
>
>
> Try Alienvault or OSSIM, they both make good use of OSSEC and add
> additional tools you will need for detecting the spread of malware
>
> On Friday, August 7, 2015 at 6:40:54 AM UTC-4, Jason Long wrote:
>
> Hello Experts.
> How can I launch a SEIM for my local network and find the spread point of
> malware in my local network?
> Any idea? Please let me know which tools are needed.
>
>
> Thank you.
>
-- 

--
Best regards, Daniil Svetlov.



Re: [ossec-list] Is there any GUI mode fo OSSEC?

2015-08-09 Thread Daniil Svetlov
Hi, Jorge!

You can also try LightSIEM: https://github.com/dsvetlov/lightsiem
It's a free and open source project based on the ELK stack. It allows searching in
alerts and logs and creating visualizations based on received alerts.

Fri, 31 July 2015 at 15:00, Jorge Neves :

> Thank you Steve,
>
> I will test it.
>
> Regards
> J
>
>
> On Thursday, 30 July 2015 at 19:58:34 UTC+1, Steve MacDougall
> wrote:
>
>> There's a WUI you can download from here:
>>
>> http://www.ossec.net/?page_id=19
>>
>> Is this what you were looking for?
>>
>
>> ___
>> *Steve MacDougall* | *Sr. Systems/Network Administrator*
>> BluePay Canada
>>
>> o:  647.258.3704
>> m:  289.924.1806
>> e:  smacdoug...@bluepay.ca
>> w:  www.bluepay.ca
>> 
>>
>>
>>
>>
>> On 30 July 2015 at 12:51, dan (ddp)  wrote:
>>
>>>
>>> On Jul 30, 2015 12:49 PM, "Jorge Neves"  wrote:
>>> >
>>> > Hi,
>>> >
>>> > Is there any GUI mode fo OSSEC?
>>> >
>>>
>>> Not that I'm aware of. The alert outputs enable you to import the alerts
>>> into a number of tools though.
>>>
>> > Regards
>>> > J
>>> >
-- 

--
Best regards, Daniil Svetlov.



Re: [ossec-list] OSSEC WUI can't read alerts.log

2015-08-09 Thread Daniil Svetlov
Hello, Daniel!

You can also try LightSIEM: https://github.com/dsvetlov/lightsiem
It's a free and open source project based on the ELK stack. It allows searching in
alerts and logs and creating visualizations based on received alerts.

If you are familiar with the ELK stack, it will be very easy for you to adjust
LightSIEM to your requirements. Also feel free to make any pull requests
or open issues.


Sun, 9 Aug 2015 at 19:29, theresa mic-snare :

> such a shame that WUI is no longer supported/developed.
> i understand that they rather focus on improving OSSEC than work on a web
> tool that displays the alerts.
> i understand that ELK (especially logstash and kibana) do the job nicely...
>
> but WUI was the perfect pick for my thesis project (test environment) as
> I'm running the OSSEC appliance on a 2gb VM, and I don't have the
> possibility to add more RAM..
> alas, elasticsearch and logstash are memory-eating slugs, therefore I'm
> unable to run ELK on my test server...
> also it would be a bit overkill just for one OSSEC master and one agent.
>
>
>
> On Saturday, 8 August 2015 22:49:16 UTC+2, Daniel wrote:
>>
>> Interesting that ossec-wui isn't supported. I downloaded the appliance
>> right from ossec.net and was following the instructions.
>>
>> Went through my running processes and checked out their configs... sure
>> enough, kibana is also included.
>>
>> Opened up a browser to localhost:5601 and Kibana is still running like a
>> champ. Not even going to try to fix the wui since I'm more familiar with
>> ELK.
>>
>> Thanks for the help, Eero.
>>
>> On Saturday, August 8, 2015 at 4:31:42 PM UTC-4, Eero Volotinen wrote:
>>>
>>> Well,
>>>
>>> Check memory_limit on php also.
>>>
>>> Ossec wui is no longer supported. You should use kibana+elastic search
>>> instead of it.
>>>
>>> Eero
>>>
>>> Eero
>>> Thanks for the quick response.
>>>
>>> I chown'ed alerts.log from ossec.ossec to ossec.apache and still got the
>>> error.
>>>
>>> I then chmod'ed alerts.log from 640 to 666 and still got the error.
>>>
>>> Alerts.log is still growing, though. Up to 4.2G.
>>>
>>> On Saturday, August 8, 2015 at 3:29:32 PM UTC-4, Eero Volotinen wrote:

 Well, you need to give correct permissions to apache as wui is running
 under apache uid..

 Eero
 8.8.2015 8:27 PM "Daniel Twardowski" wrote:

>
> I'm using OSSEC Server Virtual Appliance 2.8.2 and last night I
> configured a few domain controllers to send it their logs. When I came in
> today, the WUI is displaying an error of:
> "Warning:  fopen(/var/ossec/logs/alerts/alerts.log): failed to open
> stream: Value too large for defined data type in
> /opt/lampp/htdocs/ossec-wui/lib/os_lib_alerts.php on line 839"
>
> My alerts.log file is 3.5G. If I delete it and restart ossec services,
> the file is recreated at 3.5G. Is this an issue with file size? If so, can
> I up the log rotation to more than just once a day? And how would I flush
> whatever buffer keeps recreating the 3.5G alerts.log file so I can get 
> back
> to reviewing logs?
>
> Similar, but unanswered message from 2013:
>
> https://groups.google.com/forum/#!msg/ossec-list/topCxSvvmBk/5t4YEfPTTYUJ
>
> Thanks.
>
> Dan
>
-- 

--
Best regards, Daniil Svetlov.



Re: [ossec-list] Re: SEIM system with OSSEC.

2015-08-11 Thread Daniil Svetlov
Jason, LightSIEM maintains one database for all events. It's not important
which sources they come from. OSSEC and Snort logs go through a normalization
process, where they are parsed into special fields and alert levels are reduced
to a common scale.

Answering your question: you need only one LightSIEM server for building a
SIEM.

Also note that, unlike other "freeware" SIEMs, LightSIEM doesn't contain
any limits and is built on top of open source and free software.


Mon, 10 Aug 2015 at 17:42, Grant Leonard :

> a SIEM platform of any kind is a correlation tool for comparing and
> contrasting logs from disparate device types
>
> As you have seen, 3 different folks provided 3 different answers and that
> will likely be true when talking with any professionals.
>
> for 200 devices, you will need a decent size server, OSSIM (and ultimately
> Alienvault) have the OSSEC server running on their main server and remote
> sensor devices allowing you to manually deploy OSSEC agents and control
> OSSEC agent configurations from a GUI as well as command line.
>
> If you are only managing 200 servers and no other log feeds, OSSIM might
> be a good place to start as you will get some pre-canned ideas for writing
> subsequent rules/directives/escalations.
>
> If, however, you choose to add additional feeds, you might keep the 200+
> agents reporting to a remote sensor and use the server for just
> correlation/presentation. Your options are wide open, give it a try!
>
> https://www.alienvault.com/products/ossim
>
>
> Grant Leonard
> Castra Consulting, LLC 
> 919-949-4002
-- 

--
Best regards, Daniil Svetlov.

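The normalization step Daniil describes (OSSEC and Snort alerts parsed into fields, alert levels reduced to one common scale) and the OSSEC alert record layout that the archives.log thread's OSSEC_MESSAGE_FULL pattern targets, shown as an added Python example. This is not LightSIEM's code and not code from anyone on the list: the record layouts are the standard OSSEC alerts.log and Snort "fast" alert formats, the 0..100 severity mappings are an assumption of this example, and the sample records are constructed.

```python
"""Added example (not LightSIEM's code): normalise OSSEC alerts.log records and
Snort fast-alert lines into one event model with a shared severity scale.
Record layouts are the standard OSSEC alerts.log and Snort 'fast' formats; the
severity mappings and the sample records are assumptions constructed here."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input in the two native formats.
OSSEC_SAMPLE = """\
** Alert 1437555600.12345: mail  - syslog,sshd,authentication_failed,
2015 Jul 22 10:00:00 (webserver) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: root
Jul 22 10:00:00 webserver sshd[1234]: Failed password for root from 192.0.2.10 port 4444 ssh2

** Alert 1437555660.12400: - syslog,sshd,authentication_failures,
2015 Jul 22 10:01:00 (webserver) 10.0.0.5->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 192.0.2.10
User: root
Jul 22 10:00:55 webserver sshd[1240]: Failed password for root from 192.0.2.10 port 4450 ssh2
Jul 22 10:00:57 webserver sshd[1241]: Failed password for root from 192.0.2.10 port 4451 ssh2
"""
SNORT_SAMPLE = """\
07/22-10:02:00.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.0.2.10:51234
07/22-10:03:10.000001  [**] [1:1000001:1] LOCAL test rule [**] [Priority: 3] {ICMP} 192.0.2.10 -> 10.0.0.5
"""

# alerts.log record: header, origin line, rule line, optional Src IP/Dst IP/User, raw log.
OSSEC_HEADER = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):(?P<flags>[^-]*)- (?P<groups>.*)$")
OSSEC_ORIGIN = re.compile(
    r"^(?P<date>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<agent_ip>\S+)|(?P<host>\S+))->(?P<location>\S+)$")
OSSEC_RULE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
# Snort 'fast' alert: one line per alert.
SNORT_FAST = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<desc>.*?) \[\*\*\](?: \[Classification: (?P<cls>[^\]]*)\])? \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$")

@dataclass
class Event:
    """Common event model: the same fields whichever sensor produced the alert."""
    source: str                 # "ossec" or "snort"
    time: str
    sensor: str                 # OSSEC agent/host name or Snort sensor label
    rule_id: str
    description: str
    severity: int               # common 0..100 scale, 100 = most severe
    categories: List[str] = field(default_factory=list)
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    user: Optional[str] = None
    raw: str = ""

def ossec_severity(level: int) -> int:
    """OSSEC levels run 0..15 (15 most severe); map linearly onto 0..100 (assumed)."""
    return round(100 * max(0, min(level, 15)) / 15)

def snort_severity(priority: int) -> int:
    """Snort priorities run 1..4 (1 most severe); 1->100, 2->70, 3->40, 4+->10 (assumed)."""
    return max(10, 100 - 30 * (max(1, priority) - 1))

def parse_ossec_alerts(text: str) -> List[Event]:
    events: List[Event] = []
    for block in re.split(r"\n\s*\n", text.strip()):   # records are blank-line separated
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        head, origin, rule = (OSSEC_HEADER.match(lines[0]), OSSEC_ORIGIN.match(lines[1]),
                              OSSEC_RULE.match(lines[2]))
        if not (head and origin and rule):
            continue                                     # not an alert record; skip, don't guess
        ev = Event(source="ossec", time=origin["date"],
                   sensor=origin["agent"] or origin["host"],
                   rule_id=rule["id"], description=rule["desc"],
                   severity=ossec_severity(int(rule["level"])),
                   categories=[g for g in head["groups"].strip().split(",") if g])
        raw: List[str] = []
        for line in lines[3:]:
            if line.startswith("Src IP: "):
                ev.src_ip = line[8:]
            elif line.startswith("Dst IP: "):
                ev.dst_ip = line[8:]
            elif line.startswith("User: "):
                ev.user = line[6:]
            else:
                raw.append(line)                         # the original log line(s)
        ev.raw = "\n".join(raw)
        events.append(ev)
    return events

def parse_snort_fast(text: str, sensor: str = "snort") -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        m = SNORT_FAST.match(line.strip())
        if m:
            events.append(Event(source="snort", time=m["ts"], sensor=sensor,
                                rule_id=f"{m['gid']}:{m['sid']}", description=m["desc"],
                                severity=snort_severity(int(m["prio"])),
                                categories=[m["cls"]] if m["cls"] else [],
                                src_ip=m["src"], dst_ip=m["dst"], raw=line.strip()))
    return events

def count_by_source_ip(events: List[Event], min_severity: int = 0) -> Dict[str, int]:
    """One query that spans both sensors: events per source IP at or above a threshold."""
    counts: Dict[str, int] = {}
    for ev in events:
        if ev.src_ip and ev.severity >= min_severity:
            counts[ev.src_ip] = counts.get(ev.src_ip, 0) + 1
    return counts

if __name__ == "__main__":
    all_events = parse_ossec_alerts(OSSEC_SAMPLE) + parse_snort_fast(SNORT_SAMPLE)
    for ev in all_events:
        print(ev.source, ev.severity, ev.rule_id, ev.src_ip, ev.description)
    print(count_by_source_ip(all_events, min_severity=50))
```

Once both sensors land in the same Event shape, a single query such as count_by_source_ip answers "which source address is generating the most serious alerts across OSSEC and Snort" without knowing which sensor produced each record; the same idea is what a Logstash grok pattern plus a Kibana dashboard gives you at scale.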


Re: [ossec-list] Re: SEIM system with OSSEC.

2015-08-11 Thread Daniil Svetlov
Hi, Jaime!

I didn't mean OSSIM specifically.
I have tried OSSIM and Prelude (Prewikka).
OSSIM can work only with a single user, and only with a limited number of OSSEC
agents.
The community version of Prewikka uses some kind of deoptimized SQL queries, so
the MySQL server can't answer quickly. It also has very poor visualizations.
And it seems that the new owners of Prelude removed some functions from the
community version.



Tue, 11 Aug 2015 at 22:35, Jaime Blasco :

> If you are talking about OSSIM, it doesn't contain any limits and it is
> based on top of Open Source and free software as well. There are more than
> 10k installations worldwide and it is maintained by a company and the core
> technology is used in a commercial product as well. It also gives you many
> more capabilities (Netflow, IDS, Vulnerability Scanning, Correlation, Asset
> discovery, IOC matching, etc).
>
> Happy to answer any questions about OSSIM
>
> Regards
>

Re: [ossec-list] archives.log and logstash

2015-08-19 Thread Daniil Svetlov
Hello, Dan.

Yes, you can use that pattern for reading archives.log, and you can also use a
tool like logstash-forwarder if your Logstash is installed on a separate
server.

Feel free to ask me if you have any questions.

Tue, 18 Aug 2015, 21:11, Dan Burns :

> Hi Daniil,
>
> I'm interested in using your pattern to read the archives.log file with
> Logstash, am I correct that I can use this on the file input for the
> archives.log file to properly parse messages?
>
-- 

--
Best regards, Daniil Svetlov.



[ossec-list] Linux auditd support

2015-10-06 Thread Daniil Svetlov
Hello!

I have just tried to compile ossec 2.8.2 and test Linux auditd support. But when 
I restarted the agent, I saw an error in the log: invalid value for element 
'log_format': linux_auditd.

Is auditd currently supported in ossec?



Re: [ossec-list] Linux auditd support

2015-10-06 Thread Daniil Svetlov
I found this 
article: http://sgros.blogspot.ru/2012/08/implementing-ossec-log-reader-for-linux.html?m=1

And thought that it was already implemented.

The problem with auditd logs is that they are multiline and ossec needs to 
correlate those lines to analyze the entire event.

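As an added example (not code from this thread or from OSSEC itself), here is how the correlation the post describes can be done: every auditd record of one event carries the same audit(TIMESTAMP:SERIAL) id, so grouping records on that id reassembles the multi-line event before it is handed to rule matching. The sample records below are constructed.

```python
import re
from collections import OrderedDict

# Constructed sample: three records of one event (serial 4242) and a
# single-record event (serial 4243). Not real audit output.
SAMPLE_LINES = """\
type=SYSCALL msg=audit(1444120000.123:4242): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1234 uid=0 comm="cat" exe="/bin/cat" key="exec"
type=EXECVE msg=audit(1444120000.123:4242): argc=2 a0="cat" a1="/etc/shadow"
type=PATH msg=audit(1444120000.123:4242): item=0 name="/bin/cat" inode=100 mode=0100755
type=USER_LOGIN msg=audit(1444120005.500:4243): pid=2345 uid=0 auid=1000 res=success
""".splitlines()

# Record header: type=<TYPE> msg=audit(<ts>:<serial>): <key=value ...>
AUDIT_ID = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; values may be double-quoted and contain spaces
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def group_audit_events(lines):
    """Group raw auditd lines into events keyed by "ts:serial".

    Returns an ordered dict: key -> {"types": [record types seen],
    "fields": {merged key/value pairs}}. The first record to set a
    field wins, so e.g. pid from SYSCALL is not clobbered later.
    """
    events = OrderedDict()
    for line in lines:
        m = AUDIT_ID.match(line)
        if not m:
            continue  # not an auditd record; a real reader would log and skip it
        key = f"{m['ts']}:{m['serial']}"
        ev = events.setdefault(key, {"types": [], "fields": {}})
        ev["types"].append(m["type"])
        for k, v in KV.findall(m["body"]):
            ev["fields"].setdefault(k, v.strip('"'))
    return events


def flatten_event(key, ev):
    """Render one correlated event as a single line, the shape a
    single-line log reader can pass on to rule matching."""
    fields = " ".join(f"{k}={v}" for k, v in ev["fields"].items())
    return f"audit({key}) types={','.join(ev['types'])} {fields}"


if __name__ == "__main__":
    for key, ev in group_audit_events(SAMPLE_LINES).items():
        print(flatten_event(key, ev))
```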


Re: [ossec-list] How to Query OSSEC for certain events (Hunting Techniques)

2015-11-03 Thread Daniil Svetlov
I'm using LightSIEM, based on the ELK system, that can break all OSSEC and Snort
messages into semantic pieces which you can use in search queries later.

Tue, 22 Sep 2015 at 17:53, :

> Hello Group!
>
> I'm using the Logstash / Kibana (as well as the OSSEC basic web interface).
>
> In Kibana I use a table view to sort OSSEC events by number and this helps
> zero in on suspicious events. While the basic web interface is fairly
> featureless I found that going to the search screen and searching for
> events of level 2 (lowest level) and then attack / misuse all sometimes
> nets an event worth investigating.
>
> My question is how do folks use these tools (Kibana and basic OSSEC)
> interfaces to hunt for IOCs and other events of interest? Are there other
> tools I could be running against our OSSEC server?
>
> Any info or suggested queries are appreciated.
>
> Thanks,
>
>
-- 

--
Best regards, Daniil Svetlov.
