Re: [ossec-list] Re: splunk and ossec

2017-07-20 Thread Paul Southerington
Those dashboards are keyed off of an eventtype.  Modifying that eventtype is
the easiest approach.

Either add the index to it through the GUI, or create a file at
/opt/splunk/etc/apps/ossec/local/eventtypes.conf with the following:
 [ossec]
 search = index=ossec (sourcetype=ossec* NOT sourcetype=ossec_agent_control)

 (This is the same as the default setting, but adding the index
explicitly - modify as needed).


Alternately, you can go into Access Controls and add the ossec index to the
user role as one of the indexes that gets searched by default.

Or, you can modify the dashboard XML files themselves to point them at the
right index explicitly.  Untested, but something like this would do it:
cd /opt/splunk/etc/apps/ossec/
# copies go in local/ so an app upgrade does not overwrite the edited dashboards
mkdir -p local/data/ui/views
cp default/data/ui/views/*.xml local/data/ui/views/
cd local/data/ui/views
for i in *.xml; do sed -i.bak "s/eventtype=ossec/index=ossec eventtype=ossec/g" "$i"; done
/opt/splunk/bin/splunk restart

On Thu, Jul 20, 2017 at 2:32 PM, Malik, Anita 
wrote:

> Hi there, I have implemented reporting and managing ossec application for
> Splunk. It works fine until I try using a custom index name for the ossec
> syslog in Splunk. I see the logs populating the custom index and I can do
> the search but the dashboards are empty, that integration seems to break
> while using the custom index name. By default it seems to go in ‘main’,
> ‘default’ indexes in Splunk. Does any one have any ideas on how to make it
> to work with custom index name……thanks!!
> Anita
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>



Re: [ossec-list] OSSEC Splunk or other RHEL option?

2014-08-04 Thread Paul Southerington
In terms of comparison, the OSSEC app and the PCI app for Splunk are
intended to be very different things.

It looks like the PCI app is meant to cover as much of the PCI requirements
as possible, and it knows about the actual PCI requirements themselves. It
looks like maybe it also has some asset tracking and/or ticketing stuff as
well, from a quick glance. I haven't used it, though I've used other apps
from Splunk that were built following the same general approach.

The OSSEC app wasn't designed for PCI per se, and doesn't know anything
about the requirements.  But it will probably be fine if you're just
looking to meet the requirements for the File Integrity Monitoring
component.  There are definitely some changes in the works for the OSSEC
app (better documentation around setup in particular, data models, etc.),
but getting them rolled into a public release is heavily dependent on when
I have time to spend on it. The current release seems to work pretty well
for most people, so it hasn't needed urgent updating for the most part.
And of course, it's free, whereas the PCI app from Splunk is probably not
cheap.

If you do have the PCI app, however, you should be able to feed it file
integrity data from the OSSEC app without major difficulty.



On Mon, Aug 4, 2014 at 9:39 AM, theresa mic-snare 
wrote:

> Hi,
>
> thanks for creating this thread, as I'm also interested in using OSSEC in
> combination with the Splunk App (also on RHEL servers). Also what is the
> difference between the OSSEC app and the PCI DSS compliance app which you
> would have to pay for?!
> do you have any experience with the PCI DSS app?
>
> many thanks in advance,
> theresa
>
> Am Samstag, 12. April 2014 15:27:32 UTC+2 schrieb nicolaszin:
>>
>> Hi,
>>
> >> yes the app for splunk (http://apps.splunk.com/app/300/)
> >> is 2 years old, but it is still working :-). It is marked as working with
>> splunk 6, and I have a running instance that is working fine with it. Did
>> you give it a try?
> >> Do you need instructions on how to set up splunk 6 + ossec report?
>>
>> Regards,
>>
>>
>>
>>
>> On Sat, Apr 12, 2014 at 8:56 AM, Glenn Ford  wrote:
>>
>>> Hi all,
>>>
>>> I was originally going to do an OSSEC -> OSSIM setup but running into
>>> some issues with RHEL compliance since OSSIM is Debian.
>>>
>>> Now I was looking at Splunk (Free) Enterprise but noticed the splunk app
>>> to integrate OSSEC is now 2 years old and most likely does not work with
>>> Splunk v6.
>>>
> >>> Does anyone have a SIEM solution that has a free crippleware version
> >>> such as AlienVault OSSIM or Splunk Enterprise that works on RHEL?
>>>
>>> Thanks in advance,
>>>
>>> Glenn
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to ossec-list+...@googlegroups.com.
>>>
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>  --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>



Re: [ossec-list] Syslog output to Splunk

2014-06-20 Thread Paul Southerington
Assuming you're using the OSSEC app for Splunk, it's probably indexing the
local alerts file.

You don't actually need to configure the syslog output on the OSSEC side if
both are on the same server and you want to capture everything.  But since
you want to limit the data coming in, you can use the syslog option and
disable the other input. In the GUI, look under Settings->Data
Inputs->Files & Directories and disable the entry for
/var/ossec/logs/alerts/alerts*

Also, using <format>splunk</format> is generally not needed or recommended
if you're using the app.  It seems counterintuitive I know, but that option
was added well after the Splunk app for OSSEC was written.




On Fri, Jun 20, 2014 at 10:24 AM, cschwieterman 
wrote:

> Hopefully this doesn’t go through twice (first message never went through).
>
> I have syslog outputting to splunk with minimum level set to 6. However,
> everything is being sent to splunk. The level option is not being obeyed by
> OSSEC. I’ve disabled and enabled client-syslog multiple times. Restarted
> OSSEC and the entire server as well. I am trying to prevent windows logon
> successes and logoffs (level 3) as they are eating up my 500mb daily limit
> in splunk. So, I’m not sure why OSSEC is not obeying the min. level
> parameter. OSSEC and Splunk are both on the same server.
>
> <syslog_output>
>   <level>6</level>
>   <server>127.0.0.1</server>
>   <port>10002</port>
>   <format>splunk</format>
> </syslog_output>
>
> Any help would be appreciated! Thanks!
>
>



Re: [ossec-list] Old "Splunk for OSSEC" app - format issues...

2013-09-09 Thread Paul Southerington
It's a bit counterintuitive, but use of the "Splunk" output format in
ossec.conf isn't recommended right now if you're using the Splunk for OSSEC
app.  That format was added in an ossec patch long after the app was
written, and it usually isn't needed. The preferred approach is either to
capture /var/log/alerts using the Splunk universal forwarder, or to use the
syslog format.

Could you email me off-list directly with a screenshot showing some of the
issues and/or some sample records?

Also, be sure that the sourcetype field is showing up correctly -- for
syslog the sourcetype value should be showing up as just "ossec";  if
that's not right none of the other stuff will be.



On Mon, Sep 9, 2013 at 11:40 AM, Janelle  wrote:

> I wonder if anyone else has seen this:
>
> Run OSSEC Manager and Splunk on same server - everything works perfectly,
> and in fact, when you install "Splunk for OSSEC" app (although dated, still
> works fine) - it reads the data perfectly and no issues with formats. In
> fact, you don't even have to do anything to Splunk, since the APP is
> already configured to monitor the /var/ossec/logs/alerts file(s) and
> related logs.
>
> BUT -- if you setup Splunk on a different server than the OSSEC Manager,
> and use the suggested configuration for sending output to that Splunk
> server with a remote syslog connection on a port (example 10002) with a
> format of "Splunk" - then the Splunk for OSSEC app does NOT read the data
> correctly. You end up with weird double time/date stamps, missing fields of
> the original SRC and DEST and other weird errors.  If you change the output
> format to "Syslog" instead of "Splunk" it is just as bad. And one important
> difference -- if you are using "report_changes" for critical files - in the
> first example, the "diffs" show up in Splunk just fine, but in the 2nd
> example - no matter what format you choose - the diffs no longer appear.
>
> Just wondering if anyone else is using Splunk and the Splunk for OSSEC app
> or just raw Splunk with your own apps and seeing any strange formatting
> errors like this?
>
> I wonder whatever happened to the original "Splunk for OSSEC" authors and
> why it has not been updated in a couple of years?
>
> Oh and this is OSSEC 2.7 (and 2.7.1-beta) with Splunk 5.0.x
>
> Any help would be appreciated - I tried posting in the Splunk forums, but
> no response there.
>
> ~J
>
>



Re: [ossec-list] Re: Forwarding Old Syslogs to SPLUNK

2013-03-15 Thread Paul Southerington
You can put a Splunk Universal Forwarder on the OSSEC server and have it
monitor the alerts.log file directly. In this scenario Splunk is getting
its data from the alerts file directly, so you would want to remove your
<syslog_output> configuration in ossec.conf.  That gives you "reliable" TCP
transport and encryption as well.



On Fri, Mar 15, 2013 at 2:53 PM, Jb Cheng  wrote:

> One way to do this is to use another syslog client that can read from an
> input file and forward the content to your syslog server.
>
> I have done this using syslog4j (https://sites.google.com/site/syslog4j/)
> in the past.
> Once you have the syslog4j-<version>.jar file downloaded, a command
> similar to the following will forward the content of <file> to
> the syslog server.
>
> java -cp syslog4j.jar org.productivity.java.syslog4j.Syslog -i
> <file> -h <host> -p 514 udp
>
>
> On Monday, March 11, 2013 3:10:19 PM UTC-7, Tony C. wrote:
>>
>> Hello,
>>
>> Currently running on OSSEC 2.6 and we have an issue where our
>> 'ossec-csyslogd' daemon (which forwards logs to our SPLUNK server) will
>> randomly stop. While this is something we hope will get fixed when we
>> upgrade to 2.7, we still have the problem of forwarding the logs that were
>> recorded by OSSEC in '/var/ossec/logs' while the forwarder was down.  I've
>> verified that the logs I want do in fact exist (right down to the time
>> frame that wasn't forwarded), but is there a way to forward these old logs
>> to SPLUNK? I've tried searching for a solution by googling it but either my
>> search 'skills' are rusty or no one has had to deal with this yet.  Hope
>> someone can answer my question.  Thanks!
>>
>
>
>





Re: [ossec-list] Use OSSEC to monitor a Splunk server's indexes/logs for tampering

2012-08-09 Thread Paul Southerington
OSSEC won't be able to effectively monitor Splunk's hot or warm indexes; you
are correct that these files are always changing. Also, the process is more
akin to database compaction than simple file growth, so you can't just look
at file size or additions to the end of the file.

Cold and Frozen indexes will be more stable, but you do need to handle the
case when Splunk rolls old data from cold to frozen or deletes old data.

OSSEC can monitor Splunk's binary and config files just fine; some of the
configs will be more stable than others, so you may need a little bit of
trial and error to figure out what needs to be excluded. With the configs, I
find it more valuable to put them under a version control system like
mercurial or subversion.

You may want to look into Splunk's log signing option. This list isn't
really the best forum to get into too much detail. Splunk-base.splunk.com
would be a better place to ask, but this should get you started:
http://docs.splunk.com/Documentation/Splunk/latest/admin/Signauditevents




On Thu, Aug 9, 2012 at 9:29 AM, dan (ddp)  wrote:

> On Wed, Aug 8, 2012 at 12:45 PM, Beau  wrote:
> > I'm wondering if anyone uses an OSSEC agent to monitor a Splunk server
> (free
> > edition) for log integrity.  For PCI-DSS, I understand one needs to make
> > sure logs (stored on Splunk, in our case) maintain integrity
> >
> > I'm hoping OSSEC can help achieve this.
> >
> > To put it another way, we already have an OSSEC server monitoring the
> > clients that are in turn logging to the Splunk server, so I think we're
> > covered on some level, ensuring that the clients are not being tampered
> > with, but it would be great to use OSSEC to verify that the centralized
> > log server (splunk) is maintaining integrity as well.
> >
> > Anyone have thoughts on this?
> >
> > Also, I sort of get that you can use OSSEC to monitor specific locations
> for
> > changes, but I assume the Splunk indexes are always changing, so I'm
> unclear
> > how OSSEC could be used to keep its "eye" on the Splunk data.
>
> OSSEC could potentially detect a logfile getting smaller, but I don't
> know how likely we are to win that race. Beyond that if the logfile is
> text OSSEC could monitor it and forward the logs somewhere else.
>


Re: [ossec-list] WinEventLog:Security events

2012-02-01 Thread Paul Southerington
I think you have the wrong mailing list.  :-)

This is for OSSEC - if you have Splunk questions, try
http://splunk-base.splunk.com/answers/



On Wed, Feb 1, 2012 at 3:04 PM, biciunas  wrote:

> I'm running a Splunk 4.2.5 server on CentOS. On a Win2k3 server I've
> installed Universal SplunkForwarder 4.3, collecting Application,
> Security, and System events. I don't want to see Security "Success
> Audit" events, since there are about anywhere from 1000-3500 per
> minute. (And I need to have the Audit Success flags turned on the
> server since we need to be CIS server compliant.)
>
> On the server, I have defined
>
> props.conf
> [WinEventLog:Security]
> TRANSFORMS-set=dropevents
>
> transforms.conf
> [dropevents]
> REGEX = (?msi)^EventCode=(560|562|567).*^(Type=Audit Success)
> DEST_KEY = queue
> FORMAT = nullQueue
>
> I've tried various forms of the REGEX, including just the EventCodes,
> one EventCode, etc. Nothing seems to work; no events are dropped. I
> read that this was a known issue before 4.2.1, but it is not listed in
> the 4.3 known issues. Can anyone enlighten me as to what I may be
> doing wrong?
>


Re: Re : Re : [ossec-list] unable to run data collection

2011-02-17 Thread Paul Southerington
What version of Splunk, and what version of the app?

If you run the following commands as root, do you get the same error?
 cd /opt/splunk/etc/apps/ossec/bin
 /opt/splunk/bin/python ossec_agent_status.py


If you do, then either download the app from SplunkBase again, or edit
ossec_agent.py at line 58 as shown:
    except Exception, e:
        status = [ 'Error: Unable to run data collection. ' + str(e) ]
        ossec = None

That should at least provide a little more detail.



On Thu, Feb 17, 2011 at 7:50 AM, ruta  wrote:

> Hi,
>
> When I run "ossec_agent_status" manually, I get a list of all Available
> Agents and all have status "Active".
> When for example I login on ossec agent as root with wrong password, it is
> reported live in Splunk (authentication failure).
> But I still have in Splunk error message: "Unable to run data collection"
>
> Regards,
>
>
> --
> *De :* dan (ddp) 
>
> *À :* ossec-list@googlegroups.com
> *Envoyé le :* Mer 16 février 2011, 21h 32min 20s
> *Objet :* Re: Re : [ossec-list] unable to run data collection
>
> What happens when you run this "ossec_agent_status" manually?
>
> On Wed, Feb 16, 2011 at 8:03 AM, Ruta Jn  wrote:
> > Hi Paul,
> >
> > As you have suggested,I have tried to remove 'sudo' from the command line
> in
> > ossec_servers.conf  (Splunk is running as root and is installed on the
> same
> > server as Ossec), but I still have message: Server: Hostname ossec
> server,
> > Error:Unable to run data collection when I make search in Splunk.
> >
> > Below extract from my code after removing 'sudo',stopping splunk and
> > restarting splunk
> >
> > # Local server, with automatically determined hostname
> >
> > # Uncomment the second line to enable agent management.
> >
> > #
> >
> > [_local]
> >
> > AGENT_CONTROL =  /var/ossec/bin/agent_control -l
> >
> > MANAGE_AGENTS =  /var/ossec/bin/manage_agents
> >
> > Regards,
> >
> > John
> >
> >
> > 
> > De : Paul Southerington 
> > À : ossec-list@googlegroups.com
> > Envoyé le : Mar 15 février 2011, 19h 56min 07s
> > Objet : Re: [ossec-list] unable to run data collection
> >
> >
> > That error is coming from the OSSEC plugin to Splunk, rather than from
> OSSEC
> > itself.
> > It means that something went wrong when Splunk tried to run
> > ossec_agent_control to get the list of agents and their
> > connected/disconnected status.
> > The most likely thing is that you need to either remove 'sudo' from the
> > command line in ossec_servers.conf  (if Splunk is running as root), or
> add
> > the needed lines in /etc/sudoers to allow the command to run without a
> > password prompt.
> > If you don't care about polling the agent status, you can also just
> disable
> > the ossec_agent_status scripted input in the Splunk Manager.
> >
> >
> > On Tue, Feb 15, 2011 at 5:14 AM, Ruta Jn  wrote:
> >>
> >> Hi,
> >>
> >> I am using ossec and splunk. I get from ossec server: "Error : Unable to
> >> run data collection". What is wrong and how can I fix that problem?
> >>
> >> Regards,
> >>
> >> John
> >>
>
>


Re: [ossec-list] unable to run data collection

2011-02-15 Thread Paul Southerington
That error is coming from the OSSEC plugin to Splunk, rather than from OSSEC
itself.

It means that something went wrong when Splunk tried to run
ossec_agent_control to get the list of agents and their
connected/disconnected status.

The most likely thing is that you need to either remove 'sudo' from the
command line in ossec_servers.conf  (if Splunk is running as root), or add
the needed lines in /etc/sudoers to allow the command to run without a
password prompt.

If you don't care about polling the agent status, you can also just disable
the ossec_agent_status scripted input in the Splunk Manager.



On Tue, Feb 15, 2011 at 5:14 AM, Ruta Jn  wrote:

> Hi,
>
> I am using ossec and splunk. I get from ossec server: "Error : Unable to run
> data collection". What is wrong and how can I fix that problem?
>
> Regards,
>
> John
>
>
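
The "Unable to run data collection" message in this thread (and in the follow-up above, which points at ossec_agent.py line 58) is what the app reports when the scripted input cannot run agent_control to list agents. As an added example, not the app's own ossec_agent.py, here is a minimal version of that collection step in Python: it runs the command the way a scripted input does (no terminal, stdin closed, bounded runtime), parses the agent list, and turns any failure into the same error string instead of hanging. The sample agent_control -l output is constructed from memory of the OSSEC 2.x format and may differ from your version, so compare the regex with what your manager prints; the sudo -n flag is real, and is what makes a missing NOPASSWD sudoers rule fail immediately rather than block on a password prompt that nothing can answer.

```python
import re
import subprocess

# Constructed sample of `agent_control -l` output on an OSSEC 2.x manager
# (assumed format; check it against your own manager before relying on the regex).
SAMPLE_AGENT_LIST = """\
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossecsrv (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 10.0.0.5, Active
   ID: 002, Name: db01, IP: 10.0.0.6, Disconnected
"""

AGENT_LINE = re.compile(
    r"ID: (?P<id>\d+), Name: (?P<name>.+?), IP: (?P<ip>\S+), (?P<status>.+)$"
)


def agent_control_command(path="/var/ossec/bin/agent_control", use_sudo=False):
    """Build the command line. With use_sudo, `sudo -n` (non-interactive) makes
    sudo exit non-zero at once if no NOPASSWD rule covers the command, instead
    of leaving the scripted input stuck waiting for a password."""
    cmd = [path, "-l"]
    return ["sudo", "-n"] + cmd if use_sudo else cmd


def parse_agent_list(text):
    """One dict per agent line; the header and blank lines are skipped."""
    agents = []
    for line in text.splitlines():
        m = AGENT_LINE.search(line.strip())
        if m:
            agents.append(m.groupdict())
    return agents


def collect_agent_status(command, timeout=30):
    """Run the agent list command as a scripted input would: no tty, stdin
    closed, bounded runtime. Returns (agents, messages); on any failure agents
    is None and messages carries the app's error text plus the actual cause."""
    try:
        proc = subprocess.run(
            command,
            stdin=subprocess.DEVNULL,   # nothing can answer a prompt here
            capture_output=True,
            text=True,
            timeout=timeout,
            check=True,                 # non-zero exit (e.g. sudo denied) -> exception
        )
    except (OSError, subprocess.SubprocessError) as e:
        return None, ["Error: Unable to run data collection. " + str(e)]
    return parse_agent_list(proc.stdout), []


def disconnected_agents(agents):
    """Names of agents the manager reports as not connected."""
    return [a["name"] for a in agents if a["status"].startswith("Disconnected")]


if __name__ == "__main__":
    agents, messages = collect_agent_status(agent_control_command(use_sudo=True))
    if agents is None:
        print("\n".join(messages))
    else:
        for a in agents:
            print("%(id)s %(name)s %(ip)s %(status)s" % a)
        print("disconnected:", disconnected_agents(agents))
```

Run it as the user Splunk runs as: if the output is the error line, the text after the error string tells you whether the binary was not found, sudo refused (non-zero exit with "a password is required" on stderr), or the command timed out, which is the detail the app's original one-line error hides.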


Re: [ossec-list] OSSEC Windows agent runs for awhile and then stops

2011-01-07 Thread Paul Southerington
It sounds like an issue in syscheck somewhere.

If you turn syscheck off temporarily, does the problem go away?   Also, you
might look for exceedingly long <directories> entries, or entries for
directories that don't actually exist.

Syscheck on Windows can also have issues if you don't have at least one
valid registry key defined for monitoring.



On Fri, Jan 7, 2011 at 8:51 AM, Youngquist, Jason R.
wrote:

> Last weekend I installed OSSEC on a number of servers.  On one Windows
> server OSSEC will run for awhile, and then it will stop.  I went into the
> server and re-started OSSEC, and it ran for awhile and then stopped again.
>
> Here's a snippet from the OSSEC log file from the machine.
>
>
> 2011/01/04 13:31:21 ossec-agent(1950): INFO: Analyzing file:
> 'C:\WINNT\System32\LogFiles\W3SVC31\ex110104.log'.
> 2011/01/04 13:31:21 ossec-agent: INFO: Started (pid: 3500).
> 2011/01/04 13:32:41 ossec-agent: INFO: Starting rootcheck scan.
> 2011/01/04 13:32:47 ossec-agent: INFO: Ending rootcheck scan.
> 2011/01/05 00:02:11 ossec-agent(1952): INFO: Monitoring variable log file:
> 'C:\WINNT\System32\LogFiles\W3SVC20\ex110105.log'.
> 2011/01/05 00:02:11 ossec-agent(1103): ERROR: Unable to open file
> 'C:\WINNT\System32\LogFiles\W3SVC20\ex110105.log'.
> 2011/01/05 00:02:11 ossec-agent(1952): INFO: Monitoring variable log file:
> 'C:\WINNT\System32\LogFiles\W3SVC30\ex110105.log'.
> 2011/01/05 00:02:11 ossec-agent(1103): ERROR: Unable to open file
> 'C:\WINNT\System32\LogFiles\W3SVC30\ex110105.log'.
> 2011/01/05 00:02:11 ossec-agent(1952): INFO: Monitoring variable log file:
> 'C:\WINNT\System32\LogFiles\W3SVC31\ex110105.log'.
> 2011/01/05 00:02:11 ossec-agent(1103): ERROR: Unable to open file
> 'C:\WINNT\System32\LogFiles\W3SVC31\ex110105.log'.
> 2011/01/05 09:32:51 ossec-agent: INFO: Starting rootcheck scan.
> 2011/01/05 09:32:57 ossec-agent: INFO: Ending rootcheck scan.
> 2011/01/05 09:32:57 ossec-agent(1105): ERROR: Attempted to use null string.
>
> This machine is a webserver and the log files referenced above are weblogs
> which can get pretty big.
>
> It looks like on " 2011 Jan 05 10:04:57" I received an alert from OSSEC
> that the OSSEC agent installed on the server was disconnected
>
>
> I did some googling for '"Attempted to use null string" ossec' and didn't
> have much luck.  Thoughts on what the issue might be?
>
> Thanks.
> Jason Youngquist
> Information Technology Security Engineer
> Technology Services
> Columbia College
> 1001 Rogers Street, Columbia, MO  65216
> (573) 875-7334
> jryoungqu...@ccis.edu
> http://www.ccis.edu
>
>


Re: [ossec-list] Has anyone seen spikes of high CPU usage with the 2.3 Windows Agent?

2010-09-27 Thread Paul Southerington
We saw this in a test deployment at one point - I'm not sure of the version
number at the time, but 2.3 sounds about right.  Upgrading to 2.4 resolved
it for us.


On Fri, Sep 24, 2010 at 9:51 AM, Jason Mantor  wrote:

> I have found a couple of machines where OSSEC and other processes were
> spiking the CPU up to 100% every few minutes.
> Restarting the service or rebooting the box cleared it up, but I'm
> wondering if windows updates or some other environmental factor is
> causing this?
>


Re: [ossec-list] Re: OSSEC & Splunk integration

2010-04-15 Thread Paul Southerington
That sounds like Splunk's automatic sourcetype assignment. How do you have
the data coming in? (syslog? Direct to a Splunk listening port? Or pointed
directly to the OSSEC alerts file on the local machine?)

If you look in inputs.conf, or in the Manager within Splunk you should be
able to set the sourcetype to 'ossec' there.



On Thu, Apr 15, 2010 at 8:25 AM, Joel Merrick wrote:

> On Thu, Apr 15, 2010 at 1:22 PM, Joel Merrick 
> wrote:
> > Well, it doesn't seem to be displaying anything...
> >
> > OSSEC log directory is being monitored, however sourcetype="ossec"
> > produced nothing. Files have been indexed.
> >
> > Any ideas?
>
> Seems as though the string parsing is not right.
>
> splunk is setting the sourcetype to ossec-{level}
>
> A simple recode in the search query from
>
> sourcetype="ossec"
>
> to
>
> sourcetype="ossec*"
>
> Works.
>
>
> >
> > On Thu, Apr 15, 2010 at 1:05 PM, Joel Merrick 
> wrote:
> >> I have this working now,
> >>
> >> I had to manually add an application, then copy the contents of the
> >> tarball... restart.. works!
> >>
> >> h.t.h.
> >>
> >> --
> >> $ echo "kpfmAdpoofdufevq/dp/vl" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
> >>
> >
> >
> >
> >
>
>
>


Re: [ossec-list] Re: OSSEC & Splunk integration

2010-04-15 Thread Paul Southerington
Did Joel's suggestion make any difference for you?

If not, what version of Splunk are you running, and is it the free license
or enterprise?



On Wed, Apr 14, 2010 at 5:11 PM, uifjlh  wrote:

> Paul,
>
> I seem to have some piece missing my self ? ...  the search part of
> Splunk Works, and I have OSSEC Data there, from my OSSEC clients to
> the OSSEC server, (the same box as the Splunk server) ... but when I
> try the OSSEC plugin... this is the error I get.
>
> 500 Internal Server Error
>
> TypeError: 'NoneType' object is unsubscriptable
>
> This page was linked to from
> http://lcua141:8000/en-US/app/search/dashboard.
>
> Observations/pointers/suggestions welcome.
>
> Thank you very much
>
> JLH
>
> On Apr 11, 8:31 pm, Paul Southerington  wrote:
> > Probably the Splunk side.  I'm assuming you're using Splunk 4.x and the
> 4.x
> > OSSEC app. If not, ignore everything else I say... :-)
> >
> > I've actually been considering making it do that out-of-the-box.  If
> other
> > people want that, please let me know.
> >
> > Right now, you can search on 'reporting_host' instead, or you can try the
> > following. I haven't really tested this yet, so let me know if you have
> > issues:
> >
> > 1)  If the directory isn't already there,  mkdir
> > /opt/splunk/etc/apps/ossec/local
> >
> > 2)  Paste the following into
> > /opt/splunk/etc/apps/ossec/local/transforms.conf
> > 
> > [ossec-syslog-hostoverride1]
> > #  Location: (winsrvr) 10.20.30.40->WinEvtLog;
> > DEST_KEY = MetaData:Host
> > REGEX = ossec: Alert.*?Location: \((.*?)\) ([\d\.]+)->
> > FORMAT = host::$1
> >
> > [ossec-syslog-hostoverride2]
> > DEST_KEY = MetaData:Host
> > REGEX = ossec: Alert.*?Location: ([^\(\)]+)->
> > FORMAT = host::$1
> >
> > [ossec-syslog-ossecserver]
> > REGEX = \s(\S+) ossec:\s
> > FORMAT = ossec_server::$1
> > 
> >
> > 3) Paste the following into /opt/splunk/etc/apps/ossec/local/props.conf
> > 
> > [ossec]
> > FIELDALIAS-ossec-server=
> > REPORT-ossecserver = ossec-syslog-ossecserver
> > TRANSFORMS-host = ossec-syslog-hostoverride1,ossec-syslog-hostoverride2
> > 
> >
> >
> >
> > On Wed, Apr 7, 2010 at 2:25 AM, Xavier Mertens 
> wrote:
> > > Damn! I found the problem. I had two data-inputs created to receive
> syslog
> > > messages from the OSSEC server!
> > > Removed one and it works perfectly now!
> >
> > > BTW, I'm now investigating something else: All events collected by
> OSSEC
> > > are coming from 'localhost' (1 source).
> > > Is there a way to extract the original hostname/IP from the OSSEC
> message
> > > and force Splunk to use it as the event source? I would like to have 1
> > > source host per OSSEC agent.
> >
> > > Do I need to investigate on OSSEC or Splunk side? Any input is welcome!
> >
> > > /x
> >
> > > On Wed, Apr 7, 2010 at 3:09 AM, Ray Nutting 
> wrote:
> >
> > >> I would check your alerts.log file on your hids and make sure your
> agents
> > >> are reporting to the HIDS server.  only your ossec server should be
> > >> configured with syslog_output forwarding to splunk.  would also
> recommend
> > >> the following sites for further reading.
> > >>http://securityisfutile.blogspot.com
> > >> orhttp://splunk.com(Splunkbase web site) and grab the *splunk for
> ossec
> > >> app*.  good luck!
> >
> > >> On Mon, Apr 5, 2010 at 12:45 PM, Xavier Mertens  >wrote:
> >
> > >>> Hi *,
> >
> > >>> I'm testing the integration of OSSEC with Splunk. I followed the
> > >>> configuration as describe in the Wiki. It works!
> > >>> Splunk runs on my OSSEC server. The problem I have at the moment:
> only
> > >>> events generated by the server are sent to Splunk.
> > >>> I don't see any trace of events generated by the remote agents.
> >
> > >>> Did I miss something in the design? ALL agents must have the
> > >>> syslog_output enabled?
> >
> > >>> /x
> >
> > >>> --
> > >>> My server is com

Re: [ossec-list] OSSEC & Splunk integration

2010-04-12 Thread Paul Southerington
Probably the Splunk side.  I'm assuming you're using Splunk 4.x and the 4.x
OSSEC app. If not, ignore everything else I say... :-)

I've actually been considering making it do that out-of-the-box.  If other
people want that, please let me know.

Right now, you can search on 'reporting_host' instead, or you can try the
following. I haven't really tested this yet, so let me know if you have
issues:


1)  If the directory isn't already there,  mkdir
/opt/splunk/etc/apps/ossec/local

2)  Paste the following into
/opt/splunk/etc/apps/ossec/local/transforms.conf

[ossec-syslog-hostoverride1]
#  Location: (winsrvr) 10.20.30.40->WinEvtLog;
DEST_KEY = MetaData:Host
REGEX = ossec: Alert.*?Location: \((.*?)\) ([\d\.]+)->
FORMAT = host::$1

[ossec-syslog-hostoverride2]
DEST_KEY = MetaData:Host
REGEX = ossec: Alert.*?Location: ([^\(\)]+)->
FORMAT = host::$1

[ossec-syslog-ossecserver]
REGEX = \s(\S+) ossec:\s
FORMAT = ossec_server::$1


3) Paste the following into /opt/splunk/etc/apps/ossec/local/props.conf

[ossec]
FIELDALIAS-ossec-server=
REPORT-ossecserver = ossec-syslog-ossecserver
TRANSFORMS-host = ossec-syslog-hostoverride1,ossec-syslog-hostoverride2


On Wed, Apr 7, 2010 at 2:25 AM, Xavier Mertens  wrote:

> Damn! I found the problem. I had two data-inputs created to receive syslog
> messages from the OSSEC server!
> Removed one and it works perfectly now!
>
> BTW, I'm now investigating something else: All events collected by OSSEC
> are coming from 'localhost' (1 source).
> Is there a way to extract the original hostname/IP from the OSSEC message
> and force Splunk to use it as the event source? I would like to have 1
> source host per OSSEC agent.
>
> Do I need to investigate on OSSEC or Splunk side? Any input is welcome!
>
> /x
>
>
> On Wed, Apr 7, 2010 at 3:09 AM, Ray Nutting  wrote:
>
>> I would check your alerts.log file on your hids and make sure your agents
>> are reporting to the HIDS server.  only your ossec server should be
>> configured with syslog_output forwarding to splunk.  would also recommend
>> the following sites for further reading.
>> http://securityisfutile.blogspot.com
>> or http://splunk.com (Splunkbase web site) and grab the *splunk for ossec
>> app*.  good luck!
>>
>>
>> On Mon, Apr 5, 2010 at 12:45 PM, Xavier Mertens wrote:
>>
>>> Hi *,
>>>
>>> I'm testing the integration of OSSEC with Splunk. I followed the
>>> configuration as describe in the Wiki. It works!
>>> Splunk runs on my OSSEC server. The problem I have at the moment: only
>>> events generated by the server are sent to Splunk.
>>> I don't see any trace of events generated by the remote agents.
>>>
>>> Did I miss something in the design? ALL agents must have the
>>> syslog_output enabled?
>>>
>>> /x
>>>
>>> --
>>> My server is com
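As an added check for the transforms.conf stanzas posted above (example code written for this reply, not code from the Splunk for OSSEC app or from Paul), the same regexes can be run over a few constructed OSSEC syslog_output lines before the props/transforms go live. The harness approximates Splunk's behaviour: each stanza in the list is applied in order and a later match overwrites an earlier one; the host names, IPs and rule text in the sample lines are constructed, and the non-alert sshd line is there to confirm that nothing is extracted when the regexes do not apply.

```python
import re

# Constructed sample lines in the OSSEC syslog_output format; not taken from any real system.
SAMPLE_LINES = [
    # Agent event: Location carries "(agentname) agent-ip->logsource"
    "Apr  7 02:25:01 ossecsrv ossec: Alert Level: 3; Rule: 5501 - Login session opened.; "
    "Location: (winsrvr) 10.20.30.40->WinEvtLog; user: jdoe; ...",
    # Local (server) event: Location carries "hostname->logsource" with no parentheses
    "Apr  7 02:26:13 ossecsrv ossec: Alert Level: 7; Rule: 5710 - Attempt to login using a non-existent user; "
    "Location: ossecsrv->/var/log/auth.log; srcip: 192.0.2.10; ...",
    # Not an OSSEC alert at all: no stanza should match, so host stays as the syslog sender
    "Apr  7 02:27:00 ossecsrv sshd[123]: Accepted publickey for jdoe from 192.0.2.11 port 5000 ssh2",
]

# The three stanzas from the posted transforms.conf as (name, REGEX, destination field, FORMAT).
# "host" stands in for DEST_KEY = MetaData:Host; "ossec_server" for the REPORT extraction.
TRANSFORMS = [
    ("ossec-syslog-hostoverride1", r"ossec: Alert.*?Location: \((.*?)\) ([\d\.]+)->", "host", "$1"),
    ("ossec-syslog-hostoverride2", r"ossec: Alert.*?Location: ([^\(\)]+)->", "host", "$1"),
    ("ossec-syslog-ossecserver", r"\s(\S+) ossec:\s", "ossec_server", "$1"),
]


def expand_format(fmt, match):
    """Replace $1, $2, ... in a FORMAT string with the corresponding regex capture groups."""
    return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), fmt)


def apply_transforms(line):
    """Run every stanza over one line; return {field: value} for the stanzas that matched.

    Stanzas are applied in list order and a later match overwrites an earlier one,
    which is an assumption about how Splunk orders TRANSFORMS-host; for these two host
    regexes it does not matter, because a Location with parentheses can only match the
    first and a Location without them can only match the second.
    """
    fields = {}
    for _name, regex, key, fmt in TRANSFORMS:
        m = re.search(regex, line)
        if m:
            fields[key] = expand_format(fmt, m)
    return fields


def check_samples(lines=SAMPLE_LINES):
    """Return the extraction result for each sample line, in order."""
    return [apply_transforms(line) for line in lines]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LINES, check_samples()):
        print(line[:60] + "...")
        print("   ->", result or "(no stanza matched; host stays the syslog sender)")
```

Running this before restarting Splunk shows exactly which host each line would land under; an alert line whose Location format differs (for example an agent name containing a closing parenthesis) would show up here as an unexpected or missing host rather than as a silent mis-attribution in the dashboards.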

Re: [ossec-list] Re: What happened to the Splunk App?

2010-01-05 Thread Paul Southerington
Also, make sure you're using the latest version of Splunk. 4.0.6 had a
couple of issues with some of the saved searches.


On Sun, Jan 3, 2010 at 9:46 AM, Dave S  wrote:

> Thanks all.  I'll give it a try.
>
> Although I find myself torn between the two systems.
> Splunk is a killer report-generating platform, but it can be quite
> demanding on clients and networks as it collects - excuse me "vacuums"
> - all of the raw data.
> On the other hand, one of the things I love dearly about OSSEC is how
> light-weight the agent is and how well it regulates data collection.
> Users would never notice it's there, which is important so they don't
> try to deactivate it like they do with anti-virus apps that get
> carried away.
>
> So here's hoping to get the best of both worlds.
>
> - Dave
>


Re: [ossec-list] Re: splunk ossec app

2009-11-30 Thread Paul Southerington
For those who asked about OSSEC integration with Splunk 4, there is an
initial download at:
http://www.southerington.com/redir.php?id=11

The app is still something of a work-in-progress, but feel free to play with
it. Feedback is welcome, but send it to me directly to avoid cluttering the
list, unless it's relevant to everyone.


To install, extract ossec.tgz into /opt/splunk/etc/apps (or your equivalent
directory).  Check the README and KNOWN_ISSUES files for more detail.

Ultimately, the download will most likely move to the Splunk community apps
page, but at the moment you'll need to use the link above.
On Tue, Nov 24, 2009 at 8:45 AM, Aaron Bliss  wrote:

> Version 4 of splunk for me as well.
>
> On Tue, Nov 24, 2009 at 12:07 AM, jaturley  wrote:
> > I am also looking for the OSSEC app for Splunk 4.  When it becomes
> > available where will I be able to download it from?  Thank you
> >
> > On Nov 23, 1:31 pm, Paul Southerington  wrote:
> >> Are you running Splunk version 3 or 4?
> >>
> >> The OSSEC app for Splunk 3 seems to have disappeared from Splunk's site.
> I'm
> >> working on a Splunk 4 app, which I hope to release within the week. If
> you
> >> would like me to send you an in-progress version, send me a note
> off-list --
> >> I'd love to get your feedback.
> >>
> >> On Mon, Nov 23, 2009 at 11:54 AM, Aaron Bliss 
> wrote:
> >> > Hi all.  I'm looking for the splunk ossec app.  The link below doesn't
> >> > seem to be working and browsing the splunk website, I can't seem to
> >> > find the ossec app.  Any ideas where the app is located?
> >>
> >> >http://www.splunkbase.com/apps/All/Security/app:Splunk+for+OSSEC#
> >
>


Re: [ossec-list] splunk ossec app

2009-11-23 Thread Paul Southerington
Are you running Splunk version 3 or 4?

The OSSEC app for Splunk 3 seems to have disappeared from Splunk's site. I'm
working on a Splunk 4 app, which I hope to release within the week. If you
would like me to send you an in-progress version, send me a note off-list --
I'd love to get your feedback.


On Mon, Nov 23, 2009 at 11:54 AM, Aaron Bliss  wrote:

> Hi all.  I'm looking for the splunk ossec app.  The link below doesn't
> seem to be working and browsing the splunk website, I can't seem to
> find the ossec app.  Any ideas where the app is located?
>
> http://www.splunkbase.com/apps/All/Security/app:Splunk+for+OSSEC#
>


[ossec-list] Re: OSSEC via Splunk

2008-11-21 Thread Paul Southerington


This might get you started (extract under /opt/splunk/etc/apps):
 http://www.southerington.com/projects/splunk/ossec/ossec.tgz

If you're using syslog, it looks like you won't get the categories
anyway.

Automatic event tagging is doable (see the tgz file), but I'm not sure
you can easily split the category list into individual tags. If you
want the whole category list as the tag, you can use an event type
template. If you want them individually, you can scan it into a field,
then split (search the splunk docs for 'multi-value fields').

Alternately you can scan the OSSEC rules file for  and
 tags with a script to find all possible values groups/
categories, then use that to generate your event types in events.conf
and add any tags manually.
On Nov 21, 1:43 pm, Dave Cushing <[EMAIL PROTECTED]>
wrote:
> I haven't gotten that far yet :)  I am very new to OSSEC (up and running 1 
> week) and am just beginning to work my way through the rules.  The output is 
> just syslogged over to splunk and I query it for strings like server names 
> etc.  Just meat and potatoes so far, no gravy :)
>
> -Original Message-
> From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of 
> shadejinx
> Sent: Thursday, November 20, 2008 4:24 PM
> To: ossec-list; Dave Cushing
> Subject: [ossec-list] Re: OSSEC via Splunk
>
> How do you get Splunk to parse the "categories" like
> local,windows,authentication_failure, etc?  I wrote a report
> transform, but because there's no defined structure to these tags I
> can't quite get all the information I want.
>
> I'm looking for automatic event tagging using the OSSEC tags, but
> can't figure out how to do it.
>
> On Nov 20, 12:56 pm, Dave Cushing <[EMAIL PROTECTED]>
> wrote:
> > I use OSSEC and splunk and find the output quite readable.  The difference 
> > being is that I use the OSSEC server to send syslog to the splunk server 
> > rather than having it parse the files.  For the few servers that I have 
> > been testing OSSEC on (about 10), the output has been easy to parse for the 
> > events I have been looking for.
>
> > -Original Message-
> > From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of 
> > shadejinx
> > Sent: Thursday, November 20, 2008 2:26 PM
> > To: ossec-list; Dave Cushing
> > Subject: [ossec-list] OSSEC via Splunk
>
> > So far, I have been unimpressed with the WUI and decided to use Splunk
> > as the interface to OSSEC.  If you don't know what Splunk is, head
> > to www.splunk.com and check it out.  It's a fantastic product for
> > correlating log data, and there's a free  version that's perfect for
> > the volume of data output by OSSEC.
>
> > **Disclosure: I don't work for Splunk, but I would in a heartbeat.
>
> > So here's how it works...  OSSEC agents are installed on server,
> > reporting to the OSSEC Server.  Splunk uses the /var/ossec/log/
> > alerts.log file as an input and voila, you're done... well, not quite...
>
> > The alert structure of OSSEC is not as machine readable as Splunk
> > would like, so there's some customization that has to take place in
> > order to get the best information out of it.  But when you do, you get
> > access to Splunk's extremely powerful parsing and statistics engine
> > that can generate excellent graphs and reports as well as provide a
> > very powerful Google-like search interface on all your OSSEC data.
>
> > So you might be asking: Why don't you just use Spunk to handle all
> > your log data?
>
> > Excellent question, and the answer is twofold.  One, Splunk is not an
> > automatic event correlator.  It can't do the "If you see this event 10
> > times in 20 minutes, followed by this event, throw this flag" thing
> > automatically.  (Even though "Transaction Types" is getting close,
> > it's still not quite good enough) It is, however, the best manual
> > event correlator though.  It's the tool I would turn to when I'm
> > researching the flag thrown by OSSEC in the above event.
>
> > And Two:  Money.  Splunk recently got expensive, so instead of having
> > Splunk handle all my immense amount of log data and pay tons of cash,
> > I downloaded the free version and it handles the output of OSSEC.  If
> > you have the cash, I *highly* recommend running both.
>
> > My question: Is there a way to get a more machine readable output to
> > feed something like Splunk or swatch?  Could this be a wishlist
> > feature?
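The scripted approach Paul suggests above (scan the rules file for the group tags, then generate event types from them) as an added example, written for this thread rather than taken from the app or from any OSSEC tooling: it parses an excerpt in the style of an OSSEC rules file, collects every group a rule belongs to (the groups named on the enclosing group element plus the rule's own group element), and renders one eventtypes.conf stanza per group. The rules excerpt is constructed, `eventtype=ossec` is assumed to be the app's base event type, and `rule_number` is an assumed name for the field holding the OSSEC rule id; substitute whatever the app really extracts.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed excerpt in the style of an OSSEC rules file; not copied from any real ruleset.
SAMPLE_RULES_XML = """
<group name="syslog,sshd,">
  <rule id="5700" level="0" noalert="1">
    <decoded_as>sshd</decoded_as>
    <description>SSHD messages grouped.</description>
  </rule>
  <rule id="5710" level="5">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>Attempt to login using a non-existent user</description>
    <group>invalid_login,authentication_failed,</group>
  </rule>
</group>
<group name="syslog,pam,">
  <rule id="5501" level="3">
    <if_sid>5500</if_sid>
    <match>session opened for user </match>
    <description>Login session opened.</description>
    <group>authentication_success,</group>
  </rule>
</group>
"""


def split_groups(text):
    """Split an OSSEC comma-separated group list such as "syslog,sshd," into names."""
    return [g.strip() for g in (text or "").split(",") if g.strip()]


def rules_by_group(rules_xml):
    """Return {group_name: sorted list of rule ids} for every group any rule belongs to.

    A rule inherits the groups listed in the name attribute of its enclosing
    <group> element and adds those listed in its own <group> child element.
    """
    # OSSEC rules files usually hold several top-level <group> elements, which is not
    # one well-formed XML document, so wrap the text in a synthetic root before parsing.
    root = ET.fromstring("<rules>" + rules_xml + "</rules>")
    index = defaultdict(set)
    for grp in root.findall("group"):
        inherited = split_groups(grp.get("name"))
        for rule in grp.findall("rule"):
            rule_id = int(rule.get("id"))
            own = []
            for g in rule.findall("group"):
                own.extend(split_groups(g.text))
            for name in inherited + own:
                index[name].add(rule_id)
    return {name: sorted(ids) for name, ids in index.items()}


def render_eventtypes(index, rule_field="rule_number"):
    """Render eventtypes.conf stanzas, one per group, selecting events by rule id.

    rule_field is an assumed field name (see the lead-in); the stanza name prefix
    ossec_ is just a convention chosen here to keep the generated names together.
    """
    stanzas = []
    for name in sorted(index):
        clause = " OR ".join("%s=%d" % (rule_field, rid) for rid in index[name])
        stanzas.append("[ossec_%s]\nsearch = eventtype=ossec (%s)\n" % (name, clause))
    return "\n".join(stanzas)


if __name__ == "__main__":
    print(render_eventtypes(rules_by_group(SAMPLE_RULES_XML)))
```

Pointed at a real rules directory the script would be run once per rules file and the output appended to the app's local eventtypes.conf; tags for each event type still need to be added by hand, as the reply above says. Generating the stanzas from rule ids rather than from text in the alert keeps the event types stable across changes to rule descriptions.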