Welcome to the SecurityisFutile blog

I welcome comments and suggestions, I take criticism very lightly (at least most of the time). My goal for this blog is to document various experiments and research projects I feel are both relevant and prominent in the field of computer security (or lack there of) and share my results and experiences with other fellow computer security enthusiests. Most of my topics are based soley on open source technology and methodology, mostly due to availability and cost. I believe that effective security measures help keep people honest with their technology, for the most part. Security is futile (usless) or at least it feels that way when an inspired opportunist comes around and exploits your weaknesses. With that being said I leave you with a quote of inspiration; There is no security on this earth, there is only opportunity.-- General Douglas MacArthur

Thursday, March 25, 2010

Splunk for OSSEC, theres an app for that!

Over the past couple of months I have invested a lot of time into researching and developing a suitable centralized security event management (SEM) solution for the enterprise, mostly powered by OSSEC and Splunk. Before today, I was using the default Splunk "Search" app with customized dash boards, reports and views as the front end UI to manage and monitor my OSSEC alerts. However, I still found myself wanting more features available to enrich my analytical capabilites when using Splunk to investigate my SEM data. So I turned to the Splunk community for answers.

When I started researching some of the applications found on http://splunkbase.com I was happy to see that Paul Southerington had recently posted/developed an app on the web site to support advanced parsing logic, saved searches, and dashboards for monitoring OSSEC alerts in Splunk. Now I use the add-on "Splunk for OSSEC" app to managed my OSSEC security alerts. And the best part...its FREE (one of my favorite words)! So yes folks, as Apple would say....theres an app for that!

How to set it up

The "Splunk for OSSEC" app was developed as an "add-on", such that you could install/extract the contents of the app ("ossec" directory) into the $SPLUNK_HOME/etc/apps directory so you could use the views/searches/reports globally within Splunk. However, I will walk through the process of setting this new app up under a new Splunk App, with private or restricted views (may require additional configuration changes to ensure the features of this app are isolated from all other Splunk apps you may have on your server).

(Follow at your own RISK!!!)

Requirements
  • Requires OSSEC HIDS/Agent already setup/configured
  • Requires working Splunk v4.0.XX server (recomend 4.0.7+)
  • Requires OSSEC syslog forwarding configured and talking to Splunk (see my sprevious blog postings for more details on how to set this up)
  • Enable data input specified in "Splunk for OSSEC" app "inputs.conf" (udp:10002 sourcetype:ossec)
Getting it working
  1. Download Splunk for OSSEC from splunk base website: http://www.splunkbase.com/apps/All/4.x/App/app:Splunk+for+OSSEC+%28Splunk+v4+version%29..must have a valid Splunk users account on splunk website
  2. Log into splunk
  3. Go to Manager > Apps
  4. Click on Create app...
  5. Enter in a name for the new app (example: OSSEC)
  6. Enter in a Label (optional) will display in top left of page as "splunk>(your label)" and is used to identify your new splunk app(Example: OSSEC Alert Manager)
  7. Enter in Author (option)
  8. Click "Yes" radio button to make app visible
  9. Enter in a Description (example: UI for monitoring OSSEC alerts)
  10. Select "barebones" as a Template
  11. Click --> Save
  12. Now open up a terminal shell window on the Splunk server
  13. Extract the "ossec.tgz" compressed archive in the Splunk apps directory, as root
  14. Command: # tar zxf ossec.tgz -C $HOME; cp -rf $HOME/ossec/* $SPLUNK_HOME/etc/apps/Name of Splunk App
  15. Restart Splunk!
  16. Generate some OSSEC alert data, either from one of your OSSEC agents or the OSSEC server itself
  17. Now go back over to your Splunk Web UI in your browser
  18. From the Launcher panel, or from the "App" drop down list(on top right hand side of page) find the Label name you gave your new app and click the name (example: OSSEC Alert Manager)
  19. Click on "Views", "Searches & Reports" and "Dashboards" to see the new add-on features for your new app
  20. Check out the splunkbase page for this new app for additional details and configuration options, like monitoring the status of your agents in a dashboard window...pretty neat!!
You may find that some of the features work and some don't. I am using Splunk v4.0.6 (even though this version is not recommended) and found that for the most part everything works. I am sure Paul Southerington put a good bit of TLC into this product and I give him a lot of credit for what he has done.
Fixing Known Issues
Question: Why don't the new searches for this app work?
Answer: For some reason, at least if you are using Splunk v4.0.6, the saved searches for the "Splunk for OSSEC" app did not work for my install. Here is what I did to get them to work properly:
* Note: (You may have to do this for each search you have....it can be a pain!)

  1. In Splunk, go to Manager --> Searches and reports
  2. Click on the search (example: OSSEC Rebuild OSSEC Server Lookup Table) that is not working
  3. Copy the search string (note the search name...you will need it for one of the steps below)
  4. Delete/Disable the search
  5. Go to your new apps search window (the app hosting "Splunk for OSSEC") by clicking on "Search" from the menu/header
  6. Paste the search string you copied in step 3 above
  7. Click on "All time" as your date range to search for
  8. If the search returned successful, save the search using the original name for that search (noted in step 3 above)
  9. assign the description, label name, time range and permissions appropriate for your setup
  10. Now try to access the stored search from within "Searches & Reports"
  11. Your search should work correctly now! You should ensure that the OSSEC - Rebuild OSSEC Server Lookup Table search is working correctly, other wise some of the views, searches and OSSEC dashboard features will not function correctly if the ".csv" file has not been populated with your OSSEC HIDS server host names.
Happy Spelunking!!!

6 comments:

  1. This is awesome - care to post on our community docs page? Link in the forums?

    Thanks!
    John Mark Walker
    Splunk Community Guy
    http://www.splunk.com/

    ReplyDelete
  2. John,

    Will do! Thanks for checking out my blog.

    ~Ray

    ReplyDelete
  3. Hi Ray - the hyperlink to the OSSEC app above points to a broken link... probably because the final end-parenthesis, which is part of the URL, is not included in your blog's hyperlink. Could you fix the link? Thanks!

    Justin Grant
    Splunkbase Guy
    http://splunkbase.com/

    ReplyDelete
  4. Justin,

    Fixed! Thanks for your help.

    ReplyDelete
  5. Do I need to setup syslog if OSSEC is installed on the same machine as Splunk?

    ReplyDelete
  6. Is your Splunk server configured as both your syslog server and your OSSEC HIDS, or are these functions split up across your architecture? If you are following the example in my blog, Syslog should be configured to audit what you need on your host, OSSEC should be configured to monitor and detect malicious activity in your log files and splunk should be configured to allow you to investigate your alerts.

    ReplyDelete