When I started researching some of the applications found on http://splunkbase.com I was happy to see that Paul Southerington had recently posted/developed an app on the web site to support advanced parsing logic, saved searches, and dashboards for monitoring OSSEC alerts in Splunk. Now I use the add-on "Splunk for OSSEC" app to managed my OSSEC security alerts. And the best part...its FREE (one of my favorite words)! So yes folks, as Apple would say....theres an app for that!
How to set it up
The "Splunk for OSSEC" app was developed as an "add-on", such that you could install/extract the contents of the app ("ossec" directory) into the $SPLUNK_HOME/etc/apps directory so you could use the views/searches/reports globally within Splunk. However, I will walk through the process of setting this new app up under a new Splunk App, with private or restricted views (may require additional configuration changes to ensure the features of this app are isolated from all other Splunk apps you may have on your server).
(Follow at your own RISK!!!)
- Requires OSSEC HIDS/Agent already setup/configured
- Requires working Splunk v4.0.XX server (recomend 4.0.7+)
- Requires OSSEC syslog forwarding configured and talking to Splunk (see my sprevious blog postings for more details on how to set this up)
- Enable data input specified in "Splunk for OSSEC" app "inputs.conf" (udp:10002 sourcetype:ossec)
- Download Splunk for OSSEC from splunk base website: http://www.splunkbase.com/apps/All/4.x/App/app:Splunk+for+OSSEC+%28Splunk+v4+version%29..must have a valid Splunk users account on splunk website
- Log into splunk
- Go to Manager > Apps
- Click on Create app...
- Enter in a name for the new app (example: OSSEC)
- Enter in a Label (optional) will display in top left of page as "splunk>(your label)" and is used to identify your new splunk app(Example: OSSEC Alert Manager)
- Enter in Author (option)
- Click "Yes" radio button to make app visible
- Enter in a Description (example: UI for monitoring OSSEC alerts)
- Select "barebones" as a Template
- Click --> Save
- Now open up a terminal shell window on the Splunk server
- Extract the "ossec.tgz" compressed archive in the Splunk apps directory, as root
- Command: # tar zxf ossec.tgz -C $HOME; cp -rf $HOME/ossec/* $SPLUNK_HOME/etc/apps/
Name of Splunk App
- Restart Splunk!
- Generate some OSSEC alert data, either from one of your OSSEC agents or the OSSEC server itself
- Now go back over to your Splunk Web UI in your browser
- From the Launcher panel, or from the "App" drop down list(on top right hand side of page) find the Label name you gave your new app and click the name (example: OSSEC Alert Manager)
- Click on "Views", "Searches & Reports" and "Dashboards" to see the new add-on features for your new app
- Check out the splunkbase page for this new app for additional details and configuration options, like monitoring the status of your agents in a dashboard window...pretty neat!!
Fixing Known IssuesQuestion: Why don't the new searches for this app work?
Answer: For some reason, at least if you are using Splunk v4.0.6, the saved searches for the "Splunk for OSSEC" app did not work for my install. Here is what I did to get them to work properly:
* Note: (You may have to do this for each search you have....it can be a pain!)
- In Splunk, go to Manager --> Searches and reports
- Click on the search (example: OSSEC Rebuild OSSEC Server Lookup Table) that is not working
- Copy the search string (note the search name...you will need it for one of the steps below)
- Delete/Disable the search
- Go to your new apps search window (the app hosting "Splunk for OSSEC") by clicking on "Search" from the menu/header
- Paste the search string you copied in step 3 above
- Click on "All time" as your date range to search for
- If the search returned successful, save the search using the original name for that search (noted in step 3 above)
- assign the description, label name, time range and permissions appropriate for your setup
- Now try to access the stored search from within "Searches & Reports"
- Your search should work correctly now! You should ensure that the OSSEC - Rebuild OSSEC Server Lookup Table search is working correctly, other wise some of the views, searches and OSSEC dashboard features will not function correctly if the ".csv" file has not been populated with your OSSEC HIDS server host names.