Monday, February 2, 2009

OSSEC and Splunk

Here's how I configured OSSEC to send alerts to Splunk:

In ossec.conf add a syslog_output block specifying your Splunk system IP address and the port your network input is listening on:

<syslog_output>
  <server>172.10.2.3</server>
  <port>10002</port>
</syslog_output>


Now you need to enable the syslog_output module and restart OSSEC:

# /var/ossec/bin/ossec-control enable client-syslog
# /var/ossec/bin/ossec-control restart

On restart you'll see ossec-csyslogd starting up. Now for the Splunk side.


You have a few options for receiving OSSEC alerts in Splunk. The two I've looked at are a standard Splunk network input and syslog-ng. I'd suggest syslog-ng with either the FIFO or file destination: that way, when you need to restart Splunk (which can be rather frequent), you won't lose events the way you would with a Splunk network input, since nothing is listening on the UDP port while Splunk is down. For simplicity, I'll just walk through the Splunk network input method here.

The easiest method is by adding this stanza to inputs.conf:

$SPLUNK_HOME/etc/system/local/inputs.conf

# Remote host is the IP address of the OSSEC server; the port matches <port> in syslog_output.
# Splunk .conf files only accept comments on their own line, not after a stanza header.
[udp://172.10.2.4:10002]
disabled = false
sourcetype = ossec

By setting the sourcetype to ossec you're ready to take advantage of the Splunk for OSSEC app, which will be available at Splunkbase shortly (http://www.splunkbase.com/).

Make sure you update any local or network firewalls that this communication is traversing and then restart Splunk.

# $SPLUNK_HOME/bin/splunk restart

Instead of editing inputs.conf by hand, you can also add the network input using Splunk Web or the Splunk CLI, as documented here: http://www.splunk.com/base/Documentation/3.4.5/admin/NetworkPorts
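To check that what arrives on the Splunk UDP input is really an OSSEC alert with the fields the app will want (level, rule, location, srcip, user, original log), here is a small parser for the text format ossec-csyslogd emits. This is an added example, not code from the post, from OSSEC or from Splunk; the field layout "Alert Level: N; Rule: N - desc; Location: loc; [srcip: x;] [user: y;] original log" is assumed from csyslogd's default output, and both sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed csyslogd text layout (PRI and timestamp come from the syslog wrapper):
#   <PRI>Mon DD HH:MM:SS host ossec: Alert Level: N; Rule: ID - desc; Location: loc;
#   [srcip: a.b.c.d;] [user: name;] <original log line>
ALERT_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) ossec: "
    r"Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule>\d+) - (?P<desc>.*?); "
    r"Location: (?P<location>.*?);"
    r"(?: srcip: (?P<srcip>[^;]+);)?"
    r"(?: user: (?P<user>[^;]+);)?"
    r"\s*(?P<log>.*)$"
)

@dataclass
class OssecAlert:
    host: str
    level: int
    rule: int
    description: str
    location: str
    srcip: Optional[str]
    user: Optional[str]
    log: str

def parse_alert(line: str) -> Optional[OssecAlert]:
    """Return the fields of one csyslogd alert line, or None if the line is not an OSSEC alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return OssecAlert(host=m["host"], level=int(m["level"]), rule=int(m["rule"]),
                      description=m["desc"], location=m["location"],
                      srcip=m["srcip"], user=m["user"], log=m["log"])

def alerts_at_or_above(lines: Iterable[str], min_level: int) -> List[OssecAlert]:
    """Keep only parsable alerts at or above an OSSEC level (non-alert lines are dropped)."""
    return [a for a in (parse_alert(l) for l in lines) if a is not None and a.level >= min_level]

# Constructed samples of what lands on udp://...:10002 (not real traffic).
SAMPLE_AUTH = ("<132>Feb  2 09:15:01 ossec-server ossec: Alert Level: 5; Rule: 5716 - SSHD authentication failed.; "
               "Location: (web01) 10.0.0.12->/var/log/auth.log; srcip: 192.0.2.44; user: admin; "
               "Feb  2 09:15:00 web01 sshd[2231]: Failed password for admin from 192.0.2.44 port 51022 ssh2")
SAMPLE_SYSTEM = ("<132>Feb  2 09:20:00 ossec-server ossec: Alert Level: 3; Rule: 502 - Ossec server started.; "
                 "Location: ossec-server->ossec-monitord; ossec: Ossec started.")
```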

If you have any tweaks or improvements to configuration or the Splunk for OSSEC app please let me know!