Here's how I configured OSSEC to send alerts to Splunk:
In ossec.conf add a syslog_output block specifying your Splunk system IP address and the port your network input is listening on:
<syslog_output>
<server>172.10.2.3</server>
<port>10002</port>
</syslog_output>
Now you need to enable the syslog_output module and restart OSSEC:
# /var/ossec/bin/ossec-control enable client-syslog
# /var/ossec/bin/ossec-control restart
On restart you'll see ossec-csyslogd starting up. Now for the Splunk side.
You have a few options for receiving OSSEC alerts. The two I've looked at are a standard Splunk network input and syslog-ng. I would suggest using syslog-ng with either the FIFO or the file destination method: that way, when you need to restart Splunk (which can be rather frequent), you won't lose events as you would with the Splunk network input. Here, for simplicity, I'll just walk through the Splunk network input method.
The easiest method is by adding this stanza to inputs.conf:
$SPLUNK_HOME/etc/system/local/inputs.conf
# 172.10.2.4 is the IP address of the OSSEC server (a trailing comment on the stanza line itself would break the header)
[udp://172.10.2.4:10002]
disabled = false
sourcetype = ossec
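The two snippets only work together if the port in syslog_output matches the Splunk UDP stanza and the stanza's host filter matches the OSSEC server. The following added check (my example, not part of the original post or of OSSEC/Splunk) parses both fragments, constructed inline from the values above, and reports any mismatch, including the inline-comment mistake on the stanza header.

```python
"""Cross-check an OSSEC syslog_output block against a Splunk [udp://...] input stanza."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the ossec.conf fragment from the post, wrapped in its root element.
OSSEC_CONF = """<ossec_config>
  <syslog_output>
    <server>172.10.2.3</server>
    <port>10002</port>
  </syslog_output>
</ossec_config>"""

# Constructed sample: the inputs.conf stanza from the post.
INPUTS_CONF = """[udp://172.10.2.4:10002]
disabled = false
sourcetype = ossec
"""

def parse_syslog_outputs(xml_text):
    """Return [(server, port)] for every <syslog_output>; OSSEC defaults the port to 514."""
    root = ET.fromstring(xml_text)
    return [(n.findtext("server", "").strip(), int(n.findtext("port", "514").strip()))
            for n in root.iter("syslog_output")]

# Stanza header: optional restricting host, mandatory port, nothing else on the line.
STANZA_RE = re.compile(r"^\[udp://(?:(?P<host>[^:\]]+):)?(?P<port>\d+)\]\s*$", re.M)

def parse_udp_inputs(conf_text):
    """Return [(restricting host or None, port)] for every well-formed [udp://...] stanza."""
    return [(m.group("host"), int(m.group("port"))) for m in STANZA_RE.finditer(conf_text)]

def check_pipeline(ossec_xml, inputs_conf, splunk_ip, ossec_ip):
    """Return a list of problems; an empty list means OSSEC and Splunk agree."""
    problems = []
    outs = parse_syslog_outputs(ossec_xml)
    ins = parse_udp_inputs(inputs_conf)
    if not outs:
        problems.append("no <syslog_output> block in ossec.conf")
    if not ins:
        problems.append("no well-formed [udp://...] stanza (an inline '#' comment breaks the header)")
    for server, port in outs:
        if server != splunk_ip:
            problems.append(f"syslog_output sends to {server}, not to the Splunk host {splunk_ip}")
        if all(p != port for _, p in ins):
            problems.append(f"Splunk has no UDP input listening on port {port}")
    for host, port in ins:
        if host not in (None, ossec_ip):
            problems.append(f"UDP input on {port} only accepts {host}, but OSSEC sends from {ossec_ip}")
    return problems
```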
By setting the sourcetype to ossec you're ready to take advantage of the Splunk for OSSEC app, which will be available on Splunkbase shortly (http://www.splunkbase.com/).
Make sure you update any local or network firewalls that this communication is traversing and then restart Splunk.
# $SPLUNK_HOME/bin/splunk restart
You can accomplish this using Splunk Web or Splunk CLI as documented here: http://www.splunk.com/base/Documentation/3.4.5/admin/NetworkPorts
If you have any tweaks or improvements to configuration or the Splunk for OSSEC app please let me know!