
Configuring Syslog Client or Syslog Server with OSSEC

Open Source Security (OSSEC) is a Host-Based Intrusion Detection System (HIDS) that enables efficient collection, analysis, and correlation of events across your entire infrastructure. It can be deployed on various endpoints, from network devices (e.g., routers, switches) to individual systems (e.g., servers, desktops, laptops).

Understanding the System Logging Protocol (Syslog)

Syslog is a protocol for collecting, packaging, and transmitting log data from a client to a server, typically a dedicated Syslog server. During consultations with customers, we often find that users are unaware OSSEC can act as both a Syslog client and a Syslog server.

This guide explains when to leverage this capability and how to extend your OSSEC deployment to maximize its potential.

Efficient Data Handling in Busy Networks

Using OSSEC as a Syslog client enables you to optimize data management across different networks while still harnessing OSSEC’s capabilities.

Example Scenario: Imagine you have two distinct networks, Zone 1 and Zone 2. Zone 1 is busy, handling over 10 million requests daily, likely from web servers, databases, and load balancers. In contrast, Zone 2 is quieter, comprising desktop/notebook clusters with just a few hundred requests daily.

Your goal is to centralize data collection for analysis. While a single Agent/Server setup could suffice, an alternative approach is to deploy two separate Agent/Server configurations, where one Manager reports to a Master.

Benefits of this configuration include:

  • Easier management of agents, allowing for device grouping.
  • Pre-parsing data locally to reduce noise and only forward relevant logs to the Master.
  • Centralized control across multiple networks.

In the example, Zone 1 could have its own Manager to collect, analyze, and correlate data independently of Zone 2. The Manager in Zone 1 would then forward processed data to the Master, ensuring efficient and accurate data handling.


Configuring OSSEC as a Syslog Client and Manager

Syslog Client Configuration

Any OSSEC deployment (Agent, Manager, or Hybrid) can act as a Syslog client, but only the Manager can function as a Syslog server. This distinction is crucial.

To convert an OSSEC installation into a Syslog client:

1 – Enable the Syslog client:

/var/ossec/bin/ossec-control enable client-syslog

2 – Update the OSSEC configuration file to specify the Syslog server:

vim /var/ossec/etc/ossec.conf

3 – Add the following configuration:

<syslog_output>
  <level>6</level>
  <server>[public IP of manager]</server>
  <port>1515</port>
</syslog_output>

Explanation of Attributes:

  • Level: The minimum alert level to forward; with a value of 6, alerts of level 6 and above are sent.
  • Server: Public IP address of the Master.
  • Port: Port to send data to (default for OSSEC is 1515).

This setup leverages OSSEC’s intelligence to filter alerts before forwarding them, reducing unnecessary network traffic.

4 – Restart OSSEC to apply changes:

/var/ossec/bin/ossec-control restart

5 – Verify data transmission using tcpdump:

tcpdump -i eth0 -nnn -s 0 -A udp port 1515

Syslog Server Configuration (OSSEC Manager)

To configure the Master OSSEC Manager to receive Syslog data:

1 – Edit the OSSEC configuration file:

vim /var/ossec/etc/ossec.conf

2 – Add a remote entry:

<remote>
  <connection>syslog</connection>
  <port>1515</port>
  <allowed-ips>[public IP of syslog client]</allowed-ips>
</remote>

Explanation of Attributes:

  • Connection: Specifies that the Manager expects Syslog data.
  • Port: Port to listen on (default is 1515).
  • Allowed-ips: List of source IP addresses permitted to send data. Because the syslog feed arrives over plain UDP (see the tcpdump check above), this list is the listener's only access control, so keep it as narrow as possible.

3 – Verify functionality by checking the logs:

grep syslog /var/ossec/logs/ossec.log

Example output:

2020/05/18 20:59:24 ossec-remoted: Remote syslog allowed from: '[public IP of syslog client]'
2020/05/18 20:59:30 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/syslog'

4 – Confirm connections using the agent control tool:

/var/ossec/bin/agent_control -lc

Example output:

List of syslog-based sources: ID: na, Name: [hostname]->[public IP], IP: [public IP], Syslog-based Active
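As an added example (not from this article or the OSSEC project), the following Python check reads both sides' ossec.conf fragments and confirms that the client's syslog_output port and source address line up with the Manager's syslog listener and its allowed-ips; the two fragments are constructed with placeholder addresses.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Constructed ossec.conf fragments in the shape of the article's snippets;
# the addresses are documentation ranges, not real hosts.
CLIENT_CONF = """<ossec_config><syslog_output>
  <level>6</level><server>203.0.113.10</server><port>1515</port>
</syslog_output></ossec_config>"""
MANAGER_CONF = """<ossec_config><remote><connection>syslog</connection>
  <port>1515</port><allowed-ips>198.51.100.7</allowed-ips>
  <allowed-ips>10.0.0.0/8</allowed-ips></remote></ossec_config>"""

def parse_conf(text):
    # A real ossec.conf can hold several <ossec_config> blocks, so wrap it in one root.
    return ET.fromstring("<root>" + text + "</root>")

def syslog_outputs(conf):
    """Client side: one dict per <syslog_output> block (port is required)."""
    return [{"level": int(n.findtext("level", "0")),
             "server": (n.findtext("server") or "").strip(),
             "port": int(n.findtext("port"))}
            for n in parse_conf(conf).iter("syslog_output")]

def syslog_listeners(conf):
    """Manager side: <remote> blocks with <connection>syslog</connection>.
    allowed-ips is read as an address or CIDR; OSSEC's bare-prefix form
    (e.g. 10.0.) is not handled here (assumption of this example)."""
    out = []
    for n in parse_conf(conf).iter("remote"):
        if (n.findtext("connection") or "").strip() == "syslog":
            out.append({"port": int(n.findtext("port")),
                        "allowed": [ipaddress.ip_network(a.text.strip(), strict=False)
                                    for a in n.findall("allowed-ips")]})
    return out

def check_pair(client_conf, manager_conf, client_ip):
    """Return the problems found; an empty list means the pair is consistent."""
    problems, src = [], ipaddress.ip_address(client_ip)
    outputs, listeners = syslog_outputs(client_conf), syslog_listeners(manager_conf)
    if not outputs:
        problems.append("client has no <syslog_output> block")
    for o in outputs:
        if not 0 <= o["level"] <= 15:  # OSSEC alert levels run from 0 to 15
            problems.append(f"level {o['level']} is outside 0-15")
        on_port = [l for l in listeners if l["port"] == o["port"]]
        if not on_port:
            problems.append(f"manager has no syslog listener on port {o['port']}")
        elif not any(src in net for l in on_port for net in l["allowed"]):
            problems.append(f"{client_ip} is not in allowed-ips for port {o['port']}")
    return problems
```

Run it with the public IP the client actually sends from, since that is the address the Manager's allowed-ips filter sees.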

OSSEC is a robust, open-source solution for collecting, aggregating, and analyzing event data. While it may not excel in aesthetics, its affordability, functionality, and low resource footprint make it a powerful tool for organizations aiming to enhance their security posture.

Updated on November 13, 2024