{"id":33,"date":"2014-09-23T18:34:33","date_gmt":"2014-09-23T16:34:33","guid":{"rendered":"http:\/\/www.underealm.com\/tech\/?p=33"},"modified":"2017-01-04T16:05:00","modified_gmt":"2017-01-04T15:05:00","slug":"ossec-splunk-installation","status":"publish","type":"post","link":"https:\/\/www.underealm.com\/tech\/2014\/09\/ossec-splunk-installation\/","title":{"rendered":"OSSEC Agent\/Server + Splunk installation"},"content":{"rendered":"<p><a href=\"http:\/\/tonyonsecurity.com\/2013\/03\/13\/ossec-for-website-security-part-i\/\">There is<\/a> <a href=\"http:\/\/ossec-docs.readthedocs.org\/en\/latest\/manual\/installation\/index.html\">a lot of<\/a> <a href=\"http:\/\/ossec-docs.readthedocs.org\/en\/latest\/manual\/installation\/install-source-unattended.html\">documentation<\/a> to be read about the installation of OSSEC, but it&#8217;s usually sparse and focused either on a single standalone host or on setups with hundreds of VMs. In this article we will walk through the steps needed to set up a small OSSEC installation, with the OSSEC agent running offsite on a web\/mail server and the OSSEC server running onsite. Additionally we will take a look at Splunk and install it on the OSSEC server machine, which will make it easier to manage bigger volumes of data later on.<\/p>\n<h5>Prerequisites<\/h5>\n<p>In order to compile and install OSSEC you will need <strong>build-essential<\/strong> on Ubuntu machines and <strong>MySQL\/PostgreSQL<\/strong> if you want database support. 
You can read more details about this <a href=\"http:\/\/ossec-docs.readthedocs.org\/en\/latest\/manual\/installation\/installation-requirements.html\">here<\/a>.<\/p>\n<h5>Agent\/Server installation<\/h5>\n<p>Installing the agent and the server is as easy as running the install script (after verifying its checksum) and answering a few questions. You should keep (most of) the defaults, since they are solid, and build on them afterwards.<\/p>\n<pre class=\"toolbar:2 nums:false\" title=\"OSSEC Agent Install on Ubuntu\" lang=\"cmd\"><code># wget http:\/\/www.ossec.net\/files\/ossec-hids-.tar.gz\r\n# wget http:\/\/www.ossec.net\/files\/ossec-hids--checksum.txt\r\n# cat ossec-hids-_checksum.txt\r\nMD5 (ossec-hids-.tar.gz) = MD5SUM\r\nSHA1 (ossec-hids-.tar.gz) = SHA1SUM\r\nMD5 (ossec-agent-.exe) = MD5SUM_EXE\r\nSHA1 (ossec-agent-.exe) = SHA1SUM_EXE\r\n\r\n# md5sum ossec-hids-.tar.gz\r\nMD5 (ossec-hids-.tar.gz) = MD5SUM\r\n# sha1sum ossec-hids-.tar.gz\r\nSHA1 (ossec-hids-.tar.gz) = SHA1SUM\r\n\r\n# tar -zxvf ossec-hids-*.tar.gz\r\n# cd ossec-hids-*\r\n# .\/install.sh<\/code><\/pre>\n<h5>Basic server\/agent configuration<\/h5>\n<p>After the server configuration, you will need to manage the agents. On the server you will use the <strong>manage_agents<\/strong> command to add the agents with their IDs, names and IP addresses.<\/p>\n<pre class=\"toolbar:2 nums:false\" lang=\"cmd\"><code>****************************************\r\n* OSSEC HIDS v2.8 Agent manager.       *\r\n* The following options are available: *\r\n****************************************\r\n   (A)dd an agent (A).\r\n   (E)xtract key for an agent (E).\r\n   (L)ist already added agents (L).\r\n   (R)emove an agent (R).\r\n   (Q)uit.\r\nChoose your action: A,E,L,R or Q:<\/code><\/pre>\n<p>After adding the agents on the server, you need to extract the key for each agent.<\/p>\n<pre class=\"toolbar:2 nums:false\" lang=\"cmd\"><code>Choose your action: A,E,L,R or Q: e\r\n\r\nAvailable agents:\r\n   ID: 001, Name: NAME, IP: IP\r\nProvide the ID of the agent to extract the key (or '\\q' to quit): 001\r\n\r\nAgent key information for '001' is:\r\nIMPORTANT_HASH<\/code><\/pre>\n<p>You now need to import that key on the agent, through <strong>manage_client<\/strong>.<\/p>\n<pre class=\"toolbar:2 nums:false\" lang=\"cmd\"><code>****************************************\r\n* OSSEC HIDS v2.8 Agent manager.       *\r\n* The following options are available: *\r\n****************************************\r\n   (I)mport key from the server (I).\r\n   (Q)uit.\r\nChoose your action: I or Q: i\r\n\r\n* Provide the Key generated by the server.\r\n* The best approach is to cut and paste it.\r\n*** OBS: Do not include spaces or new lines.\r\n\r\nPaste it here (or '\\q' to quit): IMPORTANT_HASH\r\n\r\nAgent information:\r\n   ID:001\r\n   Name:NAME\r\n   IP Address:IP\r\n\r\nConfirm adding it?(y\/n): y\r\nAdded.<\/code><\/pre>\n<p>If you have configured the firewall rules properly, allowing traffic to the server on <strong>UDP 1514<\/strong>, the agent and server should sync once they are restarted. If everything is working as expected you will find the ossec-agentd connection message in <strong>\/var\/ossec\/logs\/ossec.log<\/strong>: <em>ossec-agentd(4102): INFO: Connected to the server (hostname\/ipaddress:1514)<\/em>.<\/p>\n<h5>Adding global agent configurations<\/h5>\n<p>One of the smart features that extend the capability of OSSEC is the possibility to push configurations to the agents. 
Anyone who has managed a botnet knows how powerful this can be, and OSSEC is no exception. Let&#8217;s suppose we&#8217;re behind a static IP, say, 1.2.3.4: by logging in through SSH, moving files through FTP and changing configuration files around we would generate a lot of white noise, but we can fix that by adding a simple agent configuration on the server side:<\/p>\n<pre class=\"toolbar:1 show-lang:2\" title=\"\/var\/ossec\/etc\/shared\/agent.conf\" lang=\"xml\"><code><agent_config>\r\n  <global>\r\n    <white_list>1.2.3.4<\/white_list>\r\n  <\/global>\r\n<\/agent_config><\/code><\/pre>\n<p>After restarting the OSSEC processes the agent.conf will be pushed to the agents, and the IP should now be white-listed. This method also allows you to set <a href=\"http:\/\/ossec-docs.readthedocs.org\/en\/latest\/syntax\/head_agent_config.html\">specific rules for sets of agents<\/a>, by specifying the agent names to which each configuration applies.<\/p>\n<h5>Agent configuration: we need to go deeper<\/h5>\n<p>As explained <a href=\"http:\/\/tonyonsecurity.com\/2013\/03\/13\/ossec-for-website-security-part-i\/\">in this article<\/a>, stopping at the defaults is not good practice. The defaults cover the base scenarios, but not specific needs. Using multi-user hosting with per-site logging? You need to add those logs manually. Mail servers? Those too. Verbose MySQL logging, for some reason? That needs to be added too. 
That&#8217;s easily done by appending each log location and its format to either the agent&#8217;s ossec.conf or the server&#8217;s agent.conf, whichever suits your needs best:<\/p>\n<pre class=\"toolbar:1 show-lang:2\" title=\"\/var\/ossec\/etc\/ossec.conf\" lang=\"xml\"><code>  <localfile>\r\n    <log_format>syslog<\/log_format>\r\n    <location>\/var\/log\/dovecot.log<\/location>\r\n  <\/localfile>\r\n\r\n  <localfile>\r\n    <log_format>apache<\/log_format>\r\n    <location>\/var\/log\/domains-*.log<\/location>\r\n  <\/localfile><\/code><\/pre>\n<p>Remember that you can use either wildcards or strftime patterns in the log location, but not both together. Also there are <a href=\"http:\/\/ossec-docs.readthedocs.org\/en\/latest\/manual\/monitoring\/#element-location\">a few pitfalls<\/a> in using wildcards you should be aware of.<\/p>\n<h5>Tweaking the server for Splunk<\/h5>\n<p>At this point we have a working agent\/server configuration, but we want to push it a step further to make use of Splunk. Even though my setup has OSSEC and Splunk sharing the same machine, I chose a syslog client configuration, and the reason is simple: through the use of <a href=\"http:\/\/ossec-docs.readthedocs.org\/en\/latest\/syntax\/head_ossec_config.syslog_output.html?highlight=syslog_output#element-syslog_output\">syslog_output<\/a> I am able to control the granularity by raising or lowering the alert level as I see fit, while also being able to add a separate OSSEC server elsewhere without the need to reconfigure Splunk. It&#8217;s a win-win. The changes are to be made inside ossec.conf:<\/p>\n<pre class=\"toolbar:1 show-lang:2\" title=\"\/var\/ossec\/etc\/ossec.conf\" lang=\"xml\"><code>  <syslog_output>\r\n    <server>127.0.0.1<\/server>\r\n    <port>PORT_NUMBER<\/port>\r\n  <\/syslog_output><\/code><\/pre>\n<p>You should put the syslog_output block before the &lt;rules&gt; tag. 
This is all it takes to be ready for Splunk.<\/p>\n<h5>Where to start Splunking<\/h5>\n<p>Silly puns aside, we will need the <a href=\"http:\/\/www.splunk.com\/download\/\">Splunk software<\/a> and the <a href=\"https:\/\/apps.splunk.com\/app\/300\/\">Reporting and Management for OSSEC<\/a> app. Given my setup I downloaded the deb package on the server, and the app tgz on my workstation. The installation is as easy as running a few commands:<\/p>\n<pre lang=\"cmd\"><code># dpkg -i splunk---.deb\r\n# \/opt\/splunk\/bin\/splunk enable boot-start -user splunk<\/code><\/pre>\n<p>On an Ubuntu server this will install the required files and make Splunk start on boot as the <em>splunk<\/em> user. Before starting it, though, we need to make a change that will allow Splunk to receive information from OSSEC. The following stanza can be added to <strong>inputs.conf<\/strong> after the <strong>[default]<\/strong> section:<\/p>\n<pre class=\"toolbar:1\" title=\"\/opt\/splunk\/etc\/system\/default\/inputs.conf\" lang=\"ini\"><code>[udp:\/\/127.0.0.1:PORT_NUMBER]\r\ndisabled = false\r\nsourcetype = ossec<\/code><\/pre>\n<p>This will start the UDP listener, as per our mission. There are other input modes available if you choose not to use the syslog_output method, but I will not go into those for now; I will just leave you the <a href=\"https:\/\/apps.splunk.com\/app\/300\/#\/documentation\">app documentation<\/a> as a reference.<\/p>\n<p>At this point most of our work is done. Once the server is started (with <strong>service splunk start<\/strong> in my case) you can connect to it through its web interface, which should be up and running at <strong>http:\/\/ipaddress:8000\/<\/strong>. After logging in you can navigate to <strong>App &gt; Manage Apps\u2026<\/strong> and click <strong>Install app from file<\/strong>, selecting the app tgz we downloaded earlier. 
If everything has been done correctly, data should now be flowing, and a simple <strong>sourcetype=&quot;ossec&quot;<\/strong> search should return all the collected information.<\/p>\n<p>What to do with it, you ask? Well, that&#8217;s your job now \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There is a lot of documentation to be read about the installation of OSSEC, but it&#8217;s usually sparse and focused either on a local autonomous setup or on hundreds of VMs setups. In this article we will navigate through the necessary steps to set up a small OSSEC installation with the OSSEC agent running offsite [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[19,60,16,17,18,58],"class_list":["post-33","post","type-post","status-publish","format-standard","hentry","category-ossec","tag-installation-configuration","tag-ossec","tag-ossec-agent","tag-ossec-server","tag-splunk","tag-sysad"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/posts\/33"}],"collection":[{"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/comments?post=33"}],"version-history":[{"count":5,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/posts\/33\/revisions"}],"predecessor-version":[{"id":122,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/posts\/33\/revisions\/122"}],"wp:attachment":[{"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/media?parent=33"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/categories?post=33"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/tags?post=33"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}