As you know I’m a fan of Trend Micros free HIDS (Host Intrusion Detection System) OSSEC, and that after flirting with Splunk briefly we are now using Graylog for centralised logging.
The question. can we pull our OSSEC logs into Graylog? Course we can.
In previous versions of Graylog you need to install the CEF plugin, but as we are running the latest version, the CEF input plugin is included with the install.
So first let’s login to Graylog, and select inputs
Then from the drop down menu select “CEF UDP” then click “Launch new input”
Select your node from the drop-down menu and complete the other settings as shown. (Unless you already have something running on port 5555! In which case use a different port)
Save then start the input and check that it is running.
If you are running a firewall on the graylog server you will still need to open the port on the host firewall. If you are using ufw the command will be
sudo ufw allow 5555/udp
That’s it for the Graylog server, now over to our OSSEC master Server.
Basically all we need to do is configure OSSEC to forward a copy of it’s alerts to Graylog on the port we chose earlier.
First we cd to the correct location. (This is the default location)
cd /var/ossec/etc/
This directory contains the file we need so use nano to open it.
sudo nano ossec.conf
Then inside the following tags <ossec_config></ossec_config>
You insert the following new section (put the IP address of the Graylog server where it says “putyouriphere” although if you have DNS configured you can use its FQDN)
<syslog_output>
<server>putyouriphere</server>
<port>5555</port>
<format>cef</format>
</syslog_output>
Then we need to enable the OSSEC syslog subsystem which is not running by default.
First we need to move to the bin directory of the OSSEC install
cd /var/ossec/bin/
The execute the following command
./ossec-control enable client-syslog
Then restart OSSEC.
./ossec-control restart
If all is working you should see “csyslogd” start with the other processes
Started........ ....... Started ossec-csyslogd........ ....... ........
You can also check in
/var/ossec/logs/ossec.log
by running the following
tail -n 1000 /var/ossec/logs/ossec.log | grep csyslogd
and you should be able to see an INFO entry which shows a “Forwarding alerts” message.
If you have a firewall running and have not opened the port you may need an error.
In our case we are using ufw so would run the following.
sudo ufw allow 5555/udp
That’s it. Don’t forget depending on how you have OSSEC set up, you may not have any messages immediately. If you know what alerts you have configured then trigger one of them and then check Graylog.