Difference between revisions of "Monitoring a local file using OSSEC Integration"

From khika
Jump to navigation Jump to search
(Install an OSSEC Agent on the end node.)
(Configure the OSSEC Agent to monitor the local file)
Line 6: Line 6:
  
 
===  Configure the OSSEC Agent to monitor the local file ===
 
===  Configure the OSSEC Agent to monitor the local file ===
 +
Once the OSSEC agent is installed, you need to locate the file you want to monitor. In this example, we will monitor apache access logs created in the directory /path/of/apache/access/log and name of the file is access.log
 +
 +
# Login to OSSEC Agent node and open file ossec.conf. On Windows this file is located in C:\Program Files (x86)\ossec-agent directory . On Linux, you will find it at /vat/ossec/ossec-agent/etc directory. (if you have installed the agent in the default location)
 +
# Locate  section <localfile>. Note that ossec uses XLS formatting and hence you have to be careful enough not to disturb the other tag. Naviate just above "Rootcheck - Policy monitor config" tag and insert following section
 +
  <localfile>
 +
    <location>/path/of/apache/access/log/access.log</location>
 +
    <log_format>syslog</log_format>
 +
  </localfile>
 +
 
===  Parse the file using extensible KHIKA Adapter for OSSEC ===
 
===  Parse the file using extensible KHIKA Adapter for OSSEC ===
 
===  Set any enrichment rules (if any) ===
 
===  Set any enrichment rules (if any) ===

Revision as of 11:08, 3 June 2019

In addition to event logs or syslogs, a lot of local files are created by various applications. These files reside on the hosts/servers where applications run and contain wealth of information, valuable for both security and operational intelligence. The application logs are useful for debugging or capturing run time errors/exception or even business opportunities in production production environments. It is imperative to monitor local files for gaining actionable insights, real time alerting, correlations and forensic debugging.

KHIKA integrates closely with OSSEC to monitor application logs in real time. This section explains how to use OSSEC to monitor the application logs. We begin with broad level steps and then dive deep into each step so that we explain the methodology and the intricate details associated with it. At a broad level you perform following steps

Install an OSSEC Agent on the end node.

Please refer the appropriate section sections on Linux or Windows for installing the OSSEC Agent.

Configure the OSSEC Agent to monitor the local file

Once the OSSEC agent is installed, you need to locate the file you want to monitor. In this example, we will monitor apache access logs created in the directory /path/of/apache/access/log and name of the file is access.log

  1. Login to OSSEC Agent node and open file ossec.conf. On Windows this file is located in C:\Program Files (x86)\ossec-agent directory . On Linux, you will find it at /vat/ossec/ossec-agent/etc directory. (if you have installed the agent in the default location)
  2. Locate section <localfile>. Note that ossec uses XLS formatting and hence you have to be careful enough not to disturb the other tag. Naviate just above "Rootcheck - Policy monitor config" tag and insert following section
 <localfile>
   <location>/path/of/apache/access/log/access.log</location>
   <log_format>syslog</log_format>
 </localfile>

Parse the file using extensible KHIKA Adapter for OSSEC

Set any enrichment rules (if any)

Set the index in Elastic Search

Define alerts and dashboards

Define alerts and correlations