KHIKA supports OSSEC agent for monitoring servers (Windows, Linux, AIX, and Solaris). How to integrate KHIKA with OSSEC is mentioned in detail here. However this section is aimed at providing more information about OSSEC.
What is OSSEC?
OSSEC is a Host Based Intrusion detection system (HIDS). It is one of the most popular open source HIDS systems widely used and relied upon by security experts worldwide for many years. OSSEC uses an Agent-Server architecture where agents installed on end nodes to be monitored, collect logs/events of various types and relay it back to the server in a secure manner.
OSSEC offers four main features:
- File and Log monitoring: OSSEC agents can monitor files/logs and send all the log messages back to the server for analysis in a secure manner.
- File Integrity Checks: OSSEC agents perform periodic File Integrity checks on critical files and directories such as c:\windows\system32 on windows or /etc on Unix/Linux. Messages are sent back to the server when integrity checksums are modified / changed, during these periodic checks.
- Rootkit/Malware detection: The agents scan the systems for known malwares and messages are sent back to the server when Rootkits/Malwares are detected
- Scheduled Commands: OSSEC agent is capable of running scheduled commands on the node where it is installed. This mechanism helps in gathering critical information in periodic manner required for knowing server hardening posture and key metrics, such as CPU, memory, available disk etc
Why Khika integrates closely with OSSEC?
OSSEC readily provides a centralized and secured log collection mechanism. It also provides security alerting on the log data out-of-box, plus file integrity checks, rootkit detection etc. However, there is great need to store all the logs and alerts and make it searchable so that they are available when needed for forensic investigations or trouble shooting etc. Also, a lot of reporting, dashboarding and long term archival on the raw logs is required to meet the compliance requirements, such as PCI-DSS (or ISO 27001, HIPAA etc). Khika provides all these features out of the box and hence, integrating Khika with OSSEC makes a lot of sense.
Khika readily integrates with OSSEC by exploiting all the four OSSEC features explained above. One can achieve following things when Khika is integrated with OSSEC:
- The File and Log Monitoring feature of OSSEC can be used to collect the log data from several hundred servers at a central place, in a secure manner. A single Khika Adapter for OSSEC when pointed to the OSSEC server can easily consume all the incoming log data which is then available in Khika. All Khika features, such as searches, reporting, correlations and alerting etc can then be used on the collected log data. All the Khika Apps, such Khika for Active Directory, Khika for Windows, Khika for Unix Auditing, etc work readily on the data collected via OSSEC.
- Alert and correlation engine of KHIKA consumes the raw logs generated by OSSEC and creates meaningful, actionable alerts. The security reports and dashboards generated by Khika on raw OSSEC data provide valuable actionable intelligence to security experts and system administrators. Note that OSSEC Alerting is very basic and the raw events have to be processed by KHIKA’s Advanced Correlation and Alerting Engine.
This makes OSSEC + KHIKA a powerful Log Archival and SIEM system. It addresses many Compliance requirements such as critical sections PCI-DSS, many sections in SOX, HIPAA, ISO27001 etc.
Refer the next section for Installing OSSEC server in KHIKA