Friday, June 1, 2012


Besides the obvious must-have of the OSSEC package you downloaded, what other things do I need to extend OSSEC's capabilities?
  1. Graylog2 is an open source log management solution that stores your logs in Elasticsearch and provides a web-based GUI. It utilizes Logstash.
  2. Splunk can receive OSSEC alerts via syslog. There is a free version which allows you to index up to 500 megabytes of data per day and makes the data ready for query and correlation. Splunk for OSSEC is an app which offers parsing logic, saved searches, and dashboards. Here is a blog for the installation of OSSEC & Splunk.
  3. ELSA (Enterprise Log Search and Archive) is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web.
  4. OSSIM (Open Source SIEM) provides event collection, normalization, correlation and incident response. There is an OSSIM Tutorial: OSSEC Quick Start Guide.
  5. ArcSight integration help can be found in the blog post OSSEC Speaks ArcSight.
  6. AnaLogi (Analytical Log Interface) was built to sit on top of OSSEC (since OSSEC 2.6) and requires no modifications to OSSEC or the database schema that ships with OSSEC. AnaLogi requires a web server running PHP and MySQL. Remy van Elst blogged a nice tutorial which covers the basic installation of the OSSEC 2.8 server on Ubuntu 14.04, as well as OSSEC WebUI and the AnaLogi dashboard. Nice job!
  7. To uninstall OSSEC, check out the blog by Remy van Elst here.
