I've installed an OSSIM server and I want to retrieve the alerts generated by a remote Nagios server in order to analyze them and perform correlation of security events.

Before putting hands on it, I would like to know what the right approach is.

  • Do I need to configure Nagios so it forwards alerts to the OSSIM server? Is that possible?
  • Do I need to install an OSSEC agent on the machine where Nagios is running? If so, how do I have to configure OSSEC and Nagios?
  • Is there any other solution?

Thanks!

UPDATE:

It "almost" works, I can see that NAGIOS alerts are correctly forwarded through rsyslog, but OSSIM sees them as normal logs of syslog, so they are not treated with the NAGIOS plugin. Since I have to create an OSSIM rule in order to correlate NAGIOS alerts, I absolutely need to treat NAGIOS alerts with the NAGIOS plugin.

Here are a couple of possible solutions I came up with:

  • Developing a kind of plugin in order to read syslog logs, extract those logs coming from the remote NAGIOS and send them to OSSIM. How complex is developing a plugin for OSSIM?
  • Configuring OSSIM and replacing the "embedded" NAGIOS with the remote one. Is that possible? If so, how?
  • Configuring OSSIM so it can use two NAGIOS, the local one and the remote one. Is that possible? If so, how?
  • Pushing alerts of the remote NAGIOS to the local one, through the NSCA protocol. Would that work?
  • Creating a distributed (DNX) NAGIOS system and configuring the local NAGIOS as master and the remote one as slave. Would that work?

What do you guys think? Which one of these solutions will work? Do you guys have any better idea?

Thanks.

pAkY88

1 Answer

You can set up Nagios to log to syslog, and then configure it (e.g., rsyslog) to push events to OSSIM (which has rsyslog enabled to receive remote logs).

You might want to have OSSEC on the Nagios box anyway, but this is not necessary just to get events into OSSIM.

Keith
  • Hi Keith, thank you for your answer. Actually I've already configured NAGIOS to send logs to syslog and thanks to rsyslog, those logs are forwarded to the rsyslog daemon running on the same machine of OSSIM. I'm sure that it works correctly since by looking at the syslog log file I can see the alerts generated by NAGIOS. Unfortunately, I can't see the alerts in the OSSIM web interface. Why? What am I missing? Is there any additional configuration step to do? Thanks – pAkY88 Aug 09 '13 at 08:30
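The gap described in the update and the follow-up comment is that the forwarded lines arrive at OSSIM as generic syslog and are never normalized into Nagios events. OSSIM's agent plugins do that normalization with regular expressions over the raw log line, so the parsing logic is the part worth getting right first. The following is an added example, not OSSIM's plugin format or any project's code: a Python parser that takes rsyslog-forwarded lines, keeps only those whose syslog program tag is `nagios`, and splits the standard Nagios `SERVICE ALERT` and `HOST ALERT` record formats into fields. The sample lines, the sensor host name `nagios01`, and the `STATE_PRIORITY` values are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines, as rsyslog on the OSSIM box would write them after
# forwarding from a Nagios host named "nagios01". Not real captured data.
SAMPLE_LINES = [
    "Aug  9 08:30:01 nagios01 nagios: SERVICE ALERT: web01;HTTP;CRITICAL;HARD;3;Connection refused",
    "Aug  9 08:30:05 nagios01 nagios: HOST ALERT: db02;DOWN;SOFT;1;PING CRITICAL - Packet loss = 100%",
    "Aug  9 08:30:09 nagios01 nagios: SERVICE NOTIFICATION: admin;web01;HTTP;CRITICAL;notify-service-by-email;Connection refused",
    "Aug  9 08:30:12 nagios01 nagios: SERVICE ALERT: web01;HTTP;OK;HARD;1;HTTP OK: HTTP/1.1 200 OK",
    "Aug  9 08:30:15 nagios01 sshd[1234]: Accepted publickey for ops from 10.0.0.5 port 50022 ssh2",
    "Aug  9 08:30:20 nagios01 nagios: Caught SIGHUP, restarting...",
]

# Traditional BSD syslog layout: timestamp, host, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$"
)

# Nagios log record formats (semicolon separated):
#   SERVICE ALERT: host;service;state;state_type;attempt;output
#   HOST ALERT: host;state;state_type;attempt;output
SERVICE_ALERT_RE = re.compile(
    r"^SERVICE ALERT: (?P<host>[^;]+);(?P<service>[^;]+);(?P<state>[^;]+);"
    r"(?P<state_type>[^;]+);(?P<attempt>\d+);(?P<output>.*)$"
)
HOST_ALERT_RE = re.compile(
    r"^HOST ALERT: (?P<host>[^;]+);(?P<state>[^;]+);(?P<state_type>[^;]+);"
    r"(?P<attempt>\d+);(?P<output>.*)$"
)

# Illustrative priority per Nagios state (assumed values, not OSSIM's).
STATE_PRIORITY = {
    "OK": 1, "UP": 1, "UNKNOWN": 2, "WARNING": 3,
    "UNREACHABLE": 4, "CRITICAL": 5, "DOWN": 5,
}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a normalized event for a Nagios alert line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "nagios":
        return None  # not syslog, or traffic from some other program (sshd, etc.)
    base = {"timestamp": m.group("ts"), "sensor": m.group("host")}
    msg = m.group("msg")
    sm = SERVICE_ALERT_RE.match(msg)
    if sm:
        return {**base, "type": "service_alert", **sm.groupdict()}
    hm = HOST_ALERT_RE.match(msg)
    if hm:
        return {**base, "type": "host_alert", "service": None, **hm.groupdict()}
    return None  # notifications, daemon chatter, and anything unrecognized are dropped


def parse_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Parse a batch of syslog lines into Nagios events with numeric priority and attempt."""
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            ev["priority"] = STATE_PRIORITY.get(str(ev["state"]), 0)
            ev["attempt"] = int(str(ev["attempt"]))
            events.append(ev)
    return events


def hard_problems(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Keep only HARD non-OK/UP states: SOFT states are retries and recoveries are not problems."""
    return [e for e in events if e["state_type"] == "HARD" and e["state"] not in ("OK", "UP")]


if __name__ == "__main__":
    for ev in hard_problems(parse_lines(SAMPLE_LINES)):
        print(ev)
```

The filter on the program tag is what separates Nagios records from the rest of the host's syslog stream, which is exactly the distinction the update says OSSIM is not making on its own; the HARD/SOFT split matters for correlation because a SOFT state is a retry in progress, not a confirmed failure.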