I've installed an OSSIM server and I want to retrieve the alerts generated by a remote Nagios server in order to analyze them and perform correlation of security events.
Before putting hands on it, I would like to know what the right approach is.
- Do I need to configure Nagios so it forwards alerts to the OSSIM server? Is that possible?
- Do I need to install an OSSEC agent on the machine where Nagios is running? If so, how do I have to configure OSSEC and Nagios?
- Is there any other solution?
Thanks!
UPDATE:
It "almost" works: I can see that NAGIOS alerts are correctly forwarded through rsyslog, but OSSIM sees them as normal syslog logs, so they are not treated with the NAGIOS plugin. Since I have to create an OSSIM rule in order to correlate NAGIOS alerts, I absolutely need to treat NAGIOS alerts with the NAGIOS plugin.
Here are a couple of possible solutions I came up with:
- Developing a kind of plugin in order to read syslog logs, extract those logs coming from the remote NAGIOS and send them to OSSIM. How complex is developing a plugin for OSSIM?
- Configuring OSSIM and replacing the "embedded" NAGIOS with the remote one. Is that possible? If so, how?
- Configuring OSSIM so it can use two NAGIOS servers, the local one and the remote one. Is that possible? If so, how?
- Pushing alerts of the remote NAGIOS to the local one, through the NSCA protocol. Would that work?
- Creating a distributed (DNX) NAGIOS system and configuring the local NAGIOS as master and the remote one as slave. Would that work?
What do you guys think? Which one of these solutions will work? Do you guys have any better idea?
Thanks.
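As an added example (not part of the original post), here is a small Python filter that does the first step of the "read syslog logs and extract the remote NAGIOS alerts" option: it separates Nagios SERVICE/HOST ALERT lines from the rest of the forwarded syslog stream and splits them into the fields an OSSIM plugin would need to normalise them. The syslog line layout and the sample lines are constructed assumptions (the real layout depends on the rsyslog template in use).

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed rsyslog line layout: "<timestamp> <host> <program>[pid]: <message>".
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$'
)
# Nagios alert bodies: "SERVICE ALERT: host;service;state;type;attempt;output"
#                      "HOST ALERT: host;state;type;attempt;output"
ALERT_RE = re.compile(r'^(?P<kind>SERVICE|HOST) ALERT: (?P<body>.*)$')


@dataclass
class NagiosAlert:
    timestamp: str
    sensor: str          # syslog host that emitted the line (the remote Nagios)
    kind: str            # "SERVICE" or "HOST"
    host: str            # monitored host the alert is about
    service: Optional[str]
    state: str           # OK/WARNING/CRITICAL/UNKNOWN or UP/DOWN/UNREACHABLE
    state_type: str      # SOFT or HARD
    attempt: int
    output: str


def parse_nagios_alert(line: str) -> Optional[NagiosAlert]:
    """Return a NagiosAlert for a forwarded Nagios alert line, None for any other syslog line."""
    m = SYSLOG_RE.match(line)
    if not m or m.group('prog') != 'nagios':
        return None                      # not from the nagios daemon at all
    a = ALERT_RE.match(m.group('msg'))
    if not a:
        return None                      # nagios line that is not an alert (restart, notification, ...)
    kind = a.group('kind')
    fields = a.group('body').split(';', 5 if kind == 'SERVICE' else 4)
    if kind == 'SERVICE' and len(fields) == 6:
        host, service, state, state_type, attempt, output = fields
    elif kind == 'HOST' and len(fields) == 5:
        host, state, state_type, attempt, output = fields
        service = None
    else:
        return None                      # malformed body, leave it to the generic syslog path
    return NagiosAlert(m.group('ts'), m.group('host'), kind, host, service,
                       state, state_type, int(attempt), output)


def collect_alerts(lines: Iterable[str]) -> List[NagiosAlert]:
    """Keep only the lines that the Nagios-specific normaliser should handle."""
    return [a for a in map(parse_nagios_alert, lines) if a is not None]


# Constructed sample of a forwarded syslog stream: two Nagios alerts mixed with other lines.
SAMPLE_LOG = [
    "Mar  3 10:15:01 nagios01 nagios: SERVICE ALERT: web01;HTTP;CRITICAL;HARD;3;HTTP CRITICAL: HTTP/1.1 503 Service Unavailable",
    "Mar  3 10:15:02 nagios01 sshd[2201]: Accepted publickey for admin from 10.0.0.5 port 50214 ssh2",
    "Mar  3 10:15:09 nagios01 nagios: HOST ALERT: db01;DOWN;HARD;3;CRITICAL - Host Unreachable (db01)",
    "Mar  3 10:15:10 nagios01 nagios: Caught SIGHUP, restarting...",
]
```

Run `collect_alerts(SAMPLE_LOG)` to see that only the two ALERT lines survive, each with the host, state and attempt already split out.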