I am working on a log aggregation project and wanted to add some minor correlations/security intelligence to the mix.

Currently I have logs from ~400 servers coming into a syslog-ng box. I was looking into a few programs such as SEC (Simple Event Correlator), OSSEC, etc. to do this. For SEC, I could easily have the process tail the file(s) I am writing to and have it trip alerts off of it.

However I would have to build in a lot of custom rules and there wouldn't be a pretty GUI as there is with OSSEC.

So I was thinking of using OSSEC as a local install and instead of having it handle all of the agents, just have it tail the log file(s) and trip alerts.

My main fear is since I'm not using OSSEC's agent portion of it, it looks like the only agent is localhost and is therefore going to combine a lot of the traffic we see into 1 big alert. If I get login failures from server1 and server2, it will treat this as the same source and correlate it a lot faster than it would if it treated them as separate servers.

Is there any logic I can put into OSSEC to make this local/non agent config work with multiple server logs coming in, or would you recommend even trying?

Asked by Eric (edited by Gagantous)

2 Answers


Though I have some thoughts on this that I will type up later, you might also consider posting to the OSSEC mailing list, here, or possibly migrating this question to the IT Security SE site, here.

Josh Brower
    I did post it to the OSSEC website as well and got some pretty good information. That can be found here - https://groups.google.com/forum/#!topic/ossec-list/rKVyYB8i7Jc. – Eric Sep 18 '13 at 13:55

Some very quick ideas...

1) Logs from different servers are directed to different folders / files {Thus you limit your correlation to file level}

2) Put all the logs together, and attach to every log line the server name. Then using a regex you filter out the server and use it as the correlation field.

In addition, what's your daily traffic? Maybe you could have a look at either Splunk or Prelude ( https://www.prelude-ids.org/projects/prelude )

Nikolaidis Fotis
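The second idea above (keep every server's log in one stream, pull the originating hostname out with a regex, and correlate on it) is shown here as an added example; it is not code from this answer, from OSSEC or from syslog-ng. It is a small Python correlator that counts SSH password failures per originating host inside a sliding window and, for contrast, runs the same events the way the question fears a single local agent would see them, with every line attributed to "localhost". The syslog lines, the server names, the IP addresses and the threshold of 4 failures in 60 seconds are all constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in classic syslog layout: timestamp, originating host,
# program[pid], message. This is what a syslog-ng relay writes when the
# hostname of the sending server is kept in the line.
SAMPLE_LOGS = """\
Sep 18 13:50:01 server1 sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51022 ssh2
Sep 18 13:50:03 server1 sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51023 ssh2
Sep 18 13:50:05 server2 sshd[4410]: Failed password for root from 198.51.100.7 port 40010 ssh2
Sep 18 13:50:06 server1 sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51024 ssh2
Sep 18 13:50:08 server2 sshd[4410]: Failed password for root from 198.51.100.7 port 40011 ssh2
Sep 18 13:50:09 server2 sshd[4410]: Accepted publickey for deploy from 192.0.2.5 port 30000 ssh2
Sep 18 13:50:10 server1 sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51025 ssh2
Sep 18 13:50:12 server2 sshd[4410]: Failed password for root from 198.51.100.7 port 40012 ssh2
"""

# Header regex: the "host" group is the correlation field the answer talks about.
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$'
)
# Message regex for the one event type we correlate on.
FAILED_RE = re.compile(r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)')

LOG_YEAR = 2013  # syslog timestamps carry no year; assumed for the sample


def parse_line(line):
    """Split one syslog line into fields; returns None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S').replace(year=LOG_YEAR)
    ev = {'ts': ts, 'host': m.group('host'), 'prog': m.group('prog'),
          'msg': m.group('msg'), 'kind': 'other'}
    f = FAILED_RE.search(ev['msg'])
    if f:
        ev.update(kind='failed', user=f.group('user'), src=f.group('src'))
    return ev


def correlate(events, key_fn, threshold=4, window=timedelta(seconds=60)):
    """Sliding-window counter: fire an alert when `threshold` failures for the
    same key fall inside `window`, then reset that key so one burst gives one alert."""
    recent = defaultdict(list)
    alerts = []
    for ev in events:
        if ev is None or ev['kind'] != 'failed':
            continue
        key = key_fn(ev)
        cutoff = ev['ts'] - window
        bucket = [t for t in recent[key] if t >= cutoff] + [ev['ts']]
        if len(bucket) >= threshold:
            alerts.append({'key': key, 'count': len(bucket),
                           'first': bucket[0], 'last': bucket[-1]})
            bucket = []
        recent[key] = bucket
    return alerts


def load_events(text=SAMPLE_LOGS):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def per_host_alerts(text=SAMPLE_LOGS):
    """Correlate on the hostname extracted from each line (idea 2 in the answer)."""
    return correlate(load_events(text), key_fn=lambda e: e['host'])


def single_agent_alerts(text=SAMPLE_LOGS):
    """Same events with every line attributed to one local agent, which is the
    behaviour the question is worried about."""
    return correlate(load_events(text), key_fn=lambda e: 'localhost')


if __name__ == '__main__':
    for label, alerts in (('per host', per_host_alerts()), ('single agent', single_agent_alerts())):
        print(label)
        for a in alerts:
            print(f"  {a['key']}: {a['count']} failures between "
                  f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

On the sample, the per-host run fires once, for server1 at 13:50:10 (server2 only reaches three failures), while the single-agent run fires at 13:50:06 against "localhost" by mixing two servers' failures together. That is exactly the premature, mis-attributed alert the question describes, and the only difference between the two runs is which field is used as the correlation key.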