3

Quick n00b OSSIM question. I've looked around but haven't found exactly what I'm looking for. I currently have a Nagios, OSSEC, Nessus, and Snort server and I want to keep those servers active but just ship the logs to the OSSIM server and have it do the correlating and graphing. Can that be done? Everything I've seen is putting the various software functions actually on the OSSIM box but I don't want to do that. I'm running CentOS on all of the systems. Thanks.

chmeee
  • 7,270
  • 3
  • 29
  • 43

2 Answers

3

Nagios, OSSEC, Snort, and Nessus can all log to syslog, which you could then use to forward the logs to the OSSIM server. It should work fine once all the logs are arriving there.

Cian
  • 5,777
  • 1
  • 27
  • 40
  • I don't suppose you have ever done this and have a guide on how to. I am looking around now and have found a few things, but before I started I was just going to make sure you didn't know a good guide. Thanks for your help. – Aug 27 '09 at 14:26
  • Never set up OSSIM with it. I have set up some of the stuff to log through syslog-ng, and syslog-ng to forward their logs. Just used syslog-ng's docs at the time though. – Cian Aug 27 '09 at 15:04
2

Log Server

  1. vi /etc/sysconfig/syslog
     (enable remote connections by adding -r -x to the line SYSLOGD_OPTIONS="-m 0"; the result after the edit is SYSLOGD_OPTIONS="-m 0 -r -x")
  2. Have port 514 UDP open on the logging server's firewall to the IP of the source: vi /etc/sysconfig/iptables and add the line -A INPUT -p udp -m udp --dport 514 -j ACCEPT

On the Client (ships the logs to the log server)

  1. vi /etc/syslog.conf
  2. add a line to the end of the file: *.* @IP_OF_LOG_SERVER

Verify with a tail -f /var/log/messages on the logging server during a boot or reboot of the client.

Scott Pack
  • 14,717
  • 10
  • 51
  • 83
ForgeMan
  • 391
  • 1
  • 8
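The server and client steps in the answer above, as an added example that is not part of the answer: a POSIX shell script that applies each edit to a file path you pass in (so it can be tried on copies before touching /etc), with the iptables rule restricted to the source host as step 2 calls for. The CentOS sysklogd file layout, the 192.0.2.10 addresses and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the answer's own commands. Assumes the sysklogd-era
# CentOS layout described above (/etc/sysconfig/syslog, /etc/syslog.conf).

# Server step 1: add -r (accept remote messages) and -x (skip DNS lookups on
# sender addresses) to SYSLOGD_OPTIONS, keeping existing options, only once.
enable_remote_syslog() {
    file=$1
    if grep -q '^SYSLOGD_OPTIONS=".*-r' "$file"; then
        return 0   # already enabled, leave the file alone
    fi
    sed 's/^SYSLOGD_OPTIONS="\(.*\)"$/SYSLOGD_OPTIONS="\1 -r -x"/' "$file" \
        > "$file.tmp" && mv "$file.tmp" "$file"
}

# Server step 2: the iptables line for /etc/sysconfig/iptables, with -s so
# UDP 514 is open only to the one log source instead of to every host.
iptables_rule_for() {
    printf '%s\n' "-A INPUT -s $1 -p udp -m udp --dport 514 -j ACCEPT"
}

# Client step 2: forward every facility/priority (*.*) to the log server
# over UDP 514, appending the line only if it is not already present.
add_syslog_forward() {
    file=$1; server=$2
    grep -qF "*.* @$server" "$file" || printf '*.* @%s\n' "$server" >> "$file"
}

# Walk-through on constructed copies (sample content, not real config files).
demo() {
    d=$(mktemp -d)
    printf 'SYSLOGD_OPTIONS="-m 0"\n' > "$d/syslog"
    enable_remote_syslog "$d/syslog"
    enable_remote_syslog "$d/syslog"      # second run must not duplicate flags
    iptables_rule_for 192.0.2.10
    printf 'kern.*  /dev/console\n' > "$d/syslog.conf"
    add_syslog_forward "$d/syslog.conf" 192.0.2.20
    add_syslog_forward "$d/syslog.conf" 192.0.2.20
    cat "$d/syslog" "$d/syslog.conf"
    rm -rf "$d"
}
demo
```

After restarting syslogd on both hosts, the answer's tail -f /var/log/messages on the server is still the right way to confirm the client's messages arrive.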