dsvetlov / lightsiem Goto Github PK

Hi Folk,
I'm asking about what lightSIEM need (OS version, kernel version, applications, libs ..) . Is it work fine with CentOs 6.7, kernel version: 2.6.32-573.12.1.el6.x86_64 ?

Thanks

For ease of configuration will be good to parse BSD-style syslog (default for rsyslog) too.

When administrator change device configuration log record issued on device. It will be nice to display that kind of events on separate dashboard for tracking changes.

It seems, that alert level filed (Alert.Analyzer.Level.Normalized) is missed in snort logs. Anyway ALERT PER LEVEL block in kibana dashboards show only one big number for "Missed field" logs.

Snort alert full format can contain more detailed information about attack. It will be very useful to support it.. may be with logstash or logstash-forwarder on snort host.

Cisco ASA is great hardware firewalls. It'll be nice to see logs from ASA in kibana dashboards near snort.

Logstash have mail output.

I think it can be used for mailing about events or it combinations (correlation).

Events with alert level not display in EVENTS OVER TIME. because of query for that events not selected in timeline properties.

For lumberjack inputs properly working, we need to generate ssl cetificate for logstash in playbook.

Cisco router also have some firewall capabilities like Reflexive ACL. It will be good to parse it too.

Logstash can't parse strings from snort like this

<29>1 2015-03-30T23:33:24.619485+03:00 hw1 snort 31879 - - S5: Session exceeded configured max bytes to queue 1048576 using 1049536 bytes (client queue). 1.1.1.1 40830 --> 9.3.4.3 80 (0) : LWstate 0x1 LWFlags 0x402003

Where can I see configs of the services and utilities used?
I want to set up Lightsiem without Ansible.

Here article how to connect ossec to elasticsearch via ZeroMQ.
https://www.mehmetince.net/cyber-threat-monitoring-system-with-ossec-zeromq-logstash-elasticsearch-and-kibana/#!prettyPhoto

It may be used as alternative method for delivering OSSEC alerts in elasticsearch.

Now users can access dashboards only typing it's URL in browser. It's possible to load dashboard to elasticsearch, so it will be available in Kibana standard menu.

All field name nested in Alert.Source.Node.Geoip occupy two lines. Maybe will be better to rename to smoller string.

It's good to display events from perimeter IDS/IPS (like Snort) and firewalls(like Cisco ASA or Cisco router).

Seems that since our recent updates the fim.json dashboard is not displaying the file paths correctly from hybrid servers, the data appears to be there in the message field, but no "Alert.Target.File.Path field" is present.

This occurs if I change a file on a remote host via hybrid server or on a directly attached ossec agent.

I sometimes see issues with syslog message size errors (I couldn't find one to demonstrate, but I'll keep looking), if we eliminated syslog from the equation completely would this resolve this issue? Could there be other benefits of using json direct into ELK?

I found this : http://notes.is9.co/2015/02/18/ossec-json-elk/

I'm not sure how much it would help the project, just thought it was worth suggesting?

I am struggling to get the source IP to parse from the message, My aim of this is to then geo-locate the IP on a map so you can easily see to a view where traffic is originating from.

I have already enabled geo-location in OSSEC as per - http://blog.rootshell.be/2012/06/05/attackers-geolocation-in-ossec/ and the alerts.log now has a Src IP and Src Location in the alert messages.

I have previously got this working using the OSSEC + ELK VM provided by OSSEC, but can't get it working with LightSIEM... :(

FYI - I added this to logstash.conf on my OSSEC provided VM:

geoip {
  source => "Src_IP"
  target => "geoip"
  add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
  add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
}

Thanks,

Craig

Alerts of Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).' not pars correctly.

It is very useful for filtering events, if events 713050, 713259 will contain parsed peer IP.

When i start "ansible-playbook lightsiem-master/lightsiem-install.yml"
I have a next report:

PLAY [Install and configure Elasticsearch, Logstash, Kibana] ******************

TASK: [elk | Install packages] ************************************************
ok: [localhost] => (item=java,http://download.elastic.co/logstash/logstash/packages/centos/logstash-1.5.0-1.noarch.rpm,https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.4.4.noarch.rpm,epel-release,nodejs,unzip,npm)

TASK: [elk | Open port in firewalld for Logstash OSSEC input] *****************
failed: [localhost] => {"failed": true, "parsed": false}
BECOME-SUCCESS-rmnhowxxyowmvaqgqhmfzdynjkowobjn
failed=True msg='firewalld required for this module'

FATAL: all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
to retry, use: --limit @/root/lightsiem-install.retry

localhost : ok=1 changed=0 unreachable=0 failed=1

What does it meen? And how can i fix it?

OSSEC not sending results of integrity checks via syslog, Maybe it will be better to install one instance of Logstash with apropriate multyline patterns on OSSEC server or use logstash-forwarder.

Instead of Alert.Analyzer.Analyzer.Node.Name, which can be confusing to read at a glance, would it be suitable to highlight that this is a log which has arrived via hybrid box e.g. Alert.Analyzer.Hybrid.Node.Name?

And repeat for the other patterns...

Fresh installation of logstash brings patterns and templates to new places. We need to update playbook to reflect these changes.

Alerts of Rule: 596 (level 5) -> 'Registry Integrity Checksum Changed Again (3rd time)' not parse correctly.