dsvetlov / lightsiem
Lightweight and sexy Security Information and Event Management system for OSSEC, Snort and other IDS/IPS
Hi folks,
I'm asking what lightSIEM needs (OS version, kernel version, applications, libs ...). Does it work fine with CentOS 6.7, kernel version 2.6.32-573.12.1.el6.x86_64?
Thanks
For ease of configuration it would be good to parse BSD-style syslog (the default for rsyslog) too.
When an administrator changes a device configuration, a log record is issued on the device. It would be nice to display that kind of event on a separate dashboard for tracking changes.
It seems that the alert level field (Alert.Analyzer.Level.Normalized) is missing in Snort logs. Anyway, the ALERT PER LEVEL block in the Kibana dashboards shows only one big number for "Missed field" logs.
The Snort alert full format can contain more detailed information about an attack. It would be very useful to support it, maybe with Logstash or logstash-forwarder on the Snort host.
Cisco ASA is a great hardware firewall. It would be nice to see logs from ASA in the Kibana dashboards next to Snort.
Logstash has a mail output.
I think it can be used for mailing about events or combinations of them (correlation).
Events with an alert level are not displayed in EVENTS OVER TIME, because the query for those events is not selected in the timeline properties.
For lumberjack inputs to work properly, we need to generate an SSL certificate for Logstash in the playbook.
Cisco routers also have some firewall capabilities like Reflexive ACLs. It would be good to parse those too.
Logstash can't parse strings from Snort like this:
<29>1 2015-03-30T23:33:24.619485+03:00 hw1 snort 31879 - - S5: Session exceeded configured max bytes to queue 1048576 using 1049536 bytes (client queue). 1.1.1.1 40830 --> 9.3.4.3 80 (0) : LWstate 0x1 LWFlags 0x402003
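The two requests above (accept BSD-style syslog as well as the RFC 5424 form that Snort emitted here, and get something useful out of the stream5 "S5:" session line) can be checked outside Logstash with a small parser. The following is an added example written for this page, not code from the lightsiem project or its Logstash configuration; the BSD sample line is constructed for the demo, and the `Alert.Source.*` / `Alert.Target.*` output field names are assumptions modelled on the field names used elsewhere in these issues. In Logstash the same job would fall to grok's `SYSLOG5424LINE` and `SYSLOGLINE` patterns plus a custom pattern for the session part.

```python
import re

# Sample input. The first line is the Snort message quoted in the issue above;
# the second is a CONSTRUCTED BSD/RFC 3164 rendering of the same event, as
# rsyslog would emit it by default.
SNORT_RFC5424_LINE = (
    "<29>1 2015-03-30T23:33:24.619485+03:00 hw1 snort 31879 - - S5: Session "
    "exceeded configured max bytes to queue 1048576 using 1049536 bytes "
    "(client queue). 1.1.1.1 40830 --> 9.3.4.3 80 (0) : LWstate 0x1 LWFlags 0x402003"
)
SNORT_BSD_LINE = (
    "<29>Mar 30 23:33:24 hw1 snort[31879]: S5: Session exceeded configured max "
    "bytes to queue 1048576 using 1049536 bytes (client queue). "
    "1.1.1.1 40830 --> 9.3.4.3 80 (0) : LWstate 0x1 LWFlags 0x402003"
)

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d)\s+"
    r"(?P<timestamp>\S+)\s+(?P<host>\S+)\s+(?P<app>\S+)\s+"
    r"(?P<procid>\S+)\s+(?P<msgid>\S+)\s+"
    r"(?P<sd>-|(?:\[.*?\])+)\s*(?P<msg>.*)$"
)

# BSD / RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<app>[^\[:\s]+)(?:\[(?P<procid>\d+)\])?:\s*(?P<msg>.*)$"
)

# Snort stream5 session endpoints: "SRC SPORT --> DST DPORT (PROTO)"
S5_SESSION_RE = re.compile(
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<src_port>\d+)\s+-->\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst_port>\d+)"
    r"(?:\s+\((?P<proto>\d+)\))?"
)


def parse_syslog(line):
    """Parse either syslog flavour into one common dict; None if neither matches."""
    m = RFC5424_RE.match(line)
    fmt = "rfc5424"
    if not m:
        m = RFC3164_RE.match(line)
        fmt = "rfc3164"
    if not m:
        return None
    pri = int(m.group("pri"))
    procid = m.group("procid")
    if procid == "-":          # RFC 5424 uses "-" as the nil value
        procid = None
    return {
        "format": fmt,
        "facility": pri >> 3,  # PRI = facility * 8 + severity
        "severity": pri & 0x7,
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "app": m.group("app"),
        "procid": procid,
        "msg": m.group("msg"),
    }


def parse_snort_session(msg):
    """Extract the session endpoints from an S5 message; None if there are none."""
    m = S5_SESSION_RE.search(msg)
    if not m:
        return None
    return {
        "src_ip": m.group("src_ip"),
        "src_port": int(m.group("src_port")),
        "dst_ip": m.group("dst_ip"),
        "dst_port": int(m.group("dst_port")),
        "proto": int(m.group("proto")) if m.group("proto") is not None else None,
    }


def to_event(line):
    """Flatten a parsed line into dashboard-style fields (assumed field names)."""
    rec = parse_syslog(line)
    if rec is None:
        return None
    event = {
        "Alert.Analyzer.Node.Name": rec["host"],
        "Alert.Analyzer.Name": rec["app"],
        "Alert.Syslog.Severity": rec["severity"],
        "message": rec["msg"],
    }
    session = parse_snort_session(rec["msg"])
    if session:
        event["Alert.Source.Node.Address"] = session["src_ip"]
        event["Alert.Source.Service.Port"] = session["src_port"]
        event["Alert.Target.Node.Address"] = session["dst_ip"]
        event["Alert.Target.Service.Port"] = session["dst_port"]
    return event


if __name__ == "__main__":
    for line in (SNORT_RFC5424_LINE, SNORT_BSD_LINE):
        print(to_event(line))
```

Both sample lines produce the same source/target endpoints, which is the point: once the header formats are normalised into one record, the session-specific parsing only has to be written once, and lines without an endpoint pair simply keep their raw `message` field rather than failing the whole pipeline.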
Where can I see the configs of the services and utilities used?
I want to set up LightSIEM without Ansible.
Here is an article on how to connect OSSEC to Elasticsearch via ZeroMQ.
https://www.mehmetince.net/cyber-threat-monitoring-system-with-ossec-zeromq-logstash-elasticsearch-and-kibana/#!prettyPhoto
It may be used as an alternative method for delivering OSSEC alerts into Elasticsearch.
Now users can access dashboards only by typing their URL into the browser. It's possible to load a dashboard into Elasticsearch so that it will be available in the Kibana standard menu.
All field names nested in Alert.Source.Node.Geoip occupy two lines. Maybe it would be better to rename them to a shorter string.
It would be good to display events from perimeter IDS/IPS (like Snort) and firewalls (like Cisco ASA or a Cisco router).
It seems that since our recent updates the fim.json dashboard is not displaying the file paths correctly from hybrid servers; the data appears to be there in the message field, but no "Alert.Target.File.Path" field is present.
This occurs if I change a file on a remote host via a hybrid server or on a directly attached OSSEC agent.
I sometimes see issues with syslog message size errors (I couldn't find one to demonstrate, but I'll keep looking). If we eliminated syslog from the equation completely, would this resolve the issue? Could there be other benefits of sending JSON directly into ELK?
I found this: http://notes.is9.co/2015/02/18/ossec-json-elk/
I'm not sure how much it would help the project, just thought it was worth suggesting?
I am struggling to get the source IP to parse from the message. My aim is to then geo-locate the IP on a map so you can easily see where traffic is originating from.
I have already enabled geo-location in OSSEC as per http://blog.rootshell.be/2012/06/05/attackers-geolocation-in-ossec/ and the alerts.log now has a Src IP and Src Location in the alert messages.
I have previously got this working using the OSSEC + ELK VM provided by OSSEC, but can't get it working with LightSIEM... :(
FYI - I added this to logstash.conf on my OSSEC-provided VM:
geoip {
  source => "Src_IP"
  target => "geoip"
  add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
  add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
Thanks,
Craig
Alerts of Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).' are not parsed correctly.
It would be very useful for filtering events if events 713050 and 713259 contained the parsed peer IP.
When I start "ansible-playbook lightsiem-master/lightsiem-install.yml"
I get the following report:
PLAY [Install and configure Elasticsearch, Logstash, Kibana] ******************
TASK: [elk | Install packages] ************************************************
ok: [localhost] => (item=java,http://download.elastic.co/logstash/logstash/packages/centos/logstash-1.5.0-1.noarch.rpm,https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.4.4.noarch.rpm,epel-release,nodejs,unzip,npm)
TASK: [elk | Open port in firewalld for Logstash OSSEC input] *****************
failed: [localhost] => {"failed": true, "parsed": false}
BECOME-SUCCESS-rmnhowxxyowmvaqgqhmfzdynjkowobjn
failed=True msg='firewalld required for this module'
FATAL: all hosts have already failed -- aborting
PLAY RECAP ********************************************************************
to retry, use: --limit @/root/lightsiem-install.retry
localhost : ok=1 changed=0 unreachable=0 failed=1
What does it mean? And how can I fix it?
OSSEC is not sending the results of integrity checks via syslog. Maybe it would be better to install one instance of Logstash with appropriate multiline patterns on the OSSEC server, or to use logstash-forwarder.
Instead of Alert.Analyzer.Analyzer.Node.Name, which can be confusing to read at a glance, would it be suitable to highlight that this is a log which has arrived via a hybrid box, e.g. Alert.Analyzer.Hybrid.Node.Name?
And repeat for the other patterns...
A fresh installation of Logstash puts patterns and templates in new places. We need to update the playbook to reflect these changes.
Alerts of Rule: 596 (level 5) -> 'Registry Integrity Checksum Changed Again (3rd time)' are not parsed correctly.