This post explains the steps to enable both the OSSEC and SSH plugins in OSSIM.
First we enable the plugins.
1. Update the OSSIM configuration variables in /etc/ossim/ossim_setup.conf
- Add ossec and ssh to the 'detectors' list
2. Once the config is updated, apply it by running ossim-reconfig:
- ossim-reconfig -c -v -d
2.1 The plugin configs live under /etc/ossim/agent/plugins/ (the SSH plugin is /etc/ossim/agent/plugins/ssh.cfg). The plugin type and the log it reads are set in the [config] section, as below:
[config]
type=detector
enable=true
source=log
location=/var/log/auth.log
3. Then check that the ossim-agent process has the log files open, i.e. is actually reading them:
- lsof +d /var/ossec/logs/alerts/ | grep alerts.log
- lsof +d /var/log/ | grep auth.log
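Step 1 is the part that is easy to get wrong by hand (a duplicated or mis-spelled detector name). The script below is an added example, not from the original post or from AlienVault: it adds detector names to the detectors= line only if they are not already present, and refuses to run if the line is missing so it never appends a key into the wrong section. It assumes the detectors= key lives in the [sensor] section of ossim_setup.conf (the sample config is constructed for the demo); ossim-reconfig and the lsof checks from steps 2 and 3 are left as comments because they need a live OSSIM sensor.

```shell
#!/bin/bash
# Added example: idempotently enable OSSIM plugins in an ossim_setup.conf-style file.
# Assumption: the file has exactly one 'detectors=' line (in the [sensor] section).
set -eu

# detectors_enabled CONFIG -> prints the current comma-separated detectors= value
detectors_enabled() {
    sed -n 's/^detectors=//p' "$1" | head -n1
}

# enable_detectors CONFIG NAME... -> appends each NAME not already in detectors=,
# rewrites only that line, and prints the resulting value.
enable_detectors() {
    local cfg="$1"; shift
    local current new name
    if ! grep -q '^detectors=' "$cfg"; then
        echo "enable_detectors: no detectors= line in $cfg" >&2
        return 1
    fi
    current=$(detectors_enabled "$cfg")
    new="$current"
    for name in "$@"; do
        # Comma-delimit both sides so 'ssh' does not match e.g. 'openssh' or 'ssh-foo'.
        case ",$new," in
            *",$name,"*) ;;                  # already enabled, leave as is
            *) new="${new:+$new,}$name" ;;   # append; add a comma only if non-empty
        esac
    done
    # Replace the detectors= line in place; every other line is copied untouched.
    awk -v v="$new" '/^detectors=/ { print "detectors=" v; next } { print }' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    printf '%s\n' "$new"
}

# Demo on a constructed copy of the config (run as: ./enable_plugins.sh demo).
# On a real sensor you would point it at /etc/ossim/ossim_setup.conf and then run
#   ossim-reconfig -c -v -d
#   lsof +d /var/ossec/logs/alerts/ | grep alerts.log
#   lsof +d /var/log/ | grep auth.log
if [ "${1:-}" = "demo" ]; then
    demo_cfg=$(mktemp)
    printf '[sensor]\ndetectors=pam_unix,sudo\nip=192.168.1.10\n' > "$demo_cfg"
    echo "before: $(detectors_enabled "$demo_cfg")"
    echo "after:  $(enable_detectors "$demo_cfg" ossec ssh)"
    echo "again:  $(enable_detectors "$demo_cfg" ssh)"   # no duplicate added
    rm -f "$demo_cfg"
fi
```

Running it twice is safe, which matters if the step is scripted into provisioning; the second pass leaves the line exactly as the first pass wrote it.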
Let's test the plugins we enabled.
Try to log in over SSH with an incorrect password, and again with a non-existent user.
Tail the log files and you should see the failed attempts recorded in both:
- tail -f /var/log/auth.log
- tail -f /var/ossec/logs/alerts/alerts.log
These alerts can be found in the OSSIM GUI as well (Analysis --> Security Events).
Filter on the user name used for the test.
The event details can then be opened from the event list.
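The GUI filter above does on the normalised events what the following does on the raw auth.log: it picks out sshd "Failed password" lines, tells an invalid (non-existent) user apart from a bad password for an existing one, and counts the hits for a given user name. This is an added example, not from the original post; the auth.log lines are constructed to match the stock OpenSSH syslog format and are not captured from a real sensor.

```shell
#!/bin/bash
# Added example: filter failed SSH logins out of an auth.log and count them per user.
set -eu

# failed_ssh_logins LOGFILE -> one line per failure: KIND<TAB>USER<TAB>SOURCE_IP
# KIND is 'invalid_user' (account does not exist) or 'bad_password' (account exists).
failed_ssh_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
        user = ""; ip = ""; kind = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "for") {
                if ($(i+1) == "invalid" && $(i+2) == "user") {
                    kind = "invalid_user"; user = $(i+3)
                } else {
                    kind = "bad_password"; user = $(i+1)
                }
            }
            if ($i == "from") ip = $(i+1)
        }
        print kind "\t" user "\t" ip
    }' "$1"
}

# count_failures_for LOGFILE USER -> number of failed logins for exactly that user
count_failures_for() {
    failed_ssh_logins "$1" | awk -F'\t' -v u="$2" '$2 == u { n++ } END { print n + 0 }'
}

# Constructed sample log (not real data) in the format sshd writes to /var/log/auth.log.
sample_auth_log() {
    cat <<'EOF'
Mar  3 10:15:22 ossim sshd[2345]: Failed password for invalid user baduser from 192.168.1.50 port 51234 ssh2
Mar  3 10:15:30 ossim sshd[2345]: Failed password for root from 192.168.1.50 port 51234 ssh2
Mar  3 10:15:41 ossim sshd[2350]: Accepted password for admin from 192.168.1.20 port 50000 ssh2
Mar  3 10:16:02 ossim sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/ls
EOF
}

# Demo (run as: ./ssh_failures.sh demo). On a sensor, pass /var/log/auth.log instead.
if [ "${1:-}" = "demo" ]; then
    log=$(mktemp)
    sample_auth_log > "$log"
    failed_ssh_logins "$log"
    echo "failures for baduser: $(count_failures_for "$log" baduser)"
    rm -f "$log"
fi
```

The "invalid user" distinction is worth keeping when you review the events: a burst of invalid_user entries from one source is a user-name scan, while repeated bad_password entries for a real account is a targeted guess against it.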