Friday, May 27, 2016

Reading a custom log file from OSSIM

Let's write an OSSIM plugin that reads a custom log file. For this post the plugin is called 'hello' and it reads a log file called 'hello.log'.

Creating the plugin configuration file – hello.cfg

The cfg file has sections called [DEFAULT], [config], [translation] and one or more rule sections.

Plugin configuration files live in the directory below. Change into it and you will see all the existing OSSIM plugins:

/etc/ossim/agent/plugins

In the [DEFAULT] section add the plugin_id field (custom plugins use the range 9001 to 10000):
plugin_id=9002

Destination ip and port go here only if every event of the plugin shares one destination; for hello.log we do not need them:
dst_ip=\_CFG(plugin-defaults,sensor)
dst_port=22

In the [config] section set the type of the plugin and the location of the log file to read. For this post that is the mail-server-style log I am calling hello.log:
(/var/log/hello.log)

Create a new [translation] table for the hello log. It maps each keyword captured from the log line to the plugin_sid that event should get.

Adding custom log file

Make sure the custom log file that the plugin should read actually exists at the location given in the cfg.

For this post the log file is /var/log/hello.log

 

Create DB for hello plugin

The rows inserted here must match the [translation] table in the cfg.

First check the 'plugin' table for an existing row with id = 9002 (the id we are using); the id must be free. Do the same for plugin_id = 9002 in the 'plugin_sid' table.

Then insert below data to the tables

INSERT INTO plugin (id,type,name,description) VALUES (9002,1,'hello','Hello log reader');

Add each sid from the cfg [translation] table as a plugin_sid row (priority 3 and reliability 2 here):

INSERT INTO plugin_sid (plugin_id,sid,category_id,class_id,name,priority,reliability) VALUES (9002,1,NULL,NULL,'hello:HELO',3,2);

Tip

If you do not know the OSSIM MySQL user name and password, grep them from ossim_setup.conf:

grep ^pass= /etc/ossim/ossim_setup.conf
grep ^user= /etc/ossim/ossim_setup.conf

 

Before testing you have to enable the plugin we just created on the sensor. Please refer to my last post on OSSIM for that.

Make sure you have restarted OSSIM afterwards, so the agent picks up the new cfg and the server sees the new plugin rows.

 

Testing the hello plugin

Check that the OSSIM agent has our log file open:

lsof +d /var/log/ | grep hello.log

image

Let's check that our data source appears in the plugin menu.

image

Let's check that the new events from hello are showing in the web UI.

Analysis -> Security Events (SIEM)

Here is our 'Hello' data source; select it.

image

Let's check the hello log entries in the UI.

image

Here they are.

Now append a new record to the log file from the terminal as below (run it in /var/log, where hello.log lives):

sed -i '$ a\2016-05-27 09:10:16 220.247.242.83 36A42160 SMTPSVC1 MEE-PDC 192.168.1.23 0 MAIL - +FROM:+<madhuka@test.com> 230 0 45 65 0 SMTP - - - -' hello.log

Then tail the file to see that the record is there, and check the web UI again.

Here it is!

image
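As an added worked example (this is not the author's hello.cfg, which the post does not show, and not OSSIM's own code): a constructed hello.cfg in the OSSIM agent plugin format, together with a small Python simulator of how the agent applies a rule's regexp and the [translation] table to one log line. The regexp, the SMTP-verb-to-sid mapping and the userdata field choices are assumptions made for the IIS-SMTP-style line appended above; the simulator only mimics the agent's {$field} and {translate($field)} expansion so the cfg can be checked offline before the plugin is enabled.

```python
"""Added example, not from the original post: a constructed hello.cfg in
the OSSIM agent plugin format plus a small simulator of the agent's rule
matching, to check the cfg against a sample hello.log line offline."""
import configparser
import re

# Constructed hello.cfg. Section layout and {$field}/{translate($field)}
# placeholders follow the OSSIM agent plugin format; the regexp, the
# verb-to-sid mapping and the userdata choices are this example's own
# assumptions, not the author's file. Every sid the [translation] table
# can produce needs a plugin_sid row for plugin_id 9002 in the database.
HELLO_CFG = r"""
[DEFAULT]
plugin_id=9002

[config]
type=detector
enable=yes
source=log
location=/var/log/hello.log
create_file=false

[translation]
HELO=1
EHLO=1
MAIL=2
RCPT=3
DATA=4
QUIT=5
_DEFAULT_=9999

[hello - smtp command]
event_type=event
regexp=^(?P<date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})\s(?P<src_ip>\S+)\s(?P<session>\S+)\s(?P<service>\S+)\s(?P<host>\S+)\s(?P<dst_ip>\S+)\s(?P<dst_port>\d+)\s(?P<method>[A-Z]+)\s(?P<uri>\S+)\s(?P<query>\S+)\s(?P<status>\d+)
date={$date}
plugin_sid={translate($method)}
src_ip={$src_ip}
dst_ip={$dst_ip}
dst_port={$dst_port}
userdata1={$session}
userdata2={$query}
userdata3={$status}
"""

# The log line the post appends with sed (copied from the post).
SAMPLE_LINE = ("2016-05-27 09:10:16 220.247.242.83 36A42160 SMTPSVC1 MEE-PDC "
               "192.168.1.23 0 MAIL - +FROM:+<madhuka@test.com> 230 0 45 65 0 "
               "SMTP - - - -")

# {$name} -> captured group; {translate($name)} -> lookup in [translation].
PLACEHOLDER = re.compile(r"\{(?:\$(?P<var>\w+)|translate\(\$(?P<tvar>\w+)\))\}")


def load_plugin(cfg_text):
    """Parse a plugin cfg; interpolation off because values contain braces."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep HELO/MAIL keys case-sensitive like the agent
    cp.read_string(cfg_text)
    return cp


def rule_sections(cp):
    """Every section except [config] and [translation] is a rule
    ([DEFAULT] is not reported by sections())."""
    return [s for s in cp.sections() if s not in ("config", "translation")]


def expand(cp, template, fields):
    """Fill a rule value's placeholders from the regexp's named groups."""
    def sub(m):
        if m.group("var"):
            return fields.get(m.group("var"), "")
        keyword = fields.get(m.group("tvar"), "")
        if cp.has_option("translation", keyword):
            return cp.get("translation", keyword)
        return cp.get("translation", "_DEFAULT_", fallback="")
    return PLACEHOLDER.sub(sub, template)


def match_line(cp, line):
    """Return the event dict the agent would build for `line`, or None when
    no rule's regexp matches (the agent then produces no event)."""
    for section in rule_sections(cp):
        m = re.match(cp.get(section, "regexp"), line)
        if not m:
            continue
        event = {"plugin_id": cp.getint(section, "plugin_id")}
        for key, template in cp.items(section):  # includes [DEFAULT] keys
            if key in ("regexp", "plugin_id"):
                continue
            event[key] = expand(cp, template, m.groupdict())
        return event
    return None


def parse_sample():
    """Run the post's sample line through the constructed hello.cfg."""
    return match_line(load_plugin(HELLO_CFG), SAMPLE_LINE)
```

Two things this makes easy to check before restarting OSSIM: every sid the [translation] table can produce (here 1 to 5 and the 9999 fallback) needs a matching plugin_sid row for plugin_id 9002, or the event shows up in the SIEM without a name; and a line the regexp does not match yields no event at all, which is the usual reason a new plugin shows nothing under Analysis -> Security Events.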

2 comments:

  1. This comment has been removed by the author.

  2. Hello. I wonder about your plugin file 'hello.cfg' (more details). Please show it to me.