Sunday, September 16, 2012

OSSIM hands-on 6: Reading a log file with OSSEC agent

In this guided exercise we are going to configure the OSSEC agent, installed on a Windows system, to read logs from a file. This is useful when we need to collect data from an application that logs directly to a file.

For this purpose we have created a sample file in "C:\Users/Administrator/Desktop/test.txt" with the following first log line: "ourapplication: This is a test line".

1.- Configuring agent to read a file

a) Edit C:\Program Files (x86)\ossec-agent\ossec.conf
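b) Add the following settings
<localfile>
  <location>Path to the file</location> (be careful with slashes, format "C:\directory/file")
  <log_format>syslog</log_format> (assumed value: syslog is OSSEC's format for plain one-line-per-entry text logs)
</localfile>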
c) Restart ossec-agent service

2.- Test that the log line is sent to the server

a) Write the log line in the file and save
b) On the OSSEC server, check the file archives.log (the logall option needs to be set to "yes" in ossec.conf first)

3.- Create a new decoder at OSSEC server to parse the incoming log lines

a) At the server edit /var/ossec/etc/local_decoder.xml (same as decoder.xml but this one is not overwritten when updating the system)
b) Create a new decoder to parse the first part of the log message
<decoder name="ourapplication">
  <prematch>^ourapplication: </prematch>
</decoder>
c) Restart ossec
d) Run /var/ossec/bin/ossec-logtest and paste the log line
e) Check if it recognizes the decoder

4.- Create a new rule at ossec server to parse lines pre-parsed by the decoder

a) At the server edit /var/ossec/rules/local_rules.xml
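<group name="ourapplication">
  <rule id="99990" level="0">
    <decoded_as>ourapplication</decoded_as> <!-- fires for every line the ourapplication decoder matched -->
    <description>ourapplication is enabled</description>
  </rule>
  <rule id="99991" level="1">
    <if_sid>99990</if_sid> <!-- only evaluated after rule 99990 has matched -->
    <match>Brian</match>
    <description>Brian string found</description>
  </rule>
</group>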
b) Restart ossec
c) Run /var/ossec/bin/ossec-logtest and paste the log line (in our case "ourapplication: Brian says hello")
d) Check if it recognizes the rule

5.- Check that ossim-agent reads the alerts.log file and the event is processed by OSSIM

a) Check /var/ossec/logs/alerts/alerts.log
b) Check /var/log/ossim/agent.log
c) Check /var/log/ossim/server.log
d) Add 99991=7999 to the translation table of ossec.cfg (this is because that value is used for the plugin_id)
e) Insert new plugin_sid with value 99991 for ossec plugin:
INSERT IGNORE INTO plugin_sid(plugin_id, sid, category_id, class_id, reliability, priority, name) VALUES(7999, 99991, NULL, NULL, 1, 2, "ossec: our application_brian_rulematch");
f) Restart ossim-server
g) Generate new logs and look in the GUI for the results
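
A check for step 5, as an added example that is not part of the original post: it lists local OSSEC rules that can raise alerts but have no entry in the ossec.cfg translation table. The sample inputs are constructed, rule 99992 is hypothetical, and the `[translation]` section name and the function names are assumptions.

```python
import configparser
import xml.etree.ElementTree as ET

# Constructed sample of local_rules.xml (match conditions left out: only id,
# level and description matter here). Rule 99992 is hypothetical.
LOCAL_RULES = """
<group name="ourapplication">
  <rule id="99990" level="0"><description>ourapplication is enabled</description></rule>
  <rule id="99991" level="1"><description>Brian string found</description></rule>
  <rule id="99992" level="5"><description>hypothetical unmapped rule</description></rule>
</group>
"""

# Constructed excerpt of ossec.cfg; the [translation] section name is an assumption.
OSSEC_CFG = """
[translation]
99991=7999
"""

def alerting_rules(rules_xml):
    """Return {rule_id: description} for rules above level 0 (level 0 never alerts)."""
    # A rules file can hold several top-level <group> elements, so wrap it in one root.
    root = ET.fromstring("<root>" + rules_xml + "</root>")
    return {int(r.get("id")): r.findtext("description", "")
            for r in root.iter("rule") if int(r.get("level", "0")) > 0}

def translation_table(cfg_text):
    """Return the translation entries as {ossec_rule_id: mapped_value} strings."""
    # strict=False tolerates duplicate keys; interpolation=None keeps '%' literal.
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(cfg_text)
    return dict(parser["translation"]) if parser.has_section("translation") else {}

def unmapped_rules(rules_xml, cfg_text, plugin_id=7999):
    """Return (rule_id, suggested translation line) for alerting rules with no entry."""
    table = translation_table(cfg_text)
    return [(rid, f"{rid}={plugin_id}")
            for rid in sorted(alerting_rules(rules_xml)) if str(rid) not in table]

if __name__ == "__main__":
    for rid, line in unmapped_rules(LOCAL_RULES, OSSEC_CFG):
        print(f"rule {rid}: no translation entry, add '{line}' to ossec.cfg")
```

To run it against real files, pass the contents of /var/ossec/rules/local_rules.xml and ossec.cfg to `unmapped_rules` instead of the constructed strings.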

6.- Optionally we can also enable file integrity checking

a) On the Windows system, edit the ossec.conf file (C:\Program Files (x86)\ossec-agent\ossec.conf)
b) Under syscheck options change frequency to 30 seconds (how often the integrity check is going to run)
c) Include the log file we are monitoring
<directories check_all="yes">C:\Users/Administrator/Desktop/test.txt</directories>
d) Save and restart ossec-agent service
e) Check the ossec-agent logs in C:\Program Files (x86)\ossec-agent\ossec.log
f) Modify the file, delete it, create a new one with the same name
g) Check if new ossec alerts have been generated at ossec server
h) Check if there are new events related to this in the SIEM interface


  2. Excuse me, as for "Insert new plugin_sid with value 99991 for ossec plugin:"
    INSERT IGNORE INTO plugin_sid(plugin_id, sid, category_id, class_id, reliability, priority, name) VALUES(7999, 99991, NULL, NULL, 1, 2, "ossec: our application_brian_rulematch");

    Can you explain it in a more detailed way, please?