Santi 'Log


Collecting events with rsyslog
Tue, 08 Sep 2009

This article is a small how-to on collecting events for OSSIM using rsyslog. As an example, let's configure OSSIM to collect events from a Netscreen firewall.

OSSIM agent

  1. First of all we need to activate the plugin in /etc/ossim/agent/config.cfg by adding a new line to our plugins list. The line could look like this:
    netscreen=/etc/ossim/agent/plugins/netscreen-firewall.cfg
  2. Then we set the "location" variable in the config file of the plugin we want to use. In our case this file is /etc/ossim/agent/plugins/netscreen-firewall.cfg (the other plugin config files live in the same directory). For example, let's set it this way:
    location=/var/log/netscreen-firewall.log
  3. Once the other two steps are done, don't forget to restart the ossim-agent daemon so it loads the new configuration:
    /etc/init.d/ossim-agent restart
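The three agent-side steps above, as an added example that is not part of the article or of OSSIM itself. It applies them idempotently (re-running it never duplicates the plugin line) and assumes config.cfg is INI-style with its plugins listed under a [plugins] header; the default paths are the ones from the article, and passing other paths lets you try it on copies first.

```shell
#!/bin/sh
# Added example (not from the article or OSSIM): enable the netscreen plugin
# in the agent config and point it at its log file, without duplicating lines.

# add_to_section FILE SECTION LINE: put LINE into the "[SECTION]" block of an
# INI-style file (assumption: config.cfg keeps its plugins under [plugins]),
# unless an identical line is already present anywhere in the file.
add_to_section() {
    file=$1; section=$2; line=$3
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$line" "$file"; then
        return 0
    fi
    tmp=$(mktemp)
    awk -v hdr="[$section]" -v line="$line" '
        { print }
        $0 == hdr && !done { print line; done = 1 }   # insert right below the header
        END { if (!done) { print hdr; print line } }   # no such section: create it
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# set_key FILE KEY VALUE: replace an existing "KEY=..." line, or append one.
set_key() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^$key=" "$file"; then
        tmp=$(mktemp)
        sed "s|^$key=.*|$key=$value|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_key FILE KEY: print the value of the last "KEY=..." line (empty if absent).
get_key() {
    sed -n "s/^$2=//p" "$1" 2>/dev/null | tail -n 1
}

# enable_netscreen_plugin [AGENT_CFG] [PLUGIN_CFG] [LOGFILE]: steps 1 and 2.
enable_netscreen_plugin() {
    agent_cfg=${1:-/etc/ossim/agent/config.cfg}
    plugin_cfg=${2:-/etc/ossim/agent/plugins/netscreen-firewall.cfg}
    logfile=${3:-/var/log/netscreen-firewall.log}
    add_to_section "$agent_cfg" plugins "netscreen=$plugin_cfg"
    set_key "$plugin_cfg" location "$logfile"
}

# Run with "apply" to change the live files and restart the agent (step 3).
if [ "${1:-}" = apply ]; then
    enable_netscreen_plugin
    /etc/init.d/ossim-agent restart
fi
```

Run it as `sh enable-netscreen.sh apply` on the sensor; without the argument it only defines the functions, so you can source it and call `enable_netscreen_plugin` against copies of the two files to see the result before touching /etc.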

Rsyslog

Then it's time to go through the rsyslogd configuration.


  1. To enable logging from remote machines we have to edit /etc/default/syslogd and set the SYSLOGD variable to "-r". This line should be enough:
    SYSLOGD="-r"
  2. Then, to use the rsyslog v3 native interface (I am not sure whether this is needed, but just in case), set the RSYSLOGD_OPTIONS variable to "-c3" in the /etc/default/rsyslog file:
    RSYSLOGD_OPTIONS="-c3"
  3. Now let's edit the /etc/rsyslog.conf file. For our example I will add these lines at the beginning of the logging rules. Read the comments to see what each line does.
    # Line 1: Discard logs containing the string "action=Permit"
    # This is just tuning: these logs are useless for our security system (the traffic was accepted by the firewall policy)
    :msg, contains, "action=Permit" ~

    # Line 2: If coming from "netscreen_hostname" (as defined in /etc/hosts), write the logs to /var/log/netscreen-firewall.log
    # The "-" prefix means the file won't be synced after every log line (faster)
    :fromhost, isequal, "netscreen_hostname" -/var/log/netscreen-firewall.log

    # Line 3: Then discard all logs coming from "netscreen_hostname" so they won't be written to the system log files.
    :fromhost, isequal, "netscreen_hostname" ~

    #... standard logging rules should go right here ...

    If you need more help with the rsyslog.conf filter possibilities, see: http://www.rsyslog.com/doc-rsyslog_conf_filter.html


  4. At last we just need to restart the rsyslogd daemon:
    /etc/init.d/rsyslogd restart
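The rule block above, as an added example rather than code from the article: it renders the three rules for any firewall hostname and log file, then simulates on a few constructed messages where rsyslog would deliver each one under those rules, and finally checks netstat-style output for the UDP/514 listener mentioned below. The simulation makes one property of the rules visible that the comments do not spell out: line 1 matches on the message text only, so a message containing "action=Permit" is dropped whatever host it came from, not just the firewall. The netstat column layout the checker parses is an assumption about `netstat -lun` output; the sample messages are constructed.

```shell
#!/bin/sh
# Added example (not from the article): render the three rsyslog rules for a
# given host and file, simulate their effect, and look for a UDP/514 listener.

# netscreen_rules HOST LOGFILE: print the rule block to paste before the standard rules.
netscreen_rules() {
    host=$1; logfile=$2
    cat <<EOF
# Discard anything containing "action=Permit" (from any host, not only $host)
:msg, contains, "action=Permit" ~

# Write everything from $host to its own file; "-" skips the sync after each write
:fromhost, isequal, "$host" -$logfile

# Then discard it so it never reaches the standard system log rules below
:fromhost, isequal, "$host" ~
EOF
}

# simulate_rules HOST: read "host<TAB>message" lines on stdin and print, per line,
# where rsyslog would deliver it: "discarded", "netscreen-file" or "system-log".
# Rule order is the point: rule 1 runs before the host check and drops a matching
# message from any host; rule 2 writes the file and rule 3 then discards, so the
# firewall's messages never fall through to the standard rules.
simulate_rules() {
    awk -F '\t' -v fw="$1" '
        index($2, "action=Permit") > 0 { print "discarded"; next }
        $1 == fw                       { print "netscreen-file"; next }
                                       { print "system-log" }
    '
}

# demo_messages: constructed sample messages (not real firewall output).
demo_messages() {
    printf 'netscreen_hostname\tNetScreen device_id=fw [Root]system-notification-00257(traffic): action=Deny src=10.0.0.5 dst=192.0.2.1\n'
    printf 'netscreen_hostname\tNetScreen device_id=fw [Root]system-notification-00257(traffic): action=Permit src=10.0.0.5 dst=192.0.2.2\n'
    printf 'webserver\tsshd[1234]: Accepted publickey for admin from 10.0.0.9\n'
    printf 'webserver\tmyapp: request summary action=Permit user=admin\n'
}

# udp514_listening: read "netstat -lun" output on stdin; succeed (0) if a UDP
# socket is bound to port 514 on any address, fail (1) otherwise.
udp514_listening() {
    grep -E '^udp6?[[:space:]].*:514[[:space:]]' >/dev/null
}

# Run with "demo" to print the rendered rules and the simulation results.
if [ "${1:-}" = demo ]; then
    netscreen_rules netscreen_hostname /var/log/netscreen-firewall.log
    echo
    demo_messages | simulate_rules netscreen_hostname
fi
```

On the sensor itself, `netstat -lun | udp514_listening && echo listening` answers the "is it listening on 514?" question from the end of the post. If dropping every "action=Permit" message regardless of origin is not what you want, the simulation shows the fix: make line 1 a second condition on the firewall host rather than a global message filter.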

At this point rsyslogd should be listening on port 514 (the default one); you can check it with the netstat command. So, once we configure our device to send its logs to our OSSIM sensor, they should be collected and correlated.


As you can see this how-to is quite simple, but I hope it can help you with your configurations, or help me remember it if needed.


Regards.

posted at: 10:55 | path: /ossim/configs | permanent link to this entry | 0 comments |


