
CEF Events to OSSIM

karlalfaro11

Dear All,

I am a newbie with OSSIM and I was wondering if it supports CEF (Common Event Format) events.
We have some devices that send their logs through syslog/CEF; can OSSIM parse these events?

If that is not possible, is there a way to process these events? (custom 'plugins' perhaps?)

On the other hand, what is the standard way to integrate new devices with OSSIM? (As I said, I'm new to this SIEM.)

Thanks in advance,

Best regards,

Karl.


Answers

  • @karlalfaro11

    Yes, Alienvault supports the syslog format. You need to forward it to the log collection interface of Alienvault.
    You can create a custom plugin if you are good at Python regular expressions and SQL.
    There are two ways in which you can add a device to OSSIM. The first option is by CLI and the second option is by accessing the web UI.
    If you are trying to add a device for which Alienvault has a built-in plugin, then it's very easy.
    Connect the device, forward the logs to Alienvault and simply enable the plugin.
    If it's a switch, and you would like to add SPAN traffic, then simply connect the interface to the Network Monitoring interface of Alienvault.
    J4vv4D
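A parser for the CEF wire format the question asks about, as an added example that is not code from this thread or from OSSIM/Alienvault: it splits the seven pipe-delimited header fields and the key=value extension while honouring CEF's backslash escapes, which is the extraction step a custom plugin's regular expressions have to get right before any SQL mapping happens. The syslog line, its field values and the event name used in it are constructed for illustration.

```python
import re

# Constructed sample (not from the thread): a syslog line carrying a CEF record,
# with an escaped pipe in the header and escaped '=' and '\' in the extension.
SAMPLE = (
    "Oct 10 12:00:01 av-server CEF:0|Kaspersky|Security Center|10.0|"
    "GNRL_EV_VIRUS_FOUND|Malicious object \\| quarantined|8|"
    "rt=1570708801000 src=10.0.0.5 shost=ws01 "
    "cs1Label=Object cs1=C:\\\\Users\\\\bob\\\\eicar.com msg=EICAR test file\\=detected"
)

HEADER_KEYS = ("version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")
# An extension key is a run of key characters followed by '=' at a token start.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

def _unescape(value: str) -> str:
    # Extension escapes: '\=' -> '=', '\\' -> '\', '\n' and '\r' -> newline and CR.
    specials = {"n": "\n", "r": "\r"}
    return re.sub(r"\\(.)", lambda m: specials.get(m.group(1), m.group(1)), value)

def parse_cef(line: str) -> dict:
    """Return the seven header fields plus extension key/values of one CEF line."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    body = line[start + 4:]
    fields, cur, i = [], [], 0
    # Header: seven '|'-separated fields; only '\|' and '\\' are escapes here.
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 fields")
    record = dict(zip(HEADER_KEYS, fields))
    # Extension: values may contain spaces, so each value runs until the next
    # unescaped key= token; '\=' inside a value does not start a new key.
    ext = body[i:]
    matches = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        record[m.group(1)] = _unescape(ext[m.end():end])
    return record
```

Calling `parse_cef(SAMPLE)` yields the header as named fields (for instance `signature_id`, which is what a plugin would map to its event id) and each extension key as a separate entry.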
  • Hello! Please help me. Could you give examples of Kaspersky antivirus events in CEF format for the following event groups (one for each group):

    1) KLSRV_EVENT_HOSTS_NEW_DETECTED
    KLSRV_HOST_OUT_CONTROL
    KLSRV_INVISIBLE_HOSTS_REMOVED
    KLSRV_HOST_MOVED_WITH_RULE_EX
    KLSRV_HOST_STATUS_WARNING
    KLSRV_HOST_STATUS_CRITICAL

    2) KLSRV_EV_LICENSE_CHECK_90
    KLNAG_EV_DEVICE_ARRIVAL
    KLNAG_EV_INV_APP_INSTALLED
    KLNAG_EV_INV_APP_UNINSTALLED
    KLSRV_EV_SLAVE_SRV_CONNECTED
    KLAUD_EV_OBJECTMODIFY
    KLAUD_EV_SERVERCONNECT
    KLSRV_LICENSE_BLACKLISTED
    KLSRV_EV_SLAVE_SRV_DISCONNECTED
    KLPRCI_TaskState
    KLSRV_RUNTIME_ERROR
    KLNAG_EV_DEVICE_REMOVE
    KLNAG_EV_INV_CMPTR_APP_UNINSTALLED
    KLSRV_EV_LICENSE_CHECK_100_110
    KLNAG_EV_INV_CMPTR_APP_INSTALLED
    KLSRV_UPD_BASES_UPDATED
    KLAUD_EV_ADMGROUP_CHANGED

    3) GNRL_EV_SUSPICIOUS_OBJECT_FOUND
    GNRL_EV_WEB_URL_BLOCKED
    GNRL_EV_VIRUS_FOUND
    GNRL_EV_FULLSCAN_STATUS_NOTIFICATION
    GNRL_EV_OBJECT_DELETED
    GNRL_EV_PASSWD_ARCHIVE_FOUND