Anthony Reinke » ossec http://www.anthonyreinke.com Rambling Thoughts of a Random Mind Wed, 01 Feb 2012 22:03:42 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 RegEx with Splunk for OSSEC http://www.anthonyreinke.com/2009/07/30/regex-with-splunk-for-ossec/ http://www.anthonyreinke.com/2009/07/30/regex-with-splunk-for-ossec/#comments Fri, 31 Jul 2009 04:12:46 +0000 Anthony Reinke http://www.anthonyreinke.com/?p=75 Thanks to Michael Wilde for the information on RegEx in Splunk.  For those like me who aren’t the best at RegEx, I will show some of the regular expressions I am using for OSSEC.

Server Name
(?i) Location:s((?P<FIELDNAME>.*?))s

Windows Event User
(?i) USER: (?P<FIELDNAME>[^:]*);

Server IP
(?i)^[^)]*)s+(?P<FIELDNAME>[^-]*)-

Windows Events
(?i)^[^-]*-s+(?P<FIELDNAME>[^.]*).

LogInUser
(?i) Name: (?P<FIELDNAME>w+)

LogInDomain
(?i) Domain: (?P<FIELDNAME>[^ ]*)[ ]

******************************************************

Now, to add them…

Open your browser and login in to your Splunk server.  In the Search application, type sourcetype=”ossec”
Type Search ossec

or click on “ossec” in the Sourcetypes

Click Search ossec

You should see a bunch of data from the OSSEC server.  On the left of the main frame of the webpage, there should be a grey down arrow.  Clicking on this I get two options.  You want to select  Extract Fields.
Click Extract Fields

Here is where it gets fun.  Splunk included a graphical RegEx builder based on examples.  I ended up playing with this for a while.  Once you have found the expression you like, click on the Save button.
Click Save RegEx

Name your RegEx and click Save.
Save Field

Restart your Splunk server.
Once restarted, on the main search page, on the left sidebar click on Pick fields.
AddField

Here you can select the fields that will be displayed on the search page.
SelectFields

When you get back to the search page, you will notice the new fields.
Showing

]]> http://www.anthonyreinke.com/2009/07/30/regex-with-splunk-for-ossec/feed/ 0 OSSEC and Splunk http://www.anthonyreinke.com/2009/07/27/ossec-and-splunk/ http://www.anthonyreinke.com/2009/07/27/ossec-and-splunk/#comments Tue, 28 Jul 2009 01:55:54 +0000 Anthony Reinke http://www.anthonyreinke.com/?p=66 I have been playing with OSSEC and Splunk.  OSSEC is a Host based Intrusion Detection System (HIDS).  Splunk is a log archiving and searching system.  OSSEC is open source and is multiple platform.  You can run it on Linux/Unix and Windows.  I am using OSSEC to forward Windows Event Logs to Splunk.  Splunk makes the searching and correlation.  Splunk can do WMI.  This would be great since no agent would need to be installed.  The problems is that if you have more than 30-50 systems, the amount time and traffic would cause issues.  Using the OSSEC agent, I am able to push the event logs to the OSSEC server.  From there the OSSEC server will upload to the Splunk server via Syslog.

Right now I have the servers all talking but I do need to adjust a few things.  Right now Splunk sees all the hosts as the OSSEC server.  I believe I just need to tweak the fields.  The question is how.

Splunk
http://www.splunk.com

OSSEC
http://www.ossec.net

]]> http://www.anthonyreinke.com/2009/07/27/ossec-and-splunk/feed/ 1