Anthony Reinke Just getting a few things out of my head

31Aug/090

Monitoring the Filesystem with Splunk

I have used OSSEC in the past to watch the file system for changes.  When I found that I can have the Splunk agent handle the monitoring itself, I was pretty excited.  Since I would send my OSSEC data to Splunk anyways, it just seemed logical to have Splunk do everything.

In Windows, you need to edit the "c:\program files\Splunk\etc\system\local\inputs.conf" file.  Of course your path could be different if you installed it in a different place.  There are a lot of options and switches you can use.  I went for the simplest set.

[fschange:d:\temp\]
recurse=true
pollPeriod=3600

This will monitor the d:\temp\ folder and all files and folders under it.  It will check the system every 3600 seconds (1 hour).

This has helped me keep track of the changes in my servers.  I can see when a file was add/deleted/changed (due to the hash) and then look at who was logged in during the period that the file was changed.

Splunk File Delete

Splunk article on the switches and FSCHANGE.
http://www.splunk.com/base/Documentation/4.0.3/Admin/Monitorchangestoyourfilesystem

[fschange:d:\temp\]
recurse=true
followLinks=false
pollPeriod=60
Tagged as: , , , , , , , No Comments
27Jul/091

OSSEC and Splunk

I have been playing with OSSEC and Splunk.  OSSEC is a Host based Intrusion Detection System (HIDS).  Splunk is a log archiving and searching system.  OSSEC is open source and is multiple platform.  You can run it on Linux/Unix and Windows.  I am using OSSEC to forward Windows Event Logs to Splunk.  Splunk makes the searching and correlation.  Splunk can do WMI.  This would be great since no agent would need to be installed.  The problems is that if you have more than 30-50 systems, the amount time and traffic would cause issues.  Using the OSSEC agent, I am able to push the event logs to the OSSEC server.  From there the OSSEC server will upload to the Splunk server via Syslog.

Right now I have the servers all talking but I do need to adjust a few things.  Right now Splunk sees all the hosts as the OSSEC server.  I believe I just need to tweak the fields.  The question is how.

Splunk
http://www.splunk.com

OSSEC
http://www.ossec.net

Tagged as: , , , , , , , , 1 Comment
   

Archives

Tags

administrator blog chat clever cmd coach command prompt computer create daily delete desktop drink energy energy drink esxi event firefox first page hack hello help id idea ids linux new ossec practice report security server splunk start system ted user vent video website windows witulski wordpress work wrestling

Begging for money

Search & Win