OSSEC (Wazuh) and ELK as a unified security information and event management system (SIEM).

https://medium.com/devoops-and-universe/ossec-and-elk-as-an-unified-security-information-and-event-management-system-siem-bcc5f310a733

Prehistory: One of our customers was significantly impressed when he discovered AlienVault and calmed down just a little bit later after he came across their pricing. So the question “Can you, guys, find something out, so I will have more-or-less the same system but a bit lower price” was raised.

Is there anything impossible for universal soldiers? Not at all! OSSEC has been chosen as a Host-based Intrusion Detection System, so as the client wanted to save some money, open-source free tools are perfectly fit. When it came to storing data and generating visualization the first idea was to use ELK stack, just because I had an idea how it works and how to set it up (see my previous article).

OSSEC is a free, open-source host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkitdetection, time-based alerting, and active response. It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, OS X, Solaris and Windows. OSSEC has a centralized, cross-platform architecture allowing multiple systems to be easily monitored and managed.

After a little research I came across Wazuh, that is OSSEC fork, with an extended functionality, including integration with ELK stack.

The mentioned scheme can be implemented on a single host, but I wanted to somehow secure myself and break a single host limit. So in a matter of high availability and data replication I decided to use Wazuh recommended deployment when using four different hosts (which includes a 3 nodes Elasticsearch cluster):

As every other installation (deployment) this time was not an exception and my way was a way of ups and downs.

Downs

Even though in Wazuh documentation they use previous versions of ELK components for integration with OSSEC I decided to use newest ones. And guess what? Right, I kinda failed. Wazuh didn’t work with ELK 5.1.1, and therefore, after I found last comment in this GitHub issue I gave up, rolled back changes and installed an older version.

Wazuh has a pretty good documentation and I definitely appreciate their work. But, be careful here. They use “master” branch on GitHub to store non-production versions. And to be honest I don’t really like that, I was a bit confused when cloned their repository and could not find files mentioned in the installation guides. You have to switch to branch “stable” and use content of that branch instead, Wazuh team mentioned this, but it’s something that you can easily miss, so just keep in mind.

Installation

System is built on 4 host machines running Ubuntu 16.04 in AWS

  • Host 1: OSSEC Manager + Logstash Forwarder
  • Host 2: Logstash Server + Elasticsearch Node 1 + Kibana
  • Host 3: Elasticsearch Node 2
  • Host 4: Elasticsearch Node 3

Java 8 JRE

Is required by Logstash and Elasticsearch, so first step is to install Java on Host 2, Host 3, Host 4.

$ sudo add-apt-repository ppa:webupd8team/java
$ sudo apt-get update
$ sudo apt-get install oracle-java8-installer

Logstash

To be installed on Host 2, carefully follow this installation manual and try not to miss anything. In this step you should have copy of Wazuh repo in ~/ossec_tmp/ on Host 2.

  • Install Logstash
  • Install Logstash Forwarder on Host 1 (nowdays replaces with Filebeat)
  • Configure Logstash to read the incoming data (sent by Logstash forwarder) from port 5000/udp (remember to open your firewall to accept this traffic). Primary logstash config is “01-ossec.conf” must be copied from ~/ossec_tmp/wazuh/extensions/logstash/ to /etc/logstash/conf.d/.
  • OPTIONALLY: In my setup the customer wanted to have CloudTrail logs in ELK as well. And we already know how to do that, (see my previous article). So second config file should also be created in /etc/logstash/conf.d/, you can use this example. Also, install CloudTrail codec plugin on Logstash Server.
  • Generate SSL certificate and make required configuration on Logstash server and Logstash forwarder
  • Copy the Elasticsearch custom mapping from the extensions folder to the Logstash folder
  • Download and install GeoLiteCity from the Maxmind website. It looks awesome in Kibana vizualizations 🙂

Elasticsearch

Install this component on Host 2, 3, 4. I’m not going to deep in details here, just follow documentation of Wazuh website. At the end we will have an Elasticsearch cluster with 3 nodes. Final step will be to import OSSEC alerts template into Elasticsearch cluster.

Kibana

Kibana Installation and configuration is described here. You will have to:

  • Install Kibana
  • Configure Kibana
  • Create OSSEC index
  • Import OSSEC dashboards and visualizations.
  • Configure secure connection to Kibana interface with SSL Certificate and HTTP Authentication.

Wazuh HIDS

Install OSSEC manager according to this installation manual. It’s time to add your first OSSEC agent, well, not really, first agent is an OSSEC manager itself, but the second will be our Windows agent. And I will describe the agent adding process in details:

Adding OSSEC agents

First make sure UDP port 1514 is open between node, on which you are going to install the agent and your OSSEC manager.

  • Install the agent using all recommended settings
  • Once installed, OSSEC Agent Manager window will show up.
  • Enter IP address of OSSEC manager and save changes
  • Now you need to import Auth key, that needs to be generated on your OSSEC manager (Host 1). And first you have to add the agent on server.
# cd /var/ossec/bin
# ./manage_agents
****************************************
* OSSEC HIDS v2.8 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: A
- Adding a new agent (use '\q' to return to the main menu).
  Please provide the following:
   * A name for the new agent:WIN01
   * The IP Address of the new agent: 10.0.0.100
   * An ID for the new agent[003]:
Agent information:
   ID:003
   Name:WIN01
   IP Address:10.0.0.100
Confirm adding it?(y/n): y
Agent added with ID 003.
  • Extract auth key for your agent on server:
****************************************
* OSSEC HIDS v2.8 Agent manager.     *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: E
Available agents:
   ID: 003, Name: WIN01, IP: 10.0.0.100
Provide the ID of the agent to extract the key (or '\q' to quit): 003
Agent key information for '003' is:
MDAzIFdJTjAxIDEwLjAuMC4xMDAgYjU1ZDBhasWDdaaWdQxMTFhYTg2NGJiYzFhNGFlNWE1YzNhOTdkNzEahwdilahwWIDHAWDlZQ==
** Press ENTER to return to the main menu.
  • Now we have a key, we were looking for, copy this key and paste it to OSSEC Agent Manager dialog box on your Windows machine, confirm agent adding:
  • The agent won’t start automatically, so you will have to open system services and start OSSEC HIDS service:

All done, you just added your first agent. If you go to management server and check status, the newly added agent should be available. Running command list_agents with parameter “-c” will only list connected agents.

# ./list_agents -c
win1-10.0.0.100 is active.

And now my favorite part, remember we’ve imported visualizations to Kibana? It’s time to sneak a peek!

Let’s browse our visualizations, some examples:

PCI Compliance
OSSEC Alerts
OSSEC Alerts
CIS Compliance
CIS Compliance

And a little bit of off-topic: simple CloudTrail data visualization:

CloudTrail

Btw, you can integrate OCCES with AWS CloudTrail, by turning CloudTrail data into an OSSEC alerts. Here is an example of what you should do and what result to expect.

Looks like now we have, what we were trying to accomplish. And it’s a working SIEM system that provides file integrity monitoring, log monitoring, rootcheck, process monitoring, gathering of compliance data, take event data and turn it into informational charts to assist in seeing patterns.

I would like to thank Wazuh team for making such solution possible and looking forward for a release, with support of integration with ELK 5.1.1 to give it a try and continue series of my articles.