OSSEC is the leading open-source host-based intrusion detection system (HIDS) software on the market today. OSSEC performs log analysis, integrity checking, Windows registry monitoring, and much more. It is setup in a server client configuration that can be installed and setup from simple scripts within minutes.

OSSEC offers an open-source web user interface (Web UI) that is very basic and not very customizable. To change this, companies started to integrate with Elasticsearch, Logstash, and Kibana (ELK Stack) giving users more freedom to customize dashboards and find the data they needed faster. This integration has been lead by the open-source project from the team over at Wazuh. They have made a customized version of OSSEC that is configured to automatically integrate with the ELK Stack which also includes some custom OSSEC rules that helps you monitor your systems in regards to PCI and CIS compliance.

This post will guide you through the process of installing OSSEC Server and guide you how to integrate OSSEC with with the ELK Stack on Ubuntu 14.04 Server. We will also describe how to import the custom PCI and CIS Wazuh dashboards and custom rules.

OSSEC Server Installation

Copy scripts folder to server using a secure copy command

scp -r {{PATH_TO_TEMP_FOLDER}} {{ubuntu_user}}@{{Server_IP}}:/home/{{ubuntu_user}}/

SSH into your Ubuntu 14.04 Server and go to the OSSEC_ELK_Temp directory in your home directory. Run the OSSEC_Server_Install_Step1.sh bash script.

sudo bash OSSEC_Server_Install_Step1.sh

Answer Y to confirm the installation from apt-get and then enter your preferred language.

On the next screen, press ENTER to continue and then type “server” when the installation asks what kind of installation do you want.

For the proceeding questions, use the following answers:

Question 2 choose the default option [var/ossec]

Question 3.1, enter your email address and confirm the SMTP server.

Question 3.2 choose the default option [y]

Question 3.3 choose the default option [y]

Question 3.4 choose the default option [y] for both questions

Question 3.4 Part 3 choose the default option [n]

Question 3.5 choose the default option [y]

After answering all the questions, press ENTER to run the installation and your final result should state “Configuration finished properly.”

Press ENTER and the bash script will start OSSEC. A result of “Completed.” should be shown

Next you will want to add an agent to get some logs flowing into OSSEC. Press A to add an agent and then fill out the Name of the new agent, the IP, and the agent id. Confirm adding the new agent by entering Y.

NOTE: The bash script automatically opens the agent manager but to add more agents in the future run /var/ossec/bin/manage_agents

OSSEC Agent Installation

Open the OSSEC Agent Manager console if it is not open already

sudo /var/ossec/bin/manage_agents

Enter “E” stating you want to extract an agent key and then enter the agent ID that you want to extract. Highlight and copy the key to be used after the agent has been installed.

Copy Scripts folder to the agent server using a secure copy command

scp -r {{PATH_TO_TEMP_FOLDER}} {{ubuntu_user}}@{{Server_IP}}:/home/{{ubuntu_user}}/

On the Agent Server, change into the OSSEC_ELK_TEMP folder and then run the OSSEC_Agent_Install_Step2.sh bash script to install the OSSEC Agent

sudo bash OSSEC_Agent_Install_Step2.sh

A configuration window will appear and enter the IP Address of your OSSEC Server

In the Agent Manager, enter “I” stating you want to add an agent key, and then paste the key into the agent manager. Press enter, and confirm the entry by entering “y”.

ELK Stack Architecture

Elasticsearch, Logstash, and Kibana can be configured in a multitude of ways. This guide will be using the single host configuration where all components of the ELK Stack including OSSEC is installed on the same virtual machine. The ELK Stack can be distributed across multiple hosts and this configuration can be explained more in detail here in the Wazuh project documentation.

ELK Stack Prerequisites

Elasticsearch, Logstash, and Kibana require the Java 8 JRE to be installed. To install this, on the OSSEC Server machine go to the scripts folder that you copied over earlier and run the ELK_Stack_Prereqs_step3.sh bash script to install Java 8 JRE.

sudo bash ELK_Stack_Prerecs_step3.sh

Logstash Installation

To install Logstash, on the OSSEC Server machine go to the scripts folder that you copied earlier and run the ELK_Stack_Logstash_Install_step4.sh bash script.

sudo bash ELK_Stack_Logstash_Install_step4.sh

Install Elasticsearch

To install Elasticsearch, on the OSSEC Server machine go to the scripts folder that you copied earlier and run the ELK_Stack_Elasticsearch_Install_step5.sh bash script.

sudo bash ELK_Stack_Elasticsearch_Install_step5.sh

The script will automatically open up the elasticsearch.yml file, in the file set the cluster.name equal to “ossec”, and the node.name equal to “ossec_node1”

At the end of the elasticsearch.yml file, add the following lines shown in the image below to the end of the file. Then save the file and exit out of it.

Next, the script will open the limits.conf file. Add the following lines shown in the image below to the end of the file. Then save the file and exit out of it.

Next, the script will open the default/elasticsearch file. In this file set the ES_HEAP_SIZE equal to half the amount of RAM on the system.

In the same file, uncomment the following lines shown in the image below. Then save the file and exit out of it.

Kibana Installation

To install Kibana, on the OSSEC Server machine go to the scripts folder that you copied earlier and run the ELK_Stack_Kibana_Install_step6.sh bash script.

sudo bash ELK_Stack_Kibana_Install_step6.sh

Once the script has completed, in your web browser on your local machine navigate to http://{{OSSEC/ELK Host IP}}:5601. This should open up the Kibana web interface.

Next you will need to import the OSSEC index pattern by typing “ossec-*” into the textbox and then click create.

In the navigation select “Discover”. This shows all of the recent OSSEC alerts.

Wazuh Custom Dashboards

By default, the custom Wazuh dashboards are not imported into Kibana. To import them, navigate to this link and download the JSON file to your local machine.

In Kibana, go to settings, objects, and then click on import and select the JSON file you just downloaded.

3 dashboard should appear in the list. Click on the eye icon next to the OSSEC Alerts Dashboard to open the OSSEC Alerts Dashboard.

Wazuh Custom Rules

To import Wazuh’s custom OSSEC rules, on the OSSEC/ELK server, navigate to the scripts folder that you copied earlier and run the Wazuh_Rulesets.sh bash script.

sudo bash Wazuh_Rulesets.sh

When crontab opens, add this line to the bottom of your crontab file to update the Wazuh rules on a weekly basis, then save and exit the crontab file.

@weekly root cd /var/ossec/update/ruleset && ./ossec_ruleset.py -s

Cleanup

In the root directory of your user’s home folder on the OSSEC/ELK server, run the following commands to remove the temporary files.

sudo rm -rf ossec_tmp/ sudo rm -rf OSSEC_ELK_TEMP/

Conclusion

Completing this guide and getting OSSEC and the ELK Stack running is just the start of what can be accomplished. Custom Kibana dashboards can be created that allows you to monitor the alerts that are most important to your company. OSSEC can also be customized allowing you to create custom rules and rulesets that could be integrated into your custom dashboards. As more agents are added to the OSSEC server and more user start accessing Kibana, using the distributed architecture would become more important allowing the system to grow and expand.

We would like to thank the Wazuh project for all the hard work and dedication they have put in making the integration of OSSEC and the ELK Stack quick and simple. If you would like more information about the Wazuh Project, the ELK Stack, or OSSEC, view the links below.

Wazuh Project

ELK Stack

OSSEC