OSSIM - Snort/OSSEC/Nagios Logging Config Question

Question

Quick n00b OSSIM question. I've looked around but haven't found exactly what I'm looking for. I currently have a Nagios, OSSEC, Nessus, and Snort server and I want to keep those servers active but just ship the logs to the OSSIM server and have it do the correlating and graphing. Can that be done? Everything I've seen is putting the various software functions actually on the OSSIM box but I don't want to do that. I'm running CentOS on all of the systems. Thanks.

Cian · Answer 1 · 2009-08-26T22:47:09.553

3

Nagios, OSSEC, Snort, and Nessus can all log to syslog. Which you could then use to forward the logs to the OSSIM server. Should work fine once all the logs are arriving there.

edited Aug 26 '09 at 22:47

answered Aug 26 '09 at 22:14

Cian

5,878

score 2 · Answer 2 · edited Jul 08 '12 at 13:34

Log Server

vi /etc/sysconfig/syslog
(enable remote connections by adding -r -x to the line SYSLOGD\_OPTIONS="-m 0" result after edits SYSLOGD_OPTIONS="-m 0 -r -x")
Have port 514 UDP open on the logging server's firewall to the IP of the source with a vi /etc/sysconfig/iptables and add the line: -A INPUT -p udp -m udp --dport 514 -j ACCEPT

On the Client (ships the logs to the log server)

vi /etc/syslog.conf
add a line to the end of the file \*.* @IP\_OF\_LOG_SERVER

Verify with a tail -f /var/log/messages on the logging server during a boot or reboot of the client.

OSSIM - Snort/OSSEC/Nagios Logging Config Question

2 Answers2