Ossec for IPFire

Help on building IPFire & Feature Requests
Roberto Peña
Posts: 567
Joined: July 16th, 2014, 3:56 pm
Location: Bilbao (España)

Re: Ossec for IPFire

Post by Roberto Peña » May 13th, 2017, 7:50 am

Good morning ummeegge.

You say there is a console to see the logs? I would like to try it. It would be great.

How is it installed? Have you developed any installation packages?

It would also be great if, from the IPFire GUI itself, there were a call to open that console, for example in "Logs -> OSSEC Logs". That is, a small integration.

One thing: for agent installations on a non-English Windows computer, a user group called "Administrators" must be created and the Administrator user and Team user must be added to this group. In this way, it will install without problems.

Thanks.

ummeegge
Community Developer
Posts: 4539
Joined: October 9th, 2010, 10:00 am

Re: Ossec for IPFire

Post by ummeegge » May 13th, 2017, 6:52 pm

Hi Roberto,
Roberto Peña wrote: You say there is a console to see the logs? I would like to try it. It would be great.
There are different logs available in my case:

-> ls -la /var/ossec/logs/
total 84
drwxr-x---  5 ossec ossec  4096 May  5 17:58 .
dr-xr-x--- 13 root  ossec  4096 May  5 17:58 ..
-rw-rw----  1 ossec ossec     0 May  5 17:58 active-responses.log
drwxr-x---  3 ossec ossec  4096 May 13 00:00 alerts
drwxr-x---  3 ossec ossec  4096 May 13 00:00 archives
drwxr-x---  3 ossec ossec  4096 May 13 00:00 firewall
-rw-rw----  1 ossec ossec 57684 May 13 13:59 ossec.log
whereby the interesting one might be for the first the alert log. Over console/ssh you can use a simple

cat /var/ossec/logs/alerts/alerts.log

Since OSSEC uses alert levels (0-16 --> you can find a level description in here --> http://ossec-docs.readthedocs.io/en/lat ... evels.html ), you can surely grep for specific levels, e.g. from 5-16:

grep -E -B2 -A3 '\(level ([5-9]|1[0-6])\)' /var/ossec/logs/alerts/alerts.log

but this can also be done over the WI by clicking on what you want to see.
Roberto Peña wrote: One thing: for agent installations on a non-English Windows computer, a user group called "Administrators" must be created and the Administrator user and Team user must be added to this group. In this way, it will install without problems.
OSSEC is capable, in a server/agent structure, of collecting all LAN logs (external ones over OpenVPN, for sure, too) from different OSes (Linux, Mac, Windows, ...) and making them manageable at a central point with an integrated, easy-to-extend alert logic, which is nice not only for a bigger/better overview of what is happening to your machines but also for automatic intrusion prevention to defend in worst cases. The defaults are effective for what I have experienced until now, but modification to your own specific needs is fairly easy.

Have a nice weekend (I will maybe work a little on the weekend on an installation helper for the email notification ;-)).

Greetings,

UE
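As an added example (not part of ummeegge's post and not code from the OSSEC project), the same level filter as a small shell/awk helper: awk's paragraph mode treats each blank-line-separated block of alerts.log as one alert, so a matching alert is printed whole instead of with fixed -B/-A context lines. The three sample alerts are constructed for this example in the alerts.log layout; rule ids, levels and addresses are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post: filter OSSEC alerts.log by minimum
# alert level. awk's paragraph mode (RS="") treats each blank-line-separated
# block as one alert, so the whole record is printed, however many lines it has.
set -eu

# Constructed sample in the alerts.log layout (three alerts at levels 3, 10, 5).
SAMPLE_ALERTS=$(cat <<'EOF'
** Alert 1494678000.1001: - syslog,sshd,authentication_success,
2017 May 13 13:40:00 ipfire->/var/log/messages
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.0.2.10
May 13 13:40:00 ipfire sshd[2201]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2

** Alert 1494678060.1002: - syslog,sshd,authentication_failures,
2017 May 13 13:41:00 ipfire->/var/log/messages
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 203.0.113.5
May 13 13:41:00 ipfire sshd[2210]: Failed password for root from 203.0.113.5 port 41022 ssh2

** Alert 1494678120.1003: - syslog,sshd,authentication_failed,
2017 May 13 13:42:00 ipfire->/var/log/messages
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.7
May 13 13:42:00 ipfire sshd[2215]: Failed password for admin from 198.51.100.7 port 5022 ssh2
EOF
)

# Print every alert (stdin) whose "Rule: NNNN (level L)" line has L >= $1.
filter_alerts_min_level() {
    awk -v min="$1" '
        BEGIN { RS = ""; ORS = "\n\n" }
        match($0, /\(level [0-9]+\)/) {
            # strip the leading "(level " (7 chars) and the closing ")"
            lvl = substr($0, RSTART + 7, RLENGTH - 8) + 0
            if (lvl >= min) print
        }'
}

# Count alerts at or above level $1 (stdin); prints 0 instead of failing on no match.
count_alerts_min_level() {
    filter_alerts_min_level "$1" | grep -c '^\*\* Alert' || true
}

# List the rule ids of alerts at or above level $1 (stdin), one per line, in log order.
rule_ids_min_level() {
    filter_alerts_min_level "$1" |
        awk 'match($0, /^Rule: [0-9]+/) { print substr($0, 7, RLENGTH - 6) }'
}

# Demo on the constructed sample. On IPFire feed the real file instead:
#   filter_alerts_min_level 5 < /var/ossec/logs/alerts/alerts.log
printf '%s\n' "$SAMPLE_ALERTS" | filter_alerts_min_level 5
```

The listing above shows /var/ossec/logs as ossec:ossec with mode 0750, so on the firewall the helper has to run as root or as the ossec user to read alerts.log.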

ummeegge
Community Developer
Posts: 4539
Joined: October 9th, 2010, 10:00 am

Re: Ossec for IPFire

Post by ummeegge » May 17th, 2017, 2:45 pm

Needed a little longer, but you can find in here --> https://github.com/ummeegge/ossec-ipfir ... l_setup.sh an email setup assistant.
Have tested it a little and as far as I can see it works. Instructions on how to use it are included.
As mentioned before, TESTING SYSTEMS SHOULD BE USED for this.
To start it

cd /tmp &&
curl -O https://raw.githubusercontent.com/ummeegge/ossec-ipfire/master/ossec_email_setup.sh && 
chmod +x ossec_email_setup.sh && 
./ossec_email_setup.sh
should open the dialog.

Greetings,

UE

5p9
Mentor
Posts: 1775
Joined: May 1st, 2011, 3:27 pm

Re: Ossec for IPFire

Post by 5p9 » August 31st, 2017, 5:07 pm

Hi UE,

I run your OSSEC... really nice. See in German: https://forum.ipfire.org/viewtopic.php? ... 47#p110447

ummeegge
Community Developer
Posts: 4539
Joined: October 9th, 2010, 10:00 am

Re: Ossec for IPFire

Post by ummeegge » February 8th, 2018, 6:20 pm

Hi all,
PHP will be dropped with Core 118 --> https://planet.ipfire.org/post/ipfire-2 ... or-testing so OSSEC's WI will be useless if no additional PHP package is available (surely findable somewhere in the shoals of the forum).

For a manual cleanup you can execute the following commands:

rm -rvf \
/srv/web/ossec \
/etc/httpd/conf/vhosts.d/ossec.conf \
/etc/logrotate.d/ossec \
/var/log/httpd/ossec-*.log &&
/etc/init.d/apache restart
OSSEC will nevertheless work as before...
Not sure if anyone needs this info, but I wanted to announce it. Will adjust the scripts if no other ideas are around...

Greetings,

UE

Drexbengel48
Posts: 4
Joined: June 12th, 2017, 4:50 am
Location: Berlin

Re: Ossec for IPFire

Post by Drexbengel48 » February 9th, 2018, 4:01 am

Hi ummeegge,

THX4Info!

Greetings
Drexbengel48

ummeegge
Community Developer
Posts: 4539
Joined: October 9th, 2010, 10:00 am

Re: Ossec for IPFire

Post by ummeegge » February 11th, 2018, 6:22 pm

Hi all,
have added Wazuh --> https://wazuh.com/ (also available for 32 and 64 bit machines) as another possibility instead of OSSEC to the admin.sh. Since it is a fork of OSSEC but also delivers a nice implementation possibility for another visualization via the ELK stack, I thought it might be a nice substitute for the lost OSSEC WI? E.g. the ELK visualization (screenshot), which surely needs more work/resources under the hood than the OSSEC WI did. In here --> https://documentation.wazuh.com/current ... index.html more information can be found.

Wazuh also provides a lot of other stuff but is also not that far away from the maybe already known OSSEC. A look over (better a deep dive into) this topic might be nice.

Have also deleted the OSSEC WI (un)installer option in admin.sh because Core 118 does not support PHP anymore. Should it nevertheless be of interest, the old (un)installer can be found in here --> https://github.com/ummeegge/ossec-wazuh ... staller.sh .

Start topic has been updated --> viewtopic.php?f=50&t=15597#p93670 incl. install howto.

Greetings,

UE

mike15
Posts: 15
Joined: April 4th, 2018, 1:21 pm

Re: Ossec for IPFire

Post by mike15 » April 9th, 2018, 5:49 pm

Hi, could I ask you for help with the installation of OSSEC or Wazuh? I tried to read the other pages but I did not understand if you can still have one of them.

ummeegge
Community Developer
Posts: 4539
Joined: October 9th, 2010, 10:00 am

Re: Ossec for IPFire

Post by ummeegge » April 10th, 2018, 9:04 am

Hi,
you can copy/paste/execute the following commands:

cd /tmp &&
curl -O https://raw.githubusercontent.com/ummeegge/ossec-wazuh/master/ossec-wazuh-admin.sh &&
chmod +x ossec-wazuh-admin.sh &&
./ossec-wazuh-admin.sh
This should start the installation process for Wazuh and OSSEC; the script should do the rest with user interaction. By the release of Core 120 I will provide a new version.

UE

mike15
Posts: 15
Joined: April 4th, 2018, 1:21 pm

Re: Ossec for IPFire

Post by mike15 » April 10th, 2018, 8:32 pm

The ipfire response to the commands was: no URL specified

ummeegge
Community Developer
Posts: 4539
Joined: October 9th, 2010, 10:00 am

Re: Ossec for IPFire

Post by ummeegge » April 11th, 2018, 3:38 am

Hi,
Every line is its own command; a 'curl -O' alone does not work! If you execute every line on its own, you won't need the '&&' at the end.
As a side note, if you are not that familiar with the command line, you should think about whether to use OSSEC then, since you will need it further on.

UE
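Both install one-liners in this thread (the ossec_email_setup.sh one earlier and the ossec-wazuh-admin.sh one just above) fetch a script from the master branch on GitHub and run it straight away. As an added example that is not part of any post here and not code from the ossec-ipfire/ossec-wazuh repositories, the same download, chmod and run steps as a small script with set -e (which stops the chain at the first failure, as the '&&' did), plus a SHA-256 check before anything is executed. EXPECTED_SHA256 is an assumption: the operator computes it after reading the script, since no hash is published in the thread.

```shell
#!/bin/sh
# Added example, not part of the original posts or of the ossec-ipfire/ossec-wazuh
# scripts: download, verify, chmod and run as separate checked steps. The hash is
# a placeholder the operator fills in; no hash is published in the thread.
set -eu

# Succeed only if FILE ($1) hashes to the hex SHA-256 given in $2.
verify_sha256() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Download URL ($1) into DIR ($3, default /tmp), verify it against the SHA-256 in $2,
# mark it executable and print its path. A mismatching file is deleted, never run.
fetch_verified() {
    url=$1
    expected=$2
    dir=${3:-/tmp}
    name=$(basename "$url")
    ( cd "$dir" && curl -fsSL -o "$name" "$url" )
    if ! verify_sha256 "$dir/$name" "$expected"; then
        rm -f "$dir/$name"
        echo "checksum mismatch for $name, refusing to run it" >&2
        return 1
    fi
    chmod 0755 "$dir/$name"
    printf '%s\n' "$dir/$name"
}

# Usage, mirroring the one-liner from the thread (EXPECTED_SHA256 is an assumption
# the operator fills in after reviewing the script):
#   script=$(fetch_verified \
#       https://raw.githubusercontent.com/ummeegge/ossec-wazuh/master/ossec-wazuh-admin.sh \
#       "$EXPECTED_SHA256")
#   "$script"
```

Because the URL points at master, the hash only stays valid until the script changes upstream; pinning the URL to the commit you reviewed keeps the check meaningful, and a mismatch after that is the signal to read the diff before running anything on the firewall.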

ummeegge
Community Developer
Posts: 4539
Joined: October 9th, 2010, 10:00 am

Re: Ossec for IPFire

Post by ummeegge » April 13th, 2018, 3:27 pm

Hi all,
Update to Ossec-2.9.3 and Wazuh-3.2.1 is already available (check out the starting post), but only for >= Core 120, which is currently only available in the testing tree --> https://planet.ipfire.org/post/ipfire-2 ... or-testing but should be regularly released soon. If someone wants to stay in the stable tree you should wait until then; I even had some time, so I did this work a little before .-)

Peace and all the best to all,

UE
