OSSEC is a multiplatform, open source and free Host Intrusion Detection System (HIDS). This integration allows you to send OSSEC logs to your Layerlog SIEM account.
Filebeat configuration
Before you begin, you’ll need:
- Filebeat 7 or Filebeat 6
- Root access
- Port 5015 open
Configure OSSEC to output JSON alerts
In the OSSEC configuration file (/var/ossec/etc/ossec.conf), find the <global> tag.
Add the <jsonout_output> property and set to yes.
<global>
<jsonout_output>yes</jsonout_output>
</global>
Restart OSSEC.
sudo /var/ossec/bin/ossec-control restart
Download the Layerlog public certificate to your credentials server
For HTTPS shipping, download the Layerlog public certificate to your certificate authority folder.
sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Add OSSEC as an input
In the Filebeat configuration file (/etc/filebeat/filebeat.yml), add OSSEC to the filebeat.inputs section.
Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.
# ...
filebeat.inputs:
- type: log
paths:
- /var/ossec/logs/alerts/alerts.json
fields:
logzio_codec: json
# Your Layerlog account token. You can find your token at
# http://panel.layerlog.com/#/dashboard/settings/manage-accounts
token: <<LOG-SHIPPING-TOKEN>>
type: ossec
fields_under_root: true
encoding: utf-8
ignore_older: 3h
If you’re running Filebeat 7, paste this code block. Otherwise, you can leave it out.
# ... For Filebeat 7 only ...
filebeat.registry.path: /var/lib/filebeat
processors:
- rename:
fields:
- from: "agent"
to: "filebeat_agent"
ignore_missing: true
- rename:
fields:
- from: "log.file.path"
to: "source"
ignore_missing: true
If you’re running Filebeat 6, paste this code block.
# ... For Filebeat 6 only ...
registry_file: /var/lib/filebeat/registry
The above assumes the following defaults:
- Log locations (JSON format) -
/var/ossec/logs/alerts/alerts.json - Log locations (plain text format) -
/var/ossec/logs/alerts/alerts.log
Set Layerlog as the output
If Layerlog is not an output, add it now. Remove all other outputs.
Replace <<LISTENER-HOST>> with the host for your region. For example, listener.layerlog.com if your account is hosted on AWS US East, or listener-nl.layerlog.com if hosted on Azure West Europe.
# ...
output.logstash:
hosts: ["<<LISTENER-HOST>>:5015"]
ssl:
certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
Start Filebeat
Start or restart Filebeat for the changes to take effect.
Check Layerlog for your logs
Give your logs some time to get from your system to ours, and then open Kibana.
You can search for type:ossec to filter for your logs. Your logs should be already parsed thanks to the Layerlog preconfigured parsing pipeline.
If you still don’t see your logs, see log shipping troubleshooting.