Using OSSEC for Encrypted Log Transport
Here’s a little secret that the sales guys of the million-dollar SIEMs are probably going to gloss over. Most of them do not offer a way to encrypt logs in transit end-to-end. Worse, many of them use downright silly methods to collect logs on common operating systems, such as installing an FTP client on every host and sending them along as a big batch every so often.
For some reason, this is seen as acceptable since it’s usually on the internal network. At the same time, we give mean looks to anyone who even mentions the use of a clear-text protocol like telnet.
Here’s another little secret: many of the big SIEM vendors use syslog-ng as the log daemon on their appliances. It’s reliable and secure and generally works very well.
What if there was a way to add encrypted log transit to the expensive SIEM, or to the other log management solution you already have in place? What if you can’t use or don’t need the full functionality of a log analysis solution like OSSEC, but would like the ability to use encrypted log transport? Read on, my friend, because I’m going to show you exactly how to do that, and it can be done in just a few minutes.
- Install OSSEC in server mode on the existing syslog server from the vendor. I won’t go into detail here on how to install OSSEC, as it’s well documented elsewhere. These systems are generally just minimal Linux installations, so if you are lacking a compiler then you may need to install it on a like system and move OSSEC over. If your vendor won’t let you do this, ask them why you are paying them gobs of money without even the basic functionality of encrypted log transit!
- Install OSSEC agents on the hosts you want to collect logs from. Configure the agents to collect the logs you are interested in and add them to the manager. Don’t forget to restart the OSSEC manager after adding the agents.
- Add the following lines to /opt/syslog-ng/etc/syslog-ng.conf under the “source s_local” section:
# Read OSSEC queue
unix-dgram(“/var/ossec/queue/ossec/queue”); - Edit /var/ossec/etc/ossec-control and modify the two variables which are responsible for starting the OSSEC daemons. After modification, they should look like this:
DAEMONS=”ossec-remoted”
SDAEMONS=”ossec-remoted” - Finally, stop both syslog-ng and OSSEC. Start syslog-ng first, then start OSSEC.
The reason this works is due to the way OSSEC is designed. In fine Unix tradition, OSSEC separates the tasks into individual daemons that do only one job and do it well. In this case, ossec-remoted is writing to a Unix socket that syslog-ng is reading from in real-time. OSSEC is simply handing off the message to the local syslog daemon, at which point the message continues on its way as it normally would.
I used to use Snare, Zebedee and OSSEC for secure log delivery and file integrity. Now, it can all be handled with one open-source agent, already designed for secure and reliable log delivery.
There is a downside, which is primarily due to me not taking this to the next level and looking into the issue. In this configuration, you will not receive a notification if the OSSEC agent disconnects, since there is nothing to act on the absence of the heartbeat OSSEC sends. I’m pretty sure that can be solved by taking it up a notch and including one or two more daemons, combined with a stripped down decoder and rules file.
So the next time your expensive SIEM vendor tells you there’s no way to encrypt the logs in transit, tell them you can set it up in under an hour. Then send them a bill for your time.
Excellent idea!
Can rsyslog be configured to achieve the same result?
Frank
Hello Frank,
I am not that familiar with rsyslog, but I can’t imagine it wouldn’t be able to. As long as it can read a Unix socket it should be fine.
-Mike
First, great post! Second, after I set this up, syslog-ng stopped separating the logs base on the server IP (“/var/log/syslog/servers/$HOST/$YEAR.$MONTH.$DAY.$FACILITY.log”). Everything is going to one log via OSSEC. Are you experiencing the same thing?
Forget my post, I found my answer. Had a misconfiguration.
Hello tschack,
I’m glad you found the problem, but I wanted to comment in case anyone else runs into this. This can happen if you don’t edit ossec-control, and OSSEC and syslog-ng are both in contention for the queue. Whichever one is started last will win out.
Thanks,
Mike
Hi, I’m trying to set this up as well (while keeping ossec analyzing logs). I’m trying to get the logs seperated by host, but all I get is one file with all logs. The syslog-ng logs seem to be following this format:
Mar 22 11:53:30 ossec-server 1:(remotehost) 1.2.3.4->/var/log/syslog:Mar 22 11:53:29 remotehost snmpd[1965]: Connection from UDP: [4.5.6.7]:55066
I suspect, the problem is caused by the first part and syslog can’t parse the full logline correctly, but maybe I’m doing something wrong here.
Do you have any clues?
Thanks in advance.
What if you have, say 10 logs – 9 of which you want to actually “analyze” and the other one you simply want to send to the server to go stored in the DB for logging, as in syslog. So I still want to keep much of OSSEC doing what it does, and a small portion doing the logfile centralization…
Suggestions?
Well, if you enable logall, OSSEC will have analyzed all of those and then you could use another program to parse out the ones you are interested in. This is a bit different than the method I describe in the post. but it works fine.