Symposium Presentations Available / The Future of OSSEC

Trend did a great job of outlining our plan for OSSEC in this post. They begin by describing the Symposium, just as I did in my previous post, then go on to lay out a detailed plan for the future. A key theme is making OSSEC easier to use and more relevant for everyone. How do we get to this future? Well, that depends a lot on the amount of help we can get from the very talented members of the community. Remember, OSSEC is a volunteer community project and we welcome the assistance of anyone who wants to pitch in.

They are also hosting my presentations if you care to have a look. You probably won’t get as much out of them as you would have at the Symposium, since my slides tend to be simple, but the general ideas are there.

Day 1 details my experiences applying OSSEC over the last several years and can be found here.

Day 2 outlines what I think OSSEC can be: an extension of the great community that already exists. Access it here.

Ready to pitch in? Let us know…

3 comments on “Symposium Presentations Available / The Future of OSSEC”
  1. Hi Michael,
    Many thanks for the slides, nice to see what I missed.

    I am involved with a project called AnaLogi and we have just released v1.2

    Due to your interest in OSSEC I thought this may be of interest to you. I have included a brief layout of changes from 1.1 to 1.2 beneath.

    If you have any feedback please do not hesitate to get in touch.

    Kind Regards
    Andy

    New Features
    ————–
    Connection Diagnostics for when AnaLogi does not have any data for the graphs (it tests the MySQL PHP module, connection to server, MySQL schema, database content).

    Group Category filtering added to main page (sshd, arpwatch, windows etc)

    New page ‘NewsFeed’ providing:
    * ‘Threat Feed’ gives a listing of alerts based upon alert time and threat level
    * ‘Trend Analysis’ compares the previous time block against previous weeks to see which alerts/systems are experiencing the greatest change from baseline

    New page ‘Management’ for managing and running the SQL database providing:
    * Last agent check in report to highlight which agents have stopped reporting in
    * List of the biggest alert/system combinations
    * Database size and Database row count
    * Report on which agents are using the most disk space with a per level breakdown
    * Historical report on database data
    * All of which help feed into the last section, the Database Clean-up filter for deleting superfluous data

    Auto Div scaling on front page ensures that an excess of graph lines does not impede the visuals

    Customisable auto-highlighting of keywords on detail.php

    Fix/Improved
    ————–
    Faster SQL
    Hover text for front page
    Improved consistency between index.php and detail.php
    Radio button selection on index.php
    ‘Top Rare’ warning when not enough data
    Relative link to images for detail.php
    Hard links added to header
    Lots more

  2. josh says:

    Hey Mike,
    I think the slides are very well done. Have you continued to use ELSA? I am still interested in this app and have lately committed to graylog2 with elasticsearch for general log collection; I am actually pushing my OSSEC info to it as well.

    I have a couple of questions, I may have missed one of the answers in a previous post:

    1. Where did the OSSEC symposium take place?
    2. Do you do any coding and if so what language do you prefer?

    • Hello Josh,

      Thanks for your kind words. Yes, I am still using ELSA. It has been a bit of a bumpy ride at times but it just keeps getting better and better. Martin, the developer, is quick to respond to problems and feature requests. I think it made a pretty big leap forward with the latest feature: dashboards. I also added OSSEC support into ELSA so it can understand OSSEC syslog output.

      As to your questions:

      1. The symposium took place at the Trend Micro HQ in Cupertino, CA.
      2. I don’t code in C. I don’t really consider myself competent enough yet to develop unassisted. But I am starting to dip my toes into the waters when I can and add some features. For example, I just added integrity checksums to the syslog alerts so we can do some interesting stuff with them like look up the checksum using a VirusTotal API. Mostly, I work on rules, decoders, installers, etc.

      We’re always looking for contributions, so if you have something to share, please let us know.

      Take care,
      Mike
