- About the Author
- About the Technical Editor
- Credits
- Acknowledgments
- Foreword
- Introduction
- CHAPTER 1 Fundamental Networking and Security Tools
- CHAPTER 2 Troubleshooting Microsoft Windows
- CHAPTER 3 Nmap—The Network Mapper
- CHAPTER 4 Vulnerability Management
- CHAPTER 5 Monitoring with OSSEC
- CHAPTER 6 Protecting Wireless Communication
- CHAPTER 7 Wireshark
- CHAPTER 8 Access Management
- CHAPTER 9 Managing Logs
- CHAPTER 10 Metasploit
- CHAPTER 11 Web Application Security
- CHAPTER 12 Patch and Configuration Management
- CHAPTER 13 Securing OSI Layer 8
- CHAPTER 14 Kali Linux
- CHAPTER 15 CISv7 Controls and Best Practices
Log Analysis
Now that you have your agents gathering logs and bringing them into your OSSEC server, it is time for decoding, inspecting, filtering, classifying, and analyzing. The goal of LIDS is to find any attacks, misuse, or errors that systems are generating using the logs.
Logs are monitored in real time by the manager. By default, log messages from host agents are not retained. Once analyzed, OSSEC deletes these logs unless the <logall> option is included in the OSSEC manager's ossec.conf file. If this option is enabled, OSSEC stores the incoming logs from agents in a text file that is rotated daily. The resources used by the agent are minimal, but the resources used by the manager can fluctuate depending on the events per second (EPS). There are two major ways you can analyze your logs: either by the processes that are running or by the files you are monitoring.
When you are monitoring processes on an asset with OSSEC, the logs that are generated are parsed with the rules contained within the database. Even if some information is not readily available in the logs, OSSEC can still monitor it by examining the output of commands and treating the output as if it was a log file. File log monitoring will monitor log files for new events. When a new log arrives, it forwards the log for processing and decoding.
Configuring a log to be monitored can be pretty easy if you are familiar with Extensible Markup Language (XML). XML is a programming markup language that defines a set of rules used to make a document that is both human readable and machine readable. The design of XML makes it simple and applicable in many scenarios. All you have to do is provide the name of the file to be monitored and the format of the log. For example, the XML may look like this:
<localfile><location>/var/log/messages</location><log_format>syslog</log_format></localfile>
On a virtual machine, you will have the ability to display the dashboard, visualizations, and searches; query the logs; and filter the raw data as well as use data stores for other indexing, as you see in Figure 5.8 .
Figure 5.8 : Kibana dashboard
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论