
Big Data vs Easy Data: The WiKID OSSIM plugin

Big data is all the hype right now, but what most companies need is not big data but easy data. The truth is that most average-sized organizations do not even monitor the logs that they collect. That's changing as log management and monitoring are required as part of PCI compliance. Enterprises need log management tools.

In this spirit, we have released a WiKID plugin for OSSIM, AlienVault's open-source SIEM. It is very simple for now, with only a few rules, but it will be easy to add more if there is interest.

The plugin consists of two files: http://www.wikidsystems.com/webdemo/WiKID.cfg and http://www.wikidsystems.com/webdemo/WiKID.sql.

Copy the first file to /etc/ossim/agent/plugins and the second to /usr/share/doc/ossim-mysql/contrib/plugins/WiKID.sql. Restart the OSSIM server and you should be good to go.

On the WiKID server, configure the logs to use syslog. You will need to edit the file /etc/WiKID/log4j.properties so it looks like this:

# Logging detail level,
# Must be one of ("trace", "debug", "info", "warn", "error", or "fatal").
#log4j.rootLogger=DEBUG, socketLogger

# comment the line above and uncomment the line below to use syslog
log4j.rootLogger=DEBUG, socketLogger, Syslog, A1 

# comment out the rootLogger above and uncomment the line below to output logs to the console
#log4j.rootLogger=DEBUG, socketLogger,  A1


log4j.appender.socketLogger=org.apache.log4j.net.SocketAppender
log4j.appender.socketLogger.RemoteHost=localhost
log4j.appender.socketLogger.Port=8300
log4j.appender.socketLogger.LocationInfo=true

# Uncomment the lines below if using syslog
log4j.appender.Syslog=org.apache.log4j.net.SyslogAppender
log4j.appender.Syslog.layout=org.apache.log4j.PatternLayout
log4j.appender.Syslog.layout.ConversionPattern=%-5p %c{2} [%t,%M:%L] %m%n
log4j.appender.Syslog.SyslogHost=
log4j.appender.Syslog.Facility=WiKID
log4j.appender.Syslog.FacilityPrinting=true

# A1 is set to be a ConsoleAppender.
log4j.appender.A1=org.apache.log4j.ConsoleAppender

# A1 uses PatternLayout.
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
log4j.appender.A1.layout.ConversionPattern=%-4r [%t] %-5p %c %x - %m%n

Change log4j.appender.Syslog.SyslogHost to the IP address of your OSSIM server.

That's it. You can test it by logging in via RADIUS, and then again using a bad password, and checking that both events show up in OSSIM. WiKID has always recognized that two-factor authentication is just one part of a balanced, deep security program. In order to work well, these pieces need to communicate.
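To show what the OSSIM agent is doing with the syslog lines once they arrive, here is an added example (written for this post, not code from the WiKID plugin or from OSSIM) that mimics a plugin's rule sections in a few lines of Python: regex rules turn raw lines into normalized events with a plugin_sid, and a small correlation step flags a user with repeated failures. The sample log lines are constructed; only their layout follows the log4j ConversionPattern above (level, logger, [thread,method:line], message). The message texts, rule names and plugin_sid values are hypothetical and are not the ones in WiKID.cfg.

```python
"""Miniature OSSIM-style parsing of WiKID syslog lines (added example).

Sample lines, rule regexes and event ids below are CONSTRUCTED for this
example; they are not taken from WiKID.cfg or from real WiKID output.
"""
import re
from collections import Counter

# Constructed syslog input: "<timestamp> <host> " followed by fields laid out
# per the log4j pattern "%-5p %c{2} [%t,%M:%L] %m%n".
SAMPLE_LOG = """\
Jun  3 10:15:01 wikid-01 INFO  radius.Auth [Thread-7,authenticate:112] Authentication succeeded for user alice from 192.0.2.10
Jun  3 10:15:09 wikid-01 WARN  radius.Auth [Thread-7,authenticate:118] Authentication failed for user bob from 192.0.2.44
Jun  3 10:15:12 wikid-01 WARN  radius.Auth [Thread-7,authenticate:118] Authentication failed for user bob from 192.0.2.44
Jun  3 10:15:15 wikid-01 WARN  radius.Auth [Thread-7,authenticate:118] Authentication failed for user bob from 192.0.2.44
Jun  3 10:15:40 wikid-01 INFO  server.Sync [Thread-2,run:40] Token database checkpoint complete
"""

# Shared prefix: syslog timestamp and host, then the log4j level/logger/location.
PREFIX = (
    r"(?P<date>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<level>[A-Z]+)\s+(?P<logger>\S+) "
    r"\[(?P<thread>[^,]+),(?P<method>[^:]+):(?P<line>\d+)\] "
)

# Rules in the spirit of a plugin's [ruleN] sections: a regexp plus the
# plugin_sid the event is normalized to. Both are hypothetical here.
RULES = [
    {"name": "auth-success", "plugin_sid": 1,
     "regexp": re.compile(PREFIX + r"Authentication succeeded for user (?P<user>\S+) from (?P<src_ip>\S+)")},
    {"name": "auth-failure", "plugin_sid": 2,
     "regexp": re.compile(PREFIX + r"Authentication failed for user (?P<user>\S+) from (?P<src_ip>\S+)")},
]


def parse_line(line):
    """Return a normalized event dict for the first matching rule, else None."""
    for rule in RULES:
        m = rule["regexp"].match(line)
        if m:
            event = m.groupdict()
            event["plugin_sid"] = rule["plugin_sid"]
            event["rule"] = rule["name"]
            return event
    return None


def parse_log(text):
    """Parse every non-empty line; return (events, number of unmatched lines)."""
    events, unmatched = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            unmatched += 1          # no rule matched: the line is dropped, not an event
        else:
            events.append(event)
    return events, unmatched


def repeated_failures(events, threshold=3):
    """Users with at least `threshold` failed authentications (a directive-style count)."""
    counts = Counter(e["user"] for e in events if e["plugin_sid"] == 2)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs, skipped = parse_log(SAMPLE_LOG)
    for e in evs:
        print(f'sid={e["plugin_sid"]} {e["rule"]:12} user={e["user"]} src={e["src_ip"]}')
    print(f"{skipped} line(s) matched no rule")
    print("repeated failures:", repeated_failures(evs))
```

The unmatched counter is the part worth keeping an eye on in practice: a rule set that silently drops lines it does not recognize is how a SIEM ends up with a gap exactly where the interesting event was, so count what falls through and review it when adding rules.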

If you would like to see other rules, please let us know!
