SBM Labs

Cyber Security Collaboration Project

Centralized logs collection and analysis. Elasticsearch integration with correlation engine.
28 Apr 2015

We discussed Elasticsearch cluster configuration in the previous article. In this one we review how to integrate Elasticsearch with a correlation engine.

We will set the tag "corr" on critical events and forward them to the correlation engine. For this task we use the Syslog protocol as transport and OSSEC as the correlation engine.

We configured collection of the Linux security log earlier. Now we add a "filter" section to the Logstash configuration file /etc/logstash/conf.d/custom.conf that sets the tag "corr" on critical events matching a condition.

filter {
  grok {
    match => ["message", "Failed password for invalid user .* from .* port .* ssh2"]
    add_tag => [ "corr" ]
  }
}

To forward events tagged "corr" to the correlation engine, add the following conditional inside the Logstash "output" section.

if "corr" in [tags] {
  syslog {
    host => "ossec"
    port => 514
    facility => "security/authorization"
    severity => "alert"
    sourcehost => "%{logsource}"
    appname => "%{program}"
    procid => "%{pid}"
  }
}

Then we need to install the logstash-output-syslog plugin, which provides the syslog output used above.

# cd /opt/logstash/bin/
# ./plugin install --no-verify logstash-output-syslog

After that, restart Logstash to apply the new settings.

# /etc/init.d/logstash restart

If the configuration is correct, events with the tag "corr" will be visible in the Kibana web interface.
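To check what this pipeline actually hands to OSSEC without a running Logstash, the following Python script (an added example, not part of the original article or of Logstash) reproduces the two steps above: it applies the article's grok pattern as a plain regular expression to tag events with "corr", and it renders tagged events as RFC 3164 syslog lines the way the syslog output does, using PRI = facility * 8 + severity with facility "security/authorization" (10) and severity "alert" (1). The sample events, host names and addresses are constructed for the example.

```python
import re
import socket
from datetime import datetime

# Constructed sample events (not from the article), shaped like Logstash events
# after the syslog input has parsed them: logsource, program, pid and message.
SAMPLE_EVENTS = [
    {"logsource": "web01", "program": "sshd", "pid": "2231",
     "message": "Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2"},
    {"logsource": "web01", "program": "sshd", "pid": "2240",
     "message": "Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2"},
    # A failed login for an EXISTING account: the article's pattern does not match it.
    {"logsource": "db01", "program": "sshd", "pid": "918",
     "message": "Failed password for root from 203.0.113.9 port 55001 ssh2"},
]

# The grok match from the article's filter section, as a plain regex.
CORR_PATTERN = re.compile(r"Failed password for invalid user .* from .* port .* ssh2")

# RFC 3164 numeric codes for the values used in the article's syslog output.
FACILITY = {"security/authorization": 10}
SEVERITY = {"alert": 1}


def tag_event(event):
    """Mimic the filter: add the 'corr' tag when the message matches the pattern."""
    tags = list(event.get("tags", []))
    if CORR_PATTERN.search(event["message"]) and "corr" not in tags:
        tags.append("corr")
    return {**event, "tags": tags}


def to_syslog(event, facility="security/authorization", severity="alert", when=None):
    """Render an RFC 3164 line: <PRI>Mmm dd hh:mm:ss host app[pid]: message.

    sourcehost, appname and procid are taken from the same event fields the
    article's output references (%{logsource}, %{program}, %{pid}).
    """
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    dt = when or datetime(2015, 4, 28, 12, 0, 0)  # fixed time so the output is stable
    ts = "%s %2d %s" % (dt.strftime("%b"), dt.day, dt.strftime("%H:%M:%S"))
    return "<%d>%s %s %s[%s]: %s" % (
        pri, ts, event["logsource"], event["program"], event["pid"], event["message"])


def pipeline(events):
    """Tag every event and return syslog lines only for those tagged 'corr'."""
    lines = []
    for event in events:
        tagged = tag_event(event)
        if "corr" in tagged["tags"]:
            lines.append(to_syslog(tagged))
    return lines


def send_udp(lines, host="ossec", port=514):
    """Send rendered lines over UDP, the syslog output's default transport.

    Not called at import time; use it against a test OSSEC host of your own.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (host, port))
    finally:
        sock.close()


if __name__ == "__main__":
    for line in pipeline(SAMPLE_EVENTS):
        print(line)
```

Running it shows a single forwarded line, starting with "<81>", for the "invalid user" event; the "Failed password for root" line is not forwarded because the article's pattern only covers non-existent accounts, so extend the grok match if failed logins against real accounts should also reach OSSEC. Two points worth checking in the real pipeline: the message OSSEC receives must still look like an sshd log line for its decoders to fire, and if an event has no pid field Logstash emits the literal text "%{pid}" in the PROCID position rather than dropping it.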

In the next article we will review several useful tricks for Elasticsearch index management.
