I am trying to set up IDS on a system composed of AWS Ubuntu 16.04 instances. My HIDS is managed by OSSEC 2.8.1 and my NIDS is managed by Snort 2.9.9.0 (parsed by Barnyard2 version 2.1.14, which also manages the Syslog forwarding).

On this instance (and others before it), when I set up OSSEC on the one hand and Snort/Barnyard2 on the other, I notice that OSSEC (which is automatically configured to use rsyslog for logging) works well by itself. Also, Snort/Barnyard2 works well when I put this line in barnyard2.conf and OSSEC is not running:

output alert_syslog: LOG_LOCAL5 LOG_ALERT

However, when both the HIDS and the NIDS are running/forwarding to Syslog, my EC2 instance freezes and I have to restore the image to get it working again (even if I restart the instance I can't get back in). I've tried logging OSSEC and Snort/BY2 to different files; that hasn't worked. I've also tried setting up a disk-assisted memory queue, which also hasn't worked. I really need to set this up and I can't just choose between one and the other.

I have added this file to /etc/rsyslog.d:

$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"

$ActionQueueType LinkedList
$ActionQueueFileName srvrfwd
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on

# For general Syslog info
*.* @@w.x.y.z:1514;GRAYLOGRFC5424

local5.alert /var/log/snort.log

local5.alert @@w.x.y.z:1515;GRAYLOGRFC5424

I should also mention that this file properly forwards Snort and other rsyslog data to the central logging server and that I've also been able to set up central logging for OSSEC, but on any given instance I cannot run OSSEC and Snort+Barnyard2+rsyslog forwarding at the same time.

Thanks in advance!
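One caveat worth checking against the file above, added here as an editor's example and not part of the question: the legacy `$ActionQueue*` and `$ActionResumeRetryCount` directives configure only the action that immediately follows them, so in the posted file only the `*.* @@w.x.y.z:1514` forwarder gets a disk-assisted queue, while the `local5.alert` forwarder on port 1515 runs without one. The same three rules in RainerScript syntax, with each forwarder given its own named queue, look like this (`w.x.y.z` is the question's placeholder host; the queue file names and the 512m disk limit are assumptions):

```rsyslog
# Added example, not from the original question: the posted rules rewritten in
# RainerScript so that every forwarding action carries its own queue settings.

template(name="GRAYLOGRFC5424" type="string"
         string="<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

# General syslog feed to the collector on 1514.
# queue.filename turns the in-memory LinkedList queue into a disk-assisted one;
# the spool files land in the global workDirectory (assumed /var/spool/rsyslog).
*.* action(type="omfwd" target="w.x.y.z" port="1514" protocol="tcp"
           template="GRAYLOGRFC5424"
           queue.type="LinkedList" queue.filename="srvrfwd_1514"
           queue.maxdiskspace="512m" queue.saveonshutdown="on"
           action.resumeRetryCount="-1")

# Local copy of the Snort alerts arriving from Barnyard2 on LOG_LOCAL5.
local5.alert action(type="omfile" file="/var/log/snort.log")

# Snort feed to the collector on 1515, with its own independent queue so a
# stalled connection here does not back up the 1514 forwarder or the main queue.
local5.alert action(type="omfwd" target="w.x.y.z" port="1515" protocol="tcp"
                    template="GRAYLOGRFC5424"
                    queue.type="LinkedList" queue.filename="snortfwd_1515"
                    queue.maxdiskspace="512m" queue.saveonshutdown="on"
                    action.resumeRetryCount="-1")
```

Validate the file with `rsyslogd -N1` before restarting the daemon; a syntax error in a per-action queue block is reported there rather than at runtime. Whether the missing queue on the second forwarder is related to the freeze is not something the question establishes, so treat this as a configuration check rather than a diagnosis.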

1 Answer

I don't use Barnyard2, only a vanilla snort. I log to a plain alert log file (not to syslog). I configure OSSEC to consume that file along with other log files. OSSEC has a default extractor for a vanilla snort alert log, similarly to other extractors.

Only OSSEC logs to rsyslog.
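The setup the answer describes, as an added editor's example rather than the answerer's own configuration: Snort writes its alerts to a file, and the OSSEC agent tails that file with its built-in Snort decoder, so only OSSEC talks to rsyslog. The alert path is an assumption (Snort's default full-format alert file under its log directory); `snort-full` is the OSSEC `log_format` for Snort's `alert_full` output, and `snort-fast` is the matching value if Snort is run with `alert_fast` instead.

```xml
<!-- Added example, not taken from the answer or from the OSSEC project docs:
     ossec.conf fragment that makes the OSSEC agent read Snort's alert file.
     The <location> path is assumed; adjust it to Snort's configured log dir. -->
<ossec_config>
  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>

  <!-- Use this block instead when Snort is started with -A fast or
       "output alert_fast:" in snort.conf; the two formats are not interchangeable. -->
  <!--
  <localfile>
    <log_format>snort-fast</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>
  -->
</ossec_config>
```

With this in place the Barnyard2 `output alert_syslog:` line from the question is no longer needed, and the `local5.alert` rules in the rsyslog fragment become unused; OSSEC's own alerts (including the ones it raises from Snort events) reach the central server through OSSEC's existing syslog output, which keeps a single writer on rsyslog per host.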
