2

I have been tasked to harden our company linux servers. One of the problems that was outlined was the fact that logs are stored on the server which poses two problems:

  1. Difficult to aggregate and diagnose problems
  2. Not very secure, if a server is compromised then the logs could be removed or manipulated.

To address both problems the plan is to forward all logs generated by the production environment to a secure centralised logging server.

I am going to use OSSEC HIPS for intrusion detection. From what I have gathered OSSEC coagulates logs from its nodes thereby providing both centralisation of the logs and IDS monitoring; effectively hitting two birds with one stone.

What I would like to know is whether I should use additional tools to forward and store logs like rsyslog or whether that is overkill and OSSEC will be sufficient to retain all logs for X amount of time on the central log server.

2 Answers 2

0

Not an overkill. Sending syslog to another host (as rsyslogd can do) is a very good practice.

OSSEC agent is valuable, but not for syslog forwarding. OSSEC only stores the specific errors that it finds interesting. For a post-mortem analysis, you need more, you need the complete logs.

Use OSSEC agent because it offers monitoring the binaries modification, rootkit detection, and fail2ban-like functionality (aka active-response).

-1

OSSEC does a lot more than rsyslog. I'd saying setting up rsyslog or syslog-ng to send log events off site (or at least to a server that's hard to get to once an attacker has compromised your server) real-time would be the first thing to do. It's really quite simple to setup. Follow that up with setting up a HIDS solution. OSSEC does a loooooot more than log aggregation.

Here's a list of OSSEC's features: http://ossec-docs.readthedocs.org/en/latest/manual/non-technical-overview.html I'm looking into OSSEC now. Have looked at Stealth file integrity checker which initially looked very good, as nothing gets installed on the client and in-fact there is virtually no trace on the client that it's being monitored. There are a few downsides to Stealth though which quickly become apparent. I'm writing a blog post around all this currently, so yell out if you need some more help. I'll be posting to http://blog.binarymist.net

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .