Manual: Log analysis


Log Analysis (or log inspection) is done inside OSSEC by the logcollector and analysisd processes. The first collects the events and the second analyzes them (decodes, filters and classifies them).

It is done in real time: as soon as an event is written, OSSEC processes it. OSSEC can read events from log files on the system and from the Windows event log, and can also receive them directly via remote syslog.

  1. What is log analysis?
  2. Quick facts
  3. Configuration options
  4. Configuration examples
  5. Microsoft IIS configuration
  6. FAQ

What is log analysis?

Inside OSSEC we refer to log analysis as LIDS (log-based intrusion detection). Our goal is to detect attacks, misuse or system errors using the logs.

LIDS (log-based intrusion detection, or security log analysis) is the set of processes and techniques used to detect attacks on a specific network, system or application using logs as the primary source of information. It is also very useful for detecting software misuse, policy violations and other forms of inappropriate activity.

Quick facts

  • How often? In real time.
  • Where are the events analyzed? On the manager.
  • How long are they stored? For as long as your policy dictates (it is user configurable).
  • Where does it help me with compliance (PCI DSS, etc.)? It helps with the whole of section 10 (log monitoring) of PCI.
  • How much CPU does it use? On the agent, very little CPU/memory, since it only reads the events. On the manager, it depends on the number of events per second (EPS).
  • How does it deal with false positives? False positives can be eliminated using local rules.

Configuration options

To read/collect the events:
These options should be specified locally in each agent's ossec.conf file. Inside the “localfile” element, you can use the following options (example at localfile_examples.xml):

Table 3.6: Localfile options

  location
    Default value:  multiple (e.g. /var/log/messages)
    Allowed values: any log file
    Description:    Specifies the location of the log to be read.

  log_format
    Default value:  multiple (e.g. syslog)
    Allowed values: syslog, snort-full, snort-fast, squid, iis, eventlog, mysql_log, postgresql_log, nmapg or apache
    Description:    The format of the log being read. If the log has one entry per line, use “syslog”.

To analyze the events:
For all the options to analyze the events, please visit here.

Configuration examples

Configuring log analysis is very simple. You only need to provide the name of the file to be monitored and its format:

<localfile>
<location>/var/log/messages</location>
<log_format>syslog</log_format>
</localfile>

To monitor a Windows event log, set the format to “eventlog” and the location to the name of the event log. Example:

<localfile>
<location>Security</location>
<log_format>eventlog</log_format>
</localfile>

To monitor multiple files, we support posix regular expressions to make the job easier. For example, to analyze every file that ends in .log inside the /var/log directory, use:

<localfile>
<location>/var/log/*.log</location>
<log_format>syslog</log_format>
</localfile>

For log files whose name changes with the day, you can also specify a strftime format to stand in for the day, month, year, etc. For example, to monitor the log C:\Windows\app\log-08-12-15.log, where 08 is the year, 12 the month and 15 the day (and it is rolled over every day), use:

<localfile>
<location>C:\Windows\app\log-%y-%m-%d.log</location>
<log_format>syslog</log_format>
</localfile>
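As an added example (my own check, not part of the OSSEC manual or the OSSEC code base), the Python script below parses the <localfile> entries of a constructed ossec.conf fragment, validates each log_format against the values in Table 3.6, resolves strftime directives and wildcards in location the way the examples above describe, and flags entries that currently match no readable file. The sample configuration, the function names and the ALLOWED_FORMATS set are mine.

```python
import glob
import os
import time
import xml.etree.ElementTree as ET

# Allowed log_format values, as listed in Table 3.6 above.
ALLOWED_FORMATS = {"syslog", "snort-full", "snort-fast", "squid", "iis",
                   "eventlog", "mysql_log", "postgresql_log", "nmapg", "apache"}

# Constructed ossec.conf fragment for the demonstration (not a real config);
# the third entry deliberately misspells its log_format.
SAMPLE_CONF = """<ossec_config>
  <localfile><location>/var/log/messages</location><log_format>syslog</log_format></localfile>
  <localfile><location>/var/log/*.log</location><log_format>syslog</log_format></localfile>
  <localfile><location>/var/log/app/log-%y-%m-%d.log</location><log_format>sysog</log_format></localfile>
  <localfile><location>Security</location><log_format>eventlog</log_format></localfile>
</ossec_config>"""

def expand_location(location, now=None):
    """Resolve a <location> value: substitute strftime directives (%y, %m, %d)
    for the given struct_time (default: now), then expand any wildcards."""
    resolved = time.strftime(location, now or time.localtime())
    if any(ch in resolved for ch in "*?["):
        return sorted(glob.glob(resolved))
    return [resolved]

def check_localfiles(conf_xml, now=None):
    """Return (location, log_format, problems) for every <localfile> entry.
    Problems reported: log_format not in Table 3.6, or a file-based location
    that currently matches no readable file (eventlog names are not paths)."""
    results = []
    for lf in ET.fromstring(conf_xml).iter("localfile"):
        location = lf.findtext("location", "").strip()
        fmt = lf.findtext("log_format", "").strip()
        problems = []
        if fmt not in ALLOWED_FORMATS:
            problems.append(f"unknown log_format '{fmt}'")
        if fmt != "eventlog":
            readable = [p for p in expand_location(location, now)
                        if os.access(p, os.R_OK)]
            if not readable:
                problems.append("no readable file matches location")
        results.append((location, fmt, problems))
    return results

if __name__ == "__main__":
    for location, fmt, problems in check_localfiles(SAMPLE_CONF):
        print(f"{location} [{fmt}]: {'; '.join(problems) or 'ok'}")
```

Windows locations containing %WinDir% must have the variable expanded before the strftime step, because %W is itself a strftime directive (week number).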

Configuration for IIS logs

Support for IIS (5 and 6) is available for the NCSA format (web only) and the W3C extended format (for Web, FTP and SMTP). By default, the installation scripts will attempt to configure OSSEC to monitor the first virtual hosts for web (W3SVC1 to W3SVC254), FTP (MSFTPSVC1 to MSFTPSVC254) and SMTP (SMTPSVC1 to SMTPSVC254). To monitor any other file you need to add a new entry manually.

In addition, make sure to set the log time period to daily and to use local time for file naming and rollover. In the extended logging properties, configure it to log the Date, Time and all the extended properties.

Look at the following snapshots for IIS 5 examples: snap1, snap2, snap3 and snap4 (thanks to Rick McClinton for the snapshots and testing).

The following are snapshots for IIS 6: snap1, snap2, snap3, snap4. (Thanks to Dale Neufeld for the snapshots).

The following is an example configuration to monitor virtual server 2 of IIS web:

<localfile>
<location>%WinDir%\\System32\\LogFiles\\W3SVC3\\ex%y%m%d.log</location>
<log_format>iis</log_format>
</localfile>

Note that:
%y - the current year
%m - the current month
%d - the current day