Distro Selection for OSSEC



  • Re: OSSEC - Anyone tried it?

    I never saw in the thread referenced here what folks chose as their distro for running OSSEC. We're considering using it, but it looks like the virtual appliance they have is version 2.8.3 (updated in 2015 sometime) and runs CentOS 6.7. What distro do you / would you use to run OSSEC if you were deploying it today?

    Here's the link to the downloads page if anyone wants to read more on the various install packages available - https://ossec.github.io/downloads.html.


  • Running 6.7 isn't a very secure way to go about things. That means that they are not patching... like more or less the most basic thing you do in security!!



  • Maybe they have abandoned the virtual appliance?


  • Fedora 26 and CentOS 7 supported there.



  • @scottalanmiller said in Distro Selection for OSSEC:

    Running 6.7 isn't a very secure way to go about things. That means that they are not patching... like more or less the most basic thing you do in security!!

    Well, I think they just aren't patching the pre-built OVA. They have later releases of the OSSEC server version from what I saw. And if I were deploying it, I would just install the bits on my own Linux server rather than use the OVA.



  • @networknerd OSSEC is good, their OVA is not. Like everyone else has strongly hinted at, just don't use the OVA.



  • I know this is FOSS and that there are support options out there, but we do have license to vRealize Log Insight also, which would already fall under paid support through VMware. It certainly won't do the HID like OSSEC would, but we may end up partnering with a vendor like Arctic Wolf to do that part for us down the road. The jury is still out on that one.



  • @travisdh1 - did you install the web UI on your OSSEC server? It looks like that has not been updated since 2015, so it seemed like that would not be wise (although someone else shows they did it here). But it also looks like if you don't install the web UI you're basically managing all things via command line. The documentation is what I'd call less than stellar.

    To give some frame of reference, I was able to stand up a CentOS 7 minimal install and install OSSEC without much trouble. It's the configuration part that is a bit challenging. It looks like /var/ossec/etc/ossec.conf controls a great deal of the magic.



  • I usually use OSSIM, but it is from Alienvault. I don't usually engage with their vendors though, so that's good.
    https://www.alienvault.com/products/ossim



  • @dbeato said in Distro Selection for OSSEC:

    I usually use OSSIM, but it is from Alienvault. I don't usually engage with their vendors though, so that's good.
    https://www.alienvault.com/products/ossim

    Interesting. I love the fact that you have to enter your information to watch a webcast on the product. It seems like they have at least skinned up a decent web interface for management, however. How many endpoints are you monitoring with OSSIM? It looks like you only get to have a single OSSIM server in terms of deployment (not that this is super important for us) and that it does not do log management. But we do have Log Insight which could be used for that purpose.



  • @networknerd I am monitoring all my network equipment, which is about 30 devices (including firewalls, switches and backup appliances), 10 servers and workstations (150). The system does do log collection and has an API for common threats that are alerted.

    Yes, the webcast was a pain, so I just downloaded the ISO only and worked my way. This was another suggestion, but by all means OSSIM uses the OSSEC agent, so you could go with OSSEC all the way.



  • @networknerd said in Distro Selection for OSSEC:

    @travisdh1 - did you install the web UI on your OSSEC server? It looks like that has not been updated since 2015, so it seemed like that would not be wise (although someone else shows they did it here). But it also looks like if you don't install the web UI you're basically managing all things via command line. The documentation is what I'd call less than stellar.

    To give some frame of reference, I was able to stand up a CentOS 7 minimal install and install OSSEC without much trouble. It's the configuration part that is a bit challenging. It looks like /var/ossec/etc/ossec.conf controls a great deal of the magic.

    Hrm, I haven't looked at the recent releases; apparently I should. I found that getting things set up via the web UI wasn't so bad. The interface isn't the greatest, but I don't really care about a good-looking interface, so long as the back end is being kept up to date.



  • After hearing the session on open source security tools at Spiceworld, I am going to give Wazuh a shot and do a POC of it vs. OSSEC. From what I have read, Wazuh is essentially OSSEC on steroids.



  • We decided to stick with Wazuh. It runs on CentOS 7 and has a shiny OVA we used to deploy it. So for the purposes of this thread, we have our distro selected. Thanks everyone for the help.