Shulou(Shulou.com)06/01 Report--

Brief introduction of Ossec

Ossec is a very strong host IDS (hids), which can help us analyze logs, check file integrity, check rootkit and be able to alarm and respond actively in real time. In addition, ossec supports almost all mainstream operating systems, because it is open source, so we can do secondary development on ossec to integrate with some of our existing systems, such as zabbix,cacti. Its working mode is divided into two modes: C _ pact S mode and local mode. Local mode can be installed on a separate machine. This article will introduce the Cramp S model, which is most suitable for production environments.

Advantages of Ossec

Open source

Cross platform

Support clientless mode

Compliance requirement

Real-time and configurable alerts

Centralized management

Wait

Main functions of Ossec

Log analysis

File integrity check (UNIX and Windows)

Rootkit detection

Windows registry monitoring

Rootkit Detection based on UNIX

Real-time alarm and active response

Check disk space and system load

Detect host port changes

Nmap is supported to check port opening and changes.

You can detect domain name changes.

Wait

Installed by default in / var/ossec/

The main configuration file is in / var/ossec/etc/ossec.conf

* * stored in / var/ossec/etc/decoders.xml

Binaries / var/ossec/bin/

All the rules are in / var/ossec/rules/*.xml

Alerts are stored in / var/ossec/logs/alerts.log

Controlled by multiple processes (all controls through ossec-control)

Processes of the Ossec Server server

[root@localhost ~] # ps-ef | grep ossec

Ossecm 5505 1 0 13:21? 00:00:00 / var/ossec/bin/ossec-dbd

Ossecm 5510 10 13:21? 00:00:00 / var/ossec/bin/ossec-maild

Root 5512 1 0 13:21? 00:00:00 / var/ossec/bin/ossec-execd

Ossec 5518 1 0 13:21? 00:00:12 / var/ossec/bin/ossec-analysisd

Root 5522 1 0 13:21? 00:00:00 / var/ossec/bin/ossec-logcollector

Ossecr 5526 1 0 13:21? 00:00:00 / var/ossec/bin/ossec-remoted

Ossecr 5527 1 0 13:21? 00:00:01 / var/ossec/bin/ossec-remoted

Root 5534 1 0 13:21? 00:00:18 / var/ossec/bin/ossec-syscheckd

Ossec 5536 1 0 13:21? 00:00:00 / var/ossec/bin/ossec-monitord

[root@localhost ~] # / var/ossec/bin/ossec-control status

Ossec-monitord is running...

Ossec-logcollector is running...

Ossec-remoted is running...

Ossec-syscheckd is running...

Ossec-analysisd is running...

Ossec-maild is running...

Ossec-execd is running...

Ossec-dbd is running...

Tasks for each process

Analysisd-do all the analysis (main program)

Remoted-receives remote logs from the agent

Logcollector-read log files (syslog, flat files, Windows event logs, IIS, etc.)

Agentd-forward log server

Maild-send email alert

Execd-perform a positive response

Monitord-Monitor agent status, compressed and flagged log files, etc.

Ossec-control manages to start and stop all of them

Ossec local: general log fault analysis process

Log collection is done by ossec-logcollector

Analysis and decoding is done through ossec-analysisd

The alarm is done through ossec-maild.

Positive response is done by ossec-execd

Client/server: a general log analysis process for client / server architecture

Log collection is done by ossec-logcollector

Analysis and decoding is done through ossec-analysisd

The alarm is done through ossec-maild.

Positive response is done by ossec-execd

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.