OSSEC is an open-source, host-based intrusion detection system. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. It helps you monitor and manage security events across your IT infrastructure.
This integration ingests the following types of logs:
FTPD
Firewall
System
Syslog
SSHD
PAM
Windows
Web access
Visualize detailed insights into these logs through the out-of-the-box dashboards.
To install the OSSEC Security integration, run the following Agent installation command and the steps below. For more information, see the Integration Management documentation.
Note: This step is not necessary for Agent version >= 7.57.0.
Datadog expects all logs to be in the UTC time zone by default. If the timezone of your OSSEC logs is not UTC, specify the correct time zone in the OSSEC Security Datadog pipeline.
To change the time zone in OSSEC Security pipeline:
Enter “OSSEC Security” in the Filter Pipelines search box.
Hover over the OSSEC Security pipeline and click on the clone button. This will create an editable clone of the OSSEC Security pipeline.
Edit the Grok Parser using the steps below:
In the cloned pipeline, find the processor named “Grok Parser: Parsing OSSEC alerts”, hover over it and click the Edit button.
Under Define parsing rules:
Change the string UTC to the TZ identifier of the time zone of your OSSEC server. For example, if your time zone is IST, change the value to Asia/Calcutta.
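The reason the TZ identifier matters is that the alert's human-readable timestamp is written in the OSSEC server's local clock, while the epoch value in the alert header is absolute. The following example, added here and not part of the integration or of Datadog's pipeline code, parses a constructed OSSEC alert block and shows how far the parsed timestamp drifts when it is interpreted as UTC instead of with the server's real zone. The alert contents, host name, IP and the fixed-offset fallback table are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Constructed sample OSSEC alert (not a real capture). The header carries the
# alert's epoch time (1704067200 = 2024-01-01T00:00:00Z); the second line is
# the same instant in the OSSEC server's local clock, here Asia/Calcutta (+05:30).
SAMPLE_ALERT = """\
** Alert 1704067200.12: - syslog,sshd,authentication_failed,
2024 Jan 01 05:30:00 webserver->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: admin
Jan  1 05:29:59 webserver sshd[2143]: Failed password for admin from 203.0.113.7 port 51022 ssh2
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<epoch>\d+)\.\d+: - (?P<groups>.*?),?$")
TIME_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+)->(?P<location>\S+)$"
)
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

# Fixed-offset fallback for hosts without a tzdata database (an assumption made
# for this example; India observes no DST, so the offset is constant).
FALLBACK_OFFSETS = {
    "UTC": timedelta(0),
    "Asia/Calcutta": timedelta(hours=5, minutes=30),
}


def resolve_tz(tz_name):
    """Turn a TZ identifier such as Asia/Calcutta into a tzinfo object."""
    try:
        return ZoneInfo(tz_name)
    except KeyError:  # ZoneInfoNotFoundError is a KeyError subclass
        return timezone(FALLBACK_OFFSETS[tz_name], tz_name)


def parse_alert(text):
    """Parse the header, timestamp and rule lines of one alerts.log block."""
    lines = text.strip().splitlines()
    header = HEADER_RE.match(lines[0])
    when = TIME_RE.match(lines[1])
    rule = RULE_RE.match(lines[2])
    if not (header and when and rule):
        raise ValueError("not an OSSEC alert block")
    return {
        "epoch": int(header["epoch"]),
        "groups": header["groups"].split(","),
        # Naive datetime: the zone is only known from the server's configuration.
        "local_time": datetime.strptime(when["ts"], "%Y %b %d %H:%M:%S"),
        "host": when["host"],
        "location": when["location"],
        "rule_id": int(rule["rule"]),
        "level": int(rule["level"]),
        "description": rule["desc"],
    }


def alert_time_utc(alert, tz_name):
    """Interpret the naive local timestamp in tz_name and convert it to UTC."""
    local = alert["local_time"].replace(tzinfo=resolve_tz(tz_name))
    return local.astimezone(timezone.utc)


def timestamp_skew_seconds(alert, tz_name):
    """Seconds between the converted timestamp and the epoch in the alert header.

    Zero means the chosen TZ identifier matches the server's clock.
    """
    header_time = datetime.fromtimestamp(alert["epoch"], tz=timezone.utc)
    return (alert_time_utc(alert, tz_name) - header_time).total_seconds()


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    for zone in ("UTC", "Asia/Calcutta"):
        print(zone, alert_time_utc(alert, zone).isoformat(),
              "skew:", timestamp_skew_seconds(alert, zone), "s")
```

Run with the sample alert: interpreting the timestamp as UTC places the event 19800 seconds (5 h 30 min) after the instant recorded in the header, which is exactly the kind of drift that misaligns alerts against other sources in Datadog; with Asia/Calcutta the skew is zero.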
If a firewall is enabled, make sure it allows traffic to the configured port.
Port already in use:
If you see the Port <PORT_NUMBER> Already in Use error, see the following instructions. The example below is for port 514:
On systems using Syslog, if the Agent listens for OSSEC logs on port 514, the following error can appear in the Agent logs: Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use. This error occurs because Syslog listens on port 514 by default. To resolve this error, take one of the following steps:
Disable Syslog.
Configure the Agent to listen on a different, available port.
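The "address already in use" error is the operating system's EADDRINUSE result from a UDP bind. The following example, added here and not part of the Datadog Agent, reproduces that check and picks the first free port from a candidate list, which is the decision behind the second resolution step. The candidate ports 10514 and 5140, the loopback address, and the helper that holds an ephemeral port to stand in for a running Syslog daemon are assumptions made for the example.

```python
import errno
import socket


def udp_port_available(port, host="127.0.0.1"):
    """Return True if a UDP listener could bind host:port right now.

    EADDRINUSE is the condition behind the Agent error
    'listen udp :514: bind: address already in use'. EACCES covers a
    privileged port (below 1024) attempted without root, which is equally
    unusable for the Agent, so it is reported as unavailable too.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        try:
            sock.bind((host, port))
        except OSError as exc:
            if exc.errno in (errno.EADDRINUSE, errno.EACCES):
                return False
            raise
    return True


def first_free_udp_port(ports, host="127.0.0.1"):
    """Return the first port in `ports` that is free, or None if all are taken."""
    for port in ports:
        if udp_port_available(port, host):
            return port
    return None


def occupy_ephemeral_udp_port(host="127.0.0.1"):
    """Bind an ephemeral UDP port and keep it open (constructed stand-in for a
    Syslog daemon that already owns the port). Returns (socket, port); close
    the socket to release the port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    # Hypothetical fallback list: the default 514 first, then unprivileged ports.
    candidates = [514, 10514, 5140]
    chosen = first_free_udp_port(candidates)
    if chosen is None:
        print("no free UDP port among", candidates)
    elif chosen == 514:
        print("port 514 is free; the Agent can keep the default port")
    else:
        print("port 514 is busy; configure the Agent to listen on", chosen)
```

Running the script as an unprivileged user on a host where Syslog holds port 514 prints the fallback port; that port is then the value to set for the Agent's UDP listener.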