Overview
OSSEC is an open source, host based intrusion detection system. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. It helps to monitor and manage security events across various IT infrastructures.
This integration ingests the following types of logs:
- FTPD
- Firewall
- System
- Syslog
- SSHD
- PAM
- Windows
- Web access
Visualize detailed insights into these logs through the out-of-the-box dashboards.
Setup
Installation
To install the OSSEC Security integration, run the following Agent installation command and the steps below. For more information, see the Integration Management documentation.
Note: This step is not necessary for Agent version >= 7.57.0.
Linux command
sudo -u dd-agent -- datadog-agent integration install datadog-ossec_security==1.0.0
Configuration
Logs collection
Collecting logs is disabled by default in the Datadog Agent. Enable it in datadog.yaml
:
Add this configuration block to your ossec_security.d/conf.yaml
file to start collecting your logs.
Use the UDP method to collect the OSSEC alerts data.
See the sample ossec_security.d/conf.yaml for available configuration options.
logs:
- type: udp
port: <PORT>
source: ossec-security
service: ossec-security
Note: It is recommended not to change the service and source values, as these parameters are integral to the pipeline’s operation.
Restart the Agent.
Add following configuration in /var/ossec/etc/ossec.conf
.
In this example, all alerts are sent to 1.1.1.1 on port 8080 in JSON format.
<syslog_output>
<server>1.1.1.1</server>
<port>8080</port>
<format>json</format>
</syslog_output>
Note: Using JSON format is required, since OSSEC Security pipeline parses JSON formatted logs only.
Enable client-syslog process:
/var/ossec/bin/ossec-control enable client-syslog
Restart the OSSEC service:
/var/ossec/bin/ossec-control restart
Enable firewall logs collection (optional):
OSSEC server does not forward the firewall alert logs by default. To forward firewall alert logs via OSSEC server, follow the steps below.
Locate the firewall_rules.xml
file at /var/ossec/rules/firewall_rules.xml
.
Edit firewall_rules.xml
to remove all the occurrences of the below line from the file:
<options>no_log</options>
- Restart your OSSEC server:
/var/ossec/bin/ossec-control restart
Specify a time zone other than UTC in the OSSEC Security Datadog log pipeline
Datadog expects all logs to be in the UTC time zone by default. If the timezone of your OSSEC logs is not UTC, specify the correct time zone in the OSSEC Security Datadog pipeline.
To change the time zone in OSSEC Security pipeline:
Navigate to the Pipelines page in the Datadog app.
Enter “OSSEC Security” in the Filter Pipelines search box.
Hover over the OSSEC Security pipeline and click on the clone button. This will create an editable clone of the OSSEC Security pipeline.
Edit the Grok Parser using the below steps:
- In the cloned pipeline, find a processor with the name “Grok Parser: Parsing OSSEC alerts” and click on the
Edit
button by hovering over the pipeline. - Under Define parsing rules,,
- Change the string
UTC
to the TZ identifier of the time zone of your OSSEC server. For example, if your timezone is IST, you would change the value toAsia/Calcutta
.
- Click the update button.
Validation
Run the Agent’s status subcommand and look for ossec_security
under the Checks section.
Data Collected
Log
Format | Event Types |
---|
JSON | syslog, sshd, pam, ossec, windows, firewall, ftpd, web_access |
Metrics
The OSSEC Security integration does not include any metrics.
Events
The OSSEC Security integration does not include any events.
Service Checks
The OSSEC Security integration does not include any service checks.
Troubleshooting
Permission denied while port binding:
If you see a Permission denied error while port binding in the Agent logs:
Binding to a port number under 1024 requires elevated permissions. Grant access to the port using the setcap
command:
sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/datadog-agent/bin/agent/agent
Verify the setup is correct by running the getcap
command:
sudo getcap /opt/datadog-agent/bin/agent/agent
With the expected output:
/opt/datadog-agent/bin/agent/agent = cap_net_bind_service+ep
Note: Re-run this setcap
command every time you upgrade the Agent.
Restart the Agent.
Data is not being collected:
Make sure that traffic is bypassed from the configured port if the firewall is enabled.
Port already in use:
If you see the Port <PORT_NUMBER> Already in Use error, see the following instructions. The example below is for port 514:
On systems using Syslog, if the Agent listens for OSSEC logs on port 514, the following error can appear in the Agent logs: Can't start UDP forwarder on port 514: listen udp :514: bind: address already in use
. This error occurs because by default, Syslog listens on port 514. To resolve this error, take one of the following steps:
- Disable Syslog.
- Configure the Agent to listen on a different, available port.
For further assistance, contact Datadog support.