OSSEC and VMware
Welcome to version 1 of this howto on installing OSSEC for use with VMware.
About OSSEC (www.ossec.net)
OSSEC is a free-to-use piece of software developed by Trend Micro. It allows easy collection of log files from multiple servers (like ESX, ESXi, vCenter, View, etc.) into a single database and analyzes them to generate hopefully useful alerts.
Why use OSSEC?
- If you are like me running ESXi with no local storage, you will find that all logging is done in temporary space only. This means that if your ESXi server reboots, all your log files are gone. Having central logging gives you persistent logging (you can also place your ESX log files on a persistent file system).
- vCenter does have alerts, but those are mainly focused on the health of the environment, not on security. For instance, if anyone is doing a brute-force attack against your ESX(i) or VC host, you would not know at all and vCenter would certainly not tell you. With OSSEC this is logged, and when it notices multiple failed login entries in a short period of time it even escalates the alarm and emails you.
- If you ever experienced something going bad in your VMware environment that vCenter did not alert you about, you can make a new rule in OSSEC to monitor for that particular scenario (if of course vCenter did not have a built-in alarm to do so).
Creating the OSSEC Server
- Install Ubuntu 10.10-i386 server (http://www.ubuntu.com/business/get-ubuntu/download)
- During install select [x] LAMP Server
- Give user root a password: sudo passwd
- Login as root
- Install ssh: apt-get install ssh
- Now we can log in using ssh, which works much better than the console
- Let’s install vmware tools
- Mount the VMware tools cd, by selecting ‘install vmware tools’ in your vSphere Client
- Make the cd available in Ubuntu by: mount /dev/cdrom /media/cdrom
- Copy the vmware tools file to your home dir: cp /media/cdrom/VMwareTools-8.4.5-324285.tar.gz ~/.
- Unzip the file: tar zxvf VMwareTools-8.4.5-324285.tar.gz
- Install vmware tools: ./vmware-tools-distrib/vmware-install.pl
- Just hit enter many times to accept all the default values
- Download ossec:
- Unzip ossec: tar zxvf ossec-hids-latest.tar.gz
- Before we install ossec, we want to recompile it so it supports databases.
- Install mysql dev libraries: apt-get install libmysqlclient-dev
- Go into the ossec-hids-2.5.1/src directory
- Run: make setdb
- It should say: “info: Compiled with MySql support”
- Go back one directory
- Install ossec by: ./install.sh
- Choose kind of installation: server
- Accept all other defaults (and make sure you leave the default [y] for enable remote syslog)
- Let’s create a database and user account in MySQL:
- Run mysql (or mysql -p if you set a password for the root account in MySQL)
- Create a database: create database ossec;
- Create a user account: create user 'ossecuser'@'localhost' identified by 'password_you_want_to_use';
- Set privileges: grant all privileges on ossec.* to 'ossecuser'@'localhost';
- Exit out of mysql by typing: exit
- Get the mysql schema: wget http://www.ossec.net/files/other/mysql.schema
- Add the schema to the database: mysql -p ossec < mysql.schema
- We now can configure ossec to use mysql. Edit the ossec conf file: nano /var/ossec/etc/ossec.conf
- After </global> add:
- Save the file by pressing control-X
- Run the command: /var/ossec/bin/ossec-control enable database
- Restart ossec: /var/ossec/bin/ossec-control restart
If things went well, database logging should now be started. You can check this with the command: grep ossec-dbd /var/ossec/logs/ossec.log
It should return:
ossec-dbd: Connected to database 'ossec' at '127.0.0.1'.
ossec-dbd: INFO: Started (pid: 9721).
- Let’s disable “active-response”. OSSEC can execute commands based on certain alarms. I found that with ‘agentless remote syslog’ this does not work: when an ESX server is attacked, it will block traffic on the OSSEC server, not on the actual ESX server.
- To disable active response, edit the file /var/ossec/etc/ossec.conf
- Find the section “<active-response>”
- Add the following line within the <active-response> segment:
[Optionally] If you want to manage the database easily, you can install phpmyadmin.
- Run the command: apt-get install phpmyadmin
- Select [x] apache2 during this install
- After the install you can browse to: http://your_ip/phpmyadmin
- If you do use phpmyadmin, you will need to add a rule to ossec, else ossec will see phpmyadmin activity as a web threat. To ignore this, edit the file /var/ossec/rules/local_rules.xml and add this section:
<rule id="100013" level="0">
<description>Ignoring phpMyAdmin events.</description>
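A complete version of that ignore rule, as an added example and not the original post's exact rule: the rule id and description follow the howto, while the if_sid (OSSEC's web-access grouping rule 31100) and the url match under /phpmyadmin are assumptions for a default Ubuntu/Apache setup where the phpMyAdmin requests arrive through the Apache access log.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example; if_sid and url are assumed) -->
<group name="local,syslog,">

  <!-- Level 0 silences the event. Making the rule a child of 31100
       ("access log messages grouped") limits it to web access log entries,
       and the url restricts it further to requests under /phpmyadmin. -->
  <rule id="100013" level="0">
    <if_sid>31100</if_sid>
    <url>/phpmyadmin</url>
    <description>Ignoring phpMyAdmin events.</description>
  </rule>

</group>
```

This also hides genuine attacks that come in through /phpmyadmin, so keep phpMyAdmin reachable only from trusted addresses.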
Configuring remote syslog on your ESXi servers
- Click on the esx host in your VC client and select the ‘configuration’ tab.
- Click on ‘advanced settings’
- Click on ‘syslog’
- Type in the ip address (or dns) of your ossec server in the ‘Syslog.Remote.Hostname’ field
- On the ossec server you need to whitelist the IP addresses of the ESX hosts that send remote syslog. Edit the /var/ossec/etc/ossec.conf file and go to the section:
<allowed-ips>ip address of your esx host1</allowed-ips>
<allowed-ips>ip address of your esx host2</allowed-ips>
- Restart the ossec service by running: /var/ossec/bin/ossec-control restart
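The ossec.conf fragments from the steps above put together as an added example (not copied from the original post): the <database_output> block that goes after </global>, the <active-response> section switched off, and the <remote> section that carries the <allowed-ips> entries. The host 127.0.0.1, the user ossecuser and the database name match the earlier MySQL steps; the password and the two ESX host addresses are placeholders.

```xml
<ossec_config>
  <global>
    <!-- existing global settings stay as they are -->
  </global>

  <!-- Goes right after </global>: tells ossec-dbd where to store alerts.
       Database and user as created in the MySQL steps; password is a placeholder. -->
  <database_output>
    <hostname>127.0.0.1</hostname>
    <username>ossecuser</username>
    <password>password_you_want_to_use</password>
    <database>ossec</database>
    <type>mysql</type>
  </database_output>

  <!-- With agentless syslog there is no agent on the ESX host to run a
       response on, so any block would land on the OSSEC server itself. -->
  <active-response>
    <disabled>yes</disabled>
  </active-response>

  <!-- Remote syslog listener (left enabled during install.sh). Only the
       listed sources are accepted; 192.0.2.x are example addresses,
       replace them with the real IPs of your ESX hosts. -->
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.0.2.10</allowed-ips>
    <allowed-ips>192.0.2.11</allowed-ips>
  </remote>
</ossec_config>
```

Run /var/ossec/bin/ossec-control enable database and restart OSSEC after editing, as in the steps above, for the database section to take effect.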
Modifying the default rules (needed if you run ESXi 4.1):
- You probably want to disable basic rule 1002, which can be found in /var/ossec/rules/syslog_rules.xml
Find rule 1002 and comment it out so it is not active. This rule generates too many alerts, as VMware’s servers log a lot of information that is often seen as an alert because of this rule.
- If you are running ESXi 4.1 like me you need to modify the current VMware decoder, as it is not decoding VMware messages correctly due to a change in the logging format. Edit the file (with nano) /var/ossec/etc/decoder.xml
- Scroll down to the VMware section (or press control-W and enter vmware)
- Change the first 2 segments to:
<prematch>^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d.\d\d\d \w+ </prematch>
- As an ESX host seriously likes to log a lot, I would recommend toning down all the warning messages, else you will see a lot of rule 19104 alerts coming by. Edit /var/ossec/rules/vmware_rules.xml
Find rule 19104 and change level 3 to level 0
Installing OSSEC on your vCenter server and View servers
OSSEC comes with a Windows agent that can also collect event log details and translate them to syslog format, so they can all be stored in the same database and processed for alerts.
- Before we install the agent, we need to create an authentication key per agent. This can be done on the ossec server by running the command: /var/ossec/bin/manage_agents
- Select option (A) to add an agent
- Give a name for the agent (for instance ‘vCenterServer’)
- Provide the IP of the agent
- Accept the default generated ID
- And confirm the adding action
- Now select (E) to get the authentication key of the newly added agent
- Provide the agent ID (like 001) and the key will be displayed.
- Restart ossec by running the command: /var/ossec/bin/ossec-control restart
- Download the ossec agent at: http://www.ossec.net/main/downloads/
- Run the installer on your vCenter server and/or View Servers
- After the installer finishes, a program called the “ossec Agent Manager” will launch
- Enter the Ossec Server IP
- Enter the authentication key from the previous step
- Save the information and click on the ‘Manage’ menu and Start OSSEC
Monitoring the alerts
- A simple way to monitor the alerts on the ossec server is with the command:
tail -f -n 100 /var/ossec/logs/alerts/alerts.log
- You can also see all the alerts in MySQL using the phpMyAdmin tool.
- The next step would of course be to create a web page that shows you the alerts of the various levels. OSSEC also already has a web interface; you can download it at http://www.ossec.net/main/downloads/ and install it on the ossec server.
Next Steps / Need your help!
- OSSEC works best with a really good set of rules! So let’s share our experiences with each other so we can jointly create the ultimate VMware (supporting ESX, ESXi, vCenter, View, etc.) rule set.
- Please provide any feedback to firstname.lastname@example.org and I will post updated vmware rule sets on www.run-virtual.com