For a while, I was looking for a good solution to display my OSSEC server status in (near) real time. For most of us, classic log file monitoring still relies on “tail | grep | awk | less”. Even if it catches perfectly the events you are looking for, you can still miss very important ones. OSSEC has its own WebUI but it is quite old (the latest release dates from 2008) and, even if it comes with a lot of interesting features, it does not match my main requirement: a single dashboard with relevant live information about my OSSEC infrastructure.
Designing a dashboard is not an easy task! I always remember my statistics professor, who said that numbers can be manipulated: it is always possible to express quantitative results in different ways. How do you make your dashboard relevant? This topic was also discussed by Wim Remes during the latest BlackHat Europe in Barcelona. I don’t pretend to have the best dashboard ever; what’s more, I’m not a developer. Here is my current dashboard:
Current features are:
- Configurable time windows (30 mins, 1 hour, 3 hours, …).
- Auto-refresh (to be displayed on a standalone screen or beamer).
- Based on Portlets which can be organized, minimized (and restored!) as you want.
- Some graphical indicators (because a picture is worth a thousand words!).
First, I needed to find a good interface, as I don’t have the knowledge to build my own. I looked for cool examples based on jQuery and found this one. Why reinvent the wheel? The link with the OSSEC server is performed via the DB output module: OSSEC writes all the required information into its database. Each portlet makes its own connection to the database to execute SQL queries and display the results. The following portlets are available at the moment (all of them based on the selected time period):
- Top-10 Alerts: Reports the 10 most reported alerts.
- Top-10 Suspicious: Reports the 10 least reported alerts (can be useful to detect activities occurring “below the radar”).
- Top-10 Agents: Reports the agents/log files which generated the largest number of alerts.
- Top-10 Attackers: Reports the IP addresses which generated the largest number of alerts (click on the IP address to perform a Whois request).
- Top-10 Locations: Performs geolocation on attacker IP addresses and reports the most suspicious countries.
- Events Timeline: Displays the number of alerts generated for the last ten time periods.
- Trend Level: Displays the current average alert level and, based on the previous time interval, a trend represented by a colored arrow.
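As an added example (not the dashboard’s own PHP code), here are the core queries behind the Top-10 Alerts, Top-10 Suspicious and Trend Level portlets, run against a constructed in-memory SQLite stand-in for the OSSEC database. The table and column names (alert, signature, rule_id, level, timestamp, src_ip) are an assumption about the OSSEC DB output schema, and the rule ids, descriptions and IPs are constructed sample data.

```python
import sqlite3

# Constructed stand-in for the OSSEC DB output tables (assumed names/columns).
SCHEMA = """
CREATE TABLE signature (rule_id INTEGER PRIMARY KEY, level INTEGER, description TEXT);
CREATE TABLE alert (id INTEGER PRIMARY KEY, rule_id INTEGER, timestamp INTEGER, src_ip TEXT);
"""

def top_alerts(conn, now, window, rare=False, limit=10):
    """Rule hit counts inside (now-window, now]: most reported, or least reported
    when rare=True (the 'below the radar' view). User input is bound, never concatenated."""
    order = "ASC" if rare else "DESC"          # fixed keyword, not user-controlled
    sql = ("SELECT s.rule_id, s.level, s.description, COUNT(*) AS hits "
           "FROM alert a JOIN signature s ON s.rule_id = a.rule_id "
           "WHERE a.timestamp > ? AND a.timestamp <= ? "
           f"GROUP BY s.rule_id ORDER BY hits {order}, s.level DESC LIMIT ?")
    return conn.execute(sql, (now - window, now, limit)).fetchall()

def trend_level(conn, now, window):
    """Average alert level of the current window versus the previous one,
    plus the arrow the Trend Level portlet would draw (up/down/flat)."""
    sql = ("SELECT AVG(s.level) FROM alert a JOIN signature s ON s.rule_id = a.rule_id "
           "WHERE a.timestamp > ? AND a.timestamp <= ?")
    cur = conn.execute(sql, (now - window, now)).fetchone()[0] or 0.0   # None when empty
    prev = conn.execute(sql, (now - 2 * window, now - window)).fetchone()[0] or 0.0
    arrow = "up" if cur > prev else ("down" if cur < prev else "flat")
    return round(cur, 2), round(prev, 2), arrow

def demo_db(now=86400, window=1800):
    """Constructed sample data: one noisy low-level rule, two rare high-level ones,
    and a few older alerts that fall only in the previous window."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?)", [
        (100001, 5, "User login failed (constructed)"),
        (100002, 10, "Brute force attempt (constructed)"),
        (100003, 12, "New root account added (constructed)"),
    ])
    rows = [(100001, now - 60 * i, "198.51.100.7") for i in range(20)]       # 20 hits, current
    rows += [(100002, now - 600 * i, "203.0.113.9") for i in range(3)]        # 3 hits, current
    rows += [(100003, now - 900, "10.0.0.5")]                                  # 1 hit, current
    rows += [(100001, now - window - 60 * (i + 1), "198.51.100.7") for i in range(5)]  # previous
    conn.executemany("INSERT INTO alert (rule_id, timestamp, src_ip) VALUES (?, ?, ?)", rows)
    return conn

if __name__ == "__main__":
    db = demo_db()
    print(top_alerts(db, 86400, 1800))             # Top-10 Alerts
    print(top_alerts(db, 86400, 1800, rare=True))  # Top-10 Suspicious
    print(trend_level(db, 86400, 1800))            # Trend Level
```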
The next step will be to implement:
- A caching system to improve performance.
- A search engine to search across the alerts based on regular expressions.
Any other idea is welcome! The installation is pretty straightforward: configure your OSSEC server with database support, then install the PHP code on a LAMP server which can access the OSSEC MySQL database. The code is available here. Feel free to re-use it and contribute.