For a while, I was looking for a good solution to display my OSSEC server status in (near) real time. For most of us, the classic log file monitoring tool still remains based on the “tail | grep | awk | less” commands. It catches the events you are looking for perfectly, but you can miss very important ones. OSSEC has its own WebUI but it is quite old (the latest release dates from 2008) and, even if it comes with a lot of interesting features, it does not match my main requirement: to have a unique dashboard with relevant live information about my OSSEC infrastructure.
Designing a dashboard is not an easy task! I always remember my statistics professor who said that numbers can be manipulated. It is always possible to express quantitative results in different ways. How to make your dashboard relevant? This topic was also discussed by Wim Remes during the latest BlackHat Europe in Barcelona. I don’t pretend to have the best dashboard ever. What’s more, I’m not a developer. Here is my current dashboard:
Current features are:
- Configurable time windows (30 mins, 1 hour, 3 hours, …).
- Auto-refresh (to be displayed on a standalone screen or beamer).
- Based on Portlets which can be organized, minimized (and restored!) as you want.
- Some graphical indicators (because a picture is worth a thousand words!).
First, I needed to find a good interface as I don’t have the knowledge to build my own. I looked for cool examples based on jQuery and found this one. Why reinvent the wheel? The link with the OSSEC server is performed via the DB output module. OSSEC will write all the required information into its database. Each portlet makes its own connection to the database to execute SQL queries and display the results. The following portlets are available at the moment (all of them based on the selected time period):
- Top-10 Alerts: reports the 10 most reported alerts.
- Top-10 Suspicious: reports the 10 least reported alerts (can be useful to detect activities occurring “below the radar“).
- Top-10 Agents: reports the agents/log files which generated the largest number of alerts.
- Top-10 Attackers: reports the IP addresses which generated the largest number of alerts (click on the IP address to perform a Whois request).
- Top-10 Locations: performs geolocation on the attackers’ IP addresses and reports the most suspicious countries.
- Events Timeline: displays the number of alerts generated during the last ten time periods.
- Trend Level: displays the current average alert level and, based on the previous time interval, a trend represented by a colored arrow.
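As an added example (not the dashboard’s own PHP code), here are the queries that the Top-10 Alerts, Top-10 Suspicious, Top-10 Attackers and Trend Level portlets boil down to, run against an in-memory SQLite replica of a simplified OSSEC `alert`/`signature` schema. The column names are assumed from OSSEC’s MySQL schema, and every alert row is constructed sample data; the time window and limit are always bound parameters rather than string-built SQL.

```python
import sqlite3

# Simplified replica of OSSEC's alert/signature tables (assumption: the real schema has more columns).
SCHEMA = """
CREATE TABLE signature (rule_id INTEGER PRIMARY KEY, level INTEGER, description TEXT);
CREATE TABLE alert (id INTEGER PRIMARY KEY, rule_id INTEGER, level INTEGER,
                    timestamp INTEGER, src_ip TEXT);
"""
# Constructed sample data: rule ids, descriptions, IPs and alerts are illustrative only.
SIGS = [(5710, 5, "sshd: attempt to login using a non-existent user"),
        (5712, 10, "sshd: brute force trying to get access to the system"),
        (31101, 5, "web server 400 error code"),
        (1002, 2, "unknown problem somewhere in the system")]
ALERTS = [  # (rule_id, level, seconds before NOW, src_ip)
    (5710, 5, 60, "10.0.0.1"), (5710, 5, 120, "10.0.0.1"), (5710, 5, 300, "10.0.0.2"),
    (5712, 10, 90, "10.0.0.1"), (5712, 10, 600, "10.0.0.1"), (31101, 5, 1000, "10.0.0.3"),
    (1002, 2, 1700, "10.0.0.3"),                                   # ...current period
    (5710, 5, 2000, "10.0.0.2"), (31101, 5, 2500, "10.0.0.3"),
    (1002, 2, 3000, "10.0.0.3"),                                   # ...previous period
    (5712, 10, 7200, "10.0.0.1")]                                  # older, ignored
NOW = 1_000_000   # fixed "current time" so the results are reproducible
WINDOW = 30 * 60  # the dashboard's 30-minute time period

def build_db(now=NOW):
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO signature VALUES (?,?,?)", SIGS)
    con.executemany("INSERT INTO alert (rule_id, level, timestamp, src_ip) VALUES (?,?,?,?)",
                    [(r, lvl, now - ago, ip) for r, lvl, ago, ip in ALERTS])
    return con

def top10(con, now, window, by="rule", least=False, limit=10):
    """Top-10 Alerts (by='rule'), Top-10 Suspicious (least=True, rarest rules) or Top-10
    Attackers (by='ip'). Window/limit are bound; GROUP BY/ORDER BY parts are fixed constants."""
    label = "s.description" if by == "rule" else "a.src_ip"
    order = "ASC" if least else "DESC"
    sql = (f"SELECT {label} AS label, COUNT(*) AS n FROM alert a "
           "JOIN signature s ON s.rule_id = a.rule_id "
           f"WHERE a.timestamp > ? AND a.timestamp <= ? GROUP BY {label} "
           f"ORDER BY n {order}, label LIMIT ?")
    return con.execute(sql, (now - window, now, limit)).fetchall()

def trend_level(con, now, window):
    """Trend Level portlet: average level of the current period vs the previous one."""
    avg = "SELECT COALESCE(AVG(level), 0) FROM alert WHERE timestamp > ? AND timestamp <= ?"
    cur = con.execute(avg, (now - window, now)).fetchone()[0]
    prev = con.execute(avg, (now - 2 * window, now - window)).fetchone()[0]
    arrow = "up" if cur > prev else "down" if cur < prev else "flat"
    return round(cur, 2), arrow
```

With the sample data, `top10(db, NOW, WINDOW, least=True)` surfaces the single “unknown problem” alert that the most-frequent view buries at the bottom, which is exactly the “below the radar” case the Suspicious portlet is meant for.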
The next step will be to implement:
- A caching system to improve performance.
- A search engine to search across the alerts based on regular expressions.
Any other idea is welcome! The installation is pretty straightforward. Configure your OSSEC server with database support, then install the PHP code on a LAMP server which can access the OSSEC MySQL database. The code is available here. Feel free to re-use it and contribute.
To Derek, Nicole: I had the same problem and I fixed it. I have to replace "<?" with "<?php" in all "*.inc" and "*.php" files on all occurrences within the ossec_dashboard code. In my environment that tag "<?" was not interpreted as the beginning of a PHP script, but instead it was interpreted as text. I am using Apache on CentOS.
Configure your OSSEC server with database support
Nicole, I had the same issue. No fix yet. Anyone else out there fix?
This is a great tool – but I too am having implementation issues. DB connection is made and verified, but portlets are empty. Just wondering how others have dealt with this for debugging and working with it.
Everything seems to be set right and the DB function is working but the portlets aren't showing anything that the db_query is grabbing. What am I missing?
Great stuff, I was wondering have you tried to contact OSSEC-wui team and try to implement this into mainstream wui package?
Good work! I was looking for stuff like that. I’ll take a look at it soon.
Did this make it out of Alpha yet?
Yes, I configured OSSEC with DB support and inserted the credentials in the config file (settings.inc).
First of all, did you configure your OSSEC with DB support? Did you fix the credentials in the config file?
I’ve configured the dashboard to work with Ubuntu (11.04) – OSSEC installed as Local – but as soon as I access index.php on my machine all the values in the portlets are null (e.g. 0), even after refreshing the page.
What did I miss?
Thank you very much for this gift! Had long wanted to do something similar but I’m not a developer.
Installation is quick and easy. Only comment: I’ve had some minor problems and the graphs/applets did not display correctly. Errors:
– Undefined index: formAuto in /var/www/html/dashboard/index.php on line 4
– arsort() expects parameter 1 to be array, null given in /var/www/html/dashboard/content/top10locations.php
– Division by zero in /var/www/html/dashboard/content/timeline.php on line 33
I solved these problems by upgrading the packages on my Debian.
Thanks Xavier for the Dashboard, it will really help us a lot.
I’ve solved 😉
There should be a syntax error in one config file. Check out ossec.log first!
I’m clshack 😉
I’ve written a simple tutorial for OSSEC:
But received some error: