In the previous part of this series, we explored how to analyze and visualize OSSEC alerts in Kibana. To become more proactive in implementing HIDS, you need some way to be notified in real time when an event is taking place.
The ELK Stack, in its open source form, does not include an alerting mechanism. The options you have at your disposal are either paying for Watcher — an alerting plugin which is part of X-Pack by Elastic — or hacking your own alerting mechanism.
Logz.io includes a built-in and feature-rich alerting mechanism that allows you to create query-based alerts and get notified by email, Slack, PagerDuty, Datadog, HipChat or any messaging application that uses webhooks.
Creating a Logz.io Alert
As an example, let’s create an alert for OSSEC rules belonging to the Group 10 level.
This rule group includes bad passwords and multiple failed logins — which may indicate an attack, or simply that a user forgot their credentials (read about OSSEC rule levels here).
In Kibana, I first located a corresponding OSSEC alert with the following query:
Then, all we have to do is click the Create Alert button and define our new alert.
The Create Alert wizard allows you to configure the thresholds for triggering an alert and how you want to be notified (either by email or to an existing endpoint).
To add your own endpoint using the built-in integrations, check out the following posts:
Once finished, the Logz.io alerting engine will ping the system according to the mechanism you defined, and should the conditions be met — notify you via the chosen channel.
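To make concrete what a query-based, threshold alert over OSSEC output amounts to, here is an added example (not Logz.io's or Wazuh's code) of the "hack your own alerting" route mentioned at the top of this part: a small Python check that reads the JSON alerts the OSSEC manager writes, counts level-10 alerts per source IP within a sliding time window, and returns a notification when the threshold is crossed. The alert lines and their field names (`timestamp`, `rule.level`, `rule.description`, `srcip`) are constructed for the example and are assumptions about the JSON layout.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample alerts in the one-JSON-object-per-line form the OSSEC
# manager writes. Field names are an assumption for this example.
SAMPLE_ALERTS = """\
{"timestamp":"2017-03-01T10:00:00+0000","rule":{"level":10,"description":"Multiple authentication failures"},"srcip":"203.0.113.5"}
{"timestamp":"2017-03-01T10:00:30+0000","rule":{"level":5,"description":"sshd: authentication failed"},"srcip":"203.0.113.5"}
{"timestamp":"2017-03-01T10:01:00+0000","rule":{"level":10,"description":"Multiple authentication failures"},"srcip":"203.0.113.5"}
{"timestamp":"2017-03-01T10:01:30+0000","rule":{"level":10,"description":"Multiple authentication failures"},"srcip":"198.51.100.7"}
{"timestamp":"2017-03-01T10:20:00+0000","rule":{"level":10,"description":"Multiple authentication failures"},"srcip":"203.0.113.5"}
"""


def parse_alerts(text):
    """Parse JSON alert lines and attach a timezone-aware datetime as 'time'."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        alert["time"] = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S%z")
        alerts.append(alert)
    return alerts


def evaluate(alerts, level=10, threshold=2, window_seconds=300):
    """Threshold rule: notify once per source IP when `threshold` alerts of
    rule level `level` arrive within `window_seconds` of each other."""
    recent = defaultdict(deque)   # srcip -> timestamps of matching alerts
    notifications = []
    for alert in sorted(alerts, key=lambda a: a["time"]):
        if alert["rule"]["level"] != level:
            continue              # the "query" part: only the level we watch
        src = alert.get("srcip", "unknown")
        window = recent[src]
        window.append(alert["time"])
        # slide the window: drop matches older than window_seconds
        while (alert["time"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            notifications.append({"srcip": src, "count": len(window),
                                  "first": window[0].isoformat(),
                                  "last": alert["time"].isoformat(),
                                  "description": alert["rule"]["description"]})
            window.clear()        # suppress re-firing on every further alert
    return notifications


if __name__ == "__main__":
    for n in evaluate(parse_alerts(SAMPLE_ALERTS)):
        print(f"ALERT {n['srcip']}: {n['count']} x '{n['description']}' "
              f"between {n['first']} and {n['last']}")
```

In a real deployment the same check would poll the manager's alert file or Elasticsearch on a schedule and hand each notification to the email or webhook channel of your choice.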
Security strategies such as HIDS, SIEM, and PCI-DSS depend on a number of crucial elements including centralized logging, visualization, and alerting. The combination of Wazuh’s OSSEC and the ELK Stack supports almost all of these components out of the box:
- Wazuh OSSEC HIDS — for actions including rule-based log analysis (decoding), file integrity checking, and monitoring. Alerts are triggered, written as JSON, and stored locally by the OSSEC manager.
- Elasticsearch — for indexing and storing the OSSEC alerts. It can be deployed as a cluster for better performance and data replication.
- Logstash — for processing the JSON files and adding IP geolocation information before sending to Elasticsearch for indexing.
- Kibana — for visualizing and analyzing the alerts.
As explained at the beginning of this part of the series, alerting — not to be confused with OSSEC alerts, which can also be called OSSEC logs — is a feature that does not exist out of the box and is necessary for taking this integration to the next level.