15th August 2014

Open Source Network Security Tools Part 1: Event Log Management

Good quality network security tools aren’t cheap, and more often than not several tools are required to meet the various and often strict requirements of a watertight security policy. So, for those IT departments running on a tight budget, are open source security tools a viable option?

There are numerous open source tools available online which can help you secure your network in different ways (see this article for the ‘essential top 10 open source security tools’: http://hackertarget.com/10-open-source-security-tools/), however exploring and deploying open source solutions can be a leap into the unknown even for experienced IT professionals. Many open source tools are built upon Linux platforms and are deployed and configured via a terminal, which can be off-putting at first for those who enjoy the next-next-finish ‘wizard’ approach of the Microsoft world. Yet, for me, there’s something about ditching the mouse and entering commands into a Linux terminal emulator with just the keyboard that appeals to my inner geek and makes me feel like I am doing something far cooler and much more important than I actually am! So with this in mind I began to explore and evaluate open source tools on Linux in order to meet a requirement that arose for automated event log management.

Combing through Windows server logs manually as part of a daily checking routine is a task barely worth contemplating, because of the time it takes to sift through endless log entries across multiple servers. Add into the mix that the checking is performed by a human, which generally means the process is prone to error, and log entries worthy of note can easily be overlooked.

It is also worth mentioning that if your organisation must comply with a strict security standard (PCI DSS, for example), then a manual daily log-checking procedure just won’t cut it if your security processes were to be reviewed by a Qualified Security Assessor. Although I often find that I get different answers depending on which QSA I contact when it comes to PCI compliance questions, whether or not you need to be compliant, security logs really should be collected centrally, stored, queried and reported on from a single management interface.

Over a period of a month I trialled numerous solutions (AlienVault OSSIM (the free open source edition, not the commercial one), Security Onion, OSSEC HIDS and Splunk (free trial)), but in the end I settled on OSSEC HIDS (http://www.ossec.net/) as the solution I wanted to run with in a production environment.

I downloaded the Ubuntu Server 14.04.1 .iso (http://www.ubuntu.com/download/server) and spun up a virtual machine on my Hyper-V environment (I had previously used 14.04 but found issues with the Ubuntu Desktop, particularly the terminal emulator crashing every few minutes, which was a real problem). Once Ubuntu was installed, I ran sudo apt-get update from the terminal to refresh the package lists (sudo apt-get upgrade is what then actually applies the updates) and then installed the Xubuntu desktop: sudo apt-get install xubuntu-desktop. The desktop is a convenience for administering the box locally; OSSEC itself and its web UI only need a terminal and a browser on another machine, so on a server you can skip it.

I then downloaded and installed Veeam Zip (also free: http://go.veeam.com/free-vm-backup-beta) onto my Windows laptop and connected it to my Hyper-V host. I then took a backup of my newly created Ubuntu server just in case my Ubuntu install became unstable (this has happened to me quite a few times before when tinkering with Linux and open source!) as I wanted to avoid having to rebuild the server from scratch.

When it came to installing OSSEC I found this extremely useful tutorial on YouTube (https://www.youtube.com/watch?v=7P5LyU69ceM) which showed me most of what I needed to know to get OSSEC running. What the video didn’t tell me is that I had to make the following changes to get my install working, and you may have to do the same:

Install Apache 2 Utils (this package provides htpasswd, which the OSSEC web UI’s setup script uses to create its login):
sudo apt-get install apache2-utils

Edit the default Apache site configuration:
sudo nano /etc/apache2/sites-enabled/000-default.conf

And change the DocumentRoot value to /var/www

On Ubuntu 14.04 Apache 2.4 serves /var/www/html by default, so a web UI unpacked under /var/www is not reachable until DocumentRoot is changed. Bear in mind that this serves everything under /var/www, so keep the htpasswd login the web UI setup creates, and restrict access to the management network (the UI exposes every alert from every monitored server).

Once I’d made these changes my OSSEC server was up and running. After that, it was simply a case of running sudo /var/ossec/bin/manage_agents to add agents to my OSSEC installation, then downloading (http://www.ossec.net/?page_id=19) and installing the Windows agent on to the servers I wanted OSSEC to monitor. Each agent gets its own key, which manage_agents extracts on the server and you paste into the agent’s Manage Agent dialogue along with the server’s IP; agents talk to the server on UDP 1514, so that port needs to be open from the monitored servers. This tutorial is a handy guide to installing and configuring the Windows agents: http://tech.sfsu.edu/guides/ossec-implementation#windows_agent


I have been running OSSEC for over a week now and have used its search function each morning to search security logs for failed logon attempts and anything else that I thought appropriate from 5pm the previous day. I have also enabled SMTP alerts so that I receive emails for any security alerts with an OSSEC-rated severity of over ‘8’ (OSSEC rates alerts on a 0 to 15 scale). This means that I receive alerts pretty much only for multiple audit or logon failures (the important ones) and not every single security event.
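The morning review described above can be scripted against OSSEC’s own alert file rather than clicked through in the web UI. The following is an added example, not code from the original post or from the OSSEC project: it parses records in the layout of /var/ossec/logs/alerts/alerts.log, keeps those since 5pm the previous day, and reports the high-severity alerts (the same threshold the email alerts use) together with Windows logon failures per user and per server. The sample records are constructed, not captured from a real server, and the rule numbers and descriptions only approximate OSSEC’s bundled rules.

```python
"""Daily OSSEC alert review: parse alerts.log, keep alerts since a cut-off,
and report high-severity alerts and Windows logon failures per user.

Added example, not code from the original post or from the OSSEC project.
It assumes the layout of OSSEC's /var/ossec/logs/alerts/alerts.log; the
sample records below are constructed, not captured from a real server.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the shape of alerts.log: a header line, a source line,
# a rule line and optional "User:" / "Src IP:" lines per alert. Rule ids and
# descriptions approximate OSSEC's bundled rules; "mail" in the header marks
# an alert that reached the email threshold.
SAMPLE_ALERTS = """\
** Alert 1408035600.1001: - windows,authentication_failed,
2014 Aug 14 16:00:00 (WINSRV01) 10.0.0.5->WinEvtLog
Rule: 18105 (level 4) -> 'Windows Logon Failure.'
User: jsmith
WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: An account failed to log on.

** Alert 1408039200.1002: - windows,authentication_failed,
2014 Aug 14 17:00:00 (WINSRV01) 10.0.0.5->WinEvtLog
Rule: 18105 (level 4) -> 'Windows Logon Failure.'
User: jsmith
WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: An account failed to log on.

** Alert 1408039260.1003: mail  - windows,authentication_failures,
2014 Aug 14 17:01:00 (WINSRV01) 10.0.0.5->WinEvtLog
Rule: 18153 (level 10) -> 'Multiple Windows Logon Failures.'
User: jsmith
WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: An account failed to log on.

** Alert 1408093200.1004: - windows,authentication_failed,
2014 Aug 15 08:00:00 (WINSRV02) 10.0.0.6->WinEvtLog
Rule: 18105 (level 4) -> 'Windows Logon Failure.'
User: abrown
WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: An account failed to log on.

** Alert 1408096800.1005: mail  - syslog,sshd,authentication_failures,
2014 Aug 15 09:00:00 ossec-server->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 203.0.113.9
Aug 15 09:00:00 ossec-server sshd[2211]: Failed password for root from 203.0.113.9 port 51022 ssh2
"""

HEADER = re.compile(r"^\*\* Alert \d+\.\d+:\s*(mail)?\s*-\s*(.*)$")
SOURCE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?:\((.+?)\) )?(\S+)->(.+)$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
TIME_FORMAT = "%Y %b %d %H:%M:%S"
LOGON_GROUPS = {"authentication_failed", "authentication_failures"}


def parse_alerts(text):
    """Return one dict per alert; unrecognised lines (the raw event) are skipped."""
    alerts, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {
                "emailed": m.group(1) is not None,
                "groups": [g for g in m.group(2).split(",") if g],
                "time": None, "agent": None, "location": None,
                "rule": None, "level": 0, "description": "",
                "user": None, "src_ip": None,
            }
            alerts.append(current)
            continue
        if current is None:
            continue
        m = SOURCE.match(line)
        if m:
            current["time"] = datetime.strptime(m.group(1), TIME_FORMAT)
            # Remote agents appear as "(name) ip"; the manager itself has no parentheses.
            current["agent"] = m.group(2) or m.group(3)
            current["location"] = m.group(4)
            continue
        m = RULE.match(line)
        if m:
            current["rule"] = int(m.group(1))
            current["level"] = int(m.group(2))
            current["description"] = m.group(3)
        elif line.startswith("User: "):
            current["user"] = line[len("User: "):].strip()
        elif line.startswith("Src IP: "):
            ip = line[len("Src IP: "):].strip()
            current["src_ip"] = None if ip == "(none)" else ip
    return alerts


def previous_day_cutoff(now, hour=17):
    """Start of the review window: <hour>:00 on the day before <now>."""
    return (now - timedelta(days=1)).replace(hour=hour, minute=0, second=0, microsecond=0)


def alerts_since(alerts, cutoff):
    """Alerts whose source timestamp (agent-local time, as logged) is at or after cutoff."""
    return [a for a in alerts if a["time"] is not None and a["time"] >= cutoff]


def summarise(alerts, min_level=8):
    """High-severity alerts (those the email threshold would pass) plus
    Windows logon failures counted per user and per agent."""
    high = [a for a in alerts if a["level"] >= min_level]
    logon = [a for a in alerts if LOGON_GROUPS & set(a["groups"]) and a["user"]]
    return {
        "high_severity": high,
        "logon_failures_by_user": Counter(a["user"] for a in logon),
        "logon_failures_by_agent": Counter(a["agent"] for a in logon),
    }


if __name__ == "__main__":
    # Pretend the review runs at 09:30 on 15 Aug; in production read the real
    # alerts.log and use datetime.now() instead of the fixed time and sample.
    window = previous_day_cutoff(datetime(2014, 8, 15, 9, 30))
    report = summarise(alerts_since(parse_alerts(SAMPLE_ALERTS), window))
    for a in report["high_severity"]:
        print(f"level {a['level']:2} {a['agent']:<14} rule {a['rule']} {a['description']}")
    print("logon failures by user:", dict(report["logon_failures_by_user"]))
```

The level threshold here is the same number you set in ossec.conf: email_alert_level in the alerts section decides what gets emailed, and log_alert_level decides what is written to alerts.log at all, so anything below that second value never reaches a script like this. Timestamps are compared as the agent wrote them, so agents in a different time zone from the server need the cut-off adjusting.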

OSSEC is successfully monitoring the servers I need it to, and is also delivering the functionality that I require. Is it PCI compliant? Well, I won’t really know until I next speak to a QSA, but it’s far superior to any manual daily check, and I also no longer have to log into my network over a weekend to monitor logs because the SMTP alerts keep me abreast of what is going on. Another unexpected benefit is that I can now pre-empt calls from users who have locked out their accounts or are having trouble logging in, as I am alerted before they have had a chance to pick up the phone, and the Active Directory administration has been done before they have even reported the issue!

In answer to my question “are open source security tools a viable option?” well, for me, and as far as OSSEC is concerned, it’s a resounding yes!
