Testing Vyatta plugin for OSSIM
Once the Vyatta plugin has been upgraded or registered on the OSSIM agent, we can check that it works and that the OSSIM server is correctly receiving every event the plugin is meant to produce.
Following the steps below, we can replay a sample log file on our Vyatta system so that it is sent to the OSSIM agent, which has to analyze and normalize it.
- On OSSIM go to Analysis -> SIEM -> Real Time to watch events arriving at the OSSIM server in real time.
- On your Vyatta box, download the sample log files from openredes. The sample log files currently available are:
sample_firewall (2.8 KiB)
sample_ospf (1.2 KiB)
sample_ovpn (3.6 KiB)
sample_pamunix (970 bytes)
sample_pmacctd (85 bytes)
sample_vyatta (127 bytes)
sample_wlb (171 bytes)
sample_zebra (661 bytes)
For example:
vyatta:~# cd /tmp
vyatta:/tmp# wget http://www.openredes.com/wp-content/files/sample_ospf
- Feed the sample log file into syslog with the logger command:
vyatta:/tmp# logger -t 'ospfd[12122]' -f sample_ospf
Keep the Real Time window on OSSIM open while you execute the command above, and you should see the simulated logs arriving at the OSSIM server.
If you open the sample_ospf file and compare its content with the result of the normalization carried out by the Vyatta plugin, you will see that of all the events it contains only two kinds are sent to the OSSIM server: changes of the neighbor state machine (lines starting with nsm_change_state), three events, and adjacency changes (lines starting with AdjChg), eight events. The rest are discarded.
Check that this is exactly what the Real Time window on OSSIM shows.
Note:
The sample log files posted above have been modified: the logger command adds the date and the service to each log line, so that part had to be removed from every line of the sample logs to avoid duplicated information and to obtain log lines exactly as the Vyatta system generates them and the OSSIM agent expects them.
The logger command must therefore be run with the following options:
-t ospfd[12122] -> tags each log line with the corresponding service and PID. Quote the tag (-t 'ospfd[12122]') so the shell does not try to expand the square brackets as a glob pattern.
-f sample_ospf -> the sample log file to use.
To test another service, the best approach is to look at the vyatta.cfg file so that you can simulate the Vyatta logs exactly.
For example, to simulate "openvpn" events use something like -t 'openvpn[1003]' and -f sample_ovpn; to simulate "firewall" events use something like -t kernel and -f sample_firewall, and so on.
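To make the expected outcome of the test concrete, here is an added example (not code from the original post or from the openredes plugin) that models in Python the two halves of the procedure above: what `logger -t TAG -f FILE` turns each sample line into, and the filtering the plugin's normalization performs, forwarding only nsm_change_state and AdjChg events and discarding everything else. The sample messages, the event names, the syslog line layout and the regular expressions are constructed for this walk-through and modelled on the Quagga ospfd message format; they are not the real sample_ospf file nor the real patterns from vyatta.cfg.

```python
import re
import time
from collections import Counter

# Constructed sample OSPF messages, modelled on the format of Quagga/Vyatta
# ospfd log messages. This is NOT the content of the real sample_ospf file.
SAMPLE_OSPF = """\
interface 10.0.0.2 [2] join AllSPFRouters Multicast group.
nsm_change_state(10.0.0.1, Init -> 2-Way): scheduling new router-LSA origination
AdjChg: Nbr 10.0.0.1 on eth0:10.0.0.2: Init -> 2-Way (HelloReceived)
AdjChg: Nbr 10.0.0.1 on eth0:10.0.0.2: 2-Way -> ExStart (AdjOK?)
AdjChg: Nbr 10.0.0.1 on eth0:10.0.0.2: ExStart -> Exchange (NegotiationDone)
AdjChg: Nbr 10.0.0.1 on eth0:10.0.0.2: Exchange -> Loading (ExchangeDone)
AdjChg: Nbr 10.0.0.1 on eth0:10.0.0.2: Loading -> Full (LoadingDone)
nsm_change_state(10.0.0.1, Loading -> Full): scheduling new router-LSA origination
Packet[DD]: Neighbor 10.0.0.1 Negotiation done (Slave).
"""

# Assumed patterns modelling the two event families the post says the plugin
# keeps. The real vyatta.cfg regexes may differ; these exist for the walk-through.
EVENT_PATTERNS = {
    "ospf-nsm-change": re.compile(
        r"nsm_change_state\((?P<nbr>[\d.]+), (?P<old>\S+) -> (?P<new>\S+)\)"),
    "ospf-adjacency-change": re.compile(
        r"AdjChg: Nbr (?P<nbr>[\d.]+) on (?P<iface>\S+?): "
        r"(?P<old>\S+) -> (?P<new>\S+) \((?P<reason>[^)]+)\)"),
}

# Assumed BSD-style syslog layout: "Mon DD HH:MM:SS host tag: message".
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\s]+): (?P<msg>.*)$")


def syslog_line(tag, message, host="vyatta", when=None):
    """Render a message the way `logger -t TAG` makes it appear in syslog:
    the daemon prepends timestamp and hostname, logger supplies the tag."""
    ts = time.strftime("%b %d %H:%M:%S", when or time.localtime())
    return f"{ts} {host} {tag}: {message}"


def simulate_logger(sample_text, tag="ospfd[12122]", host="vyatta"):
    """Model `logger -t TAG -f FILE`: one syslog line per non-empty file line."""
    return [syslog_line(tag, m, host) for m in sample_text.splitlines() if m.strip()]


def normalize(syslog_lines):
    """Model the plugin's normalization: parse the syslog prefix, keep only
    lines matching a known event pattern, discard the rest.
    Returns (events, counts); each event is a dict ready for the SIEM."""
    events, counts = [], Counter()
    for line in syslog_lines:
        m = SYSLOG_PREFIX.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        tag, msg = m.group("tag"), m.group("msg")
        service = tag.split("[", 1)[0]  # "ospfd[12122]" -> "ospfd"
        for name, pattern in EVENT_PATTERNS.items():
            em = pattern.search(msg)
            if em:
                events.append({"event": name, "service": service,
                               "host": m.group("host"), "date": m.group("ts"),
                               **em.groupdict()})
                counts[name] += 1
                break
        else:
            counts["discarded"] += 1
    return events, counts


if __name__ == "__main__":
    lines = simulate_logger(SAMPLE_OSPF)
    events, counts = normalize(lines)
    print(f"{len(lines)} lines logged, {len(events)} events forwarded, "
          f"{counts['discarded']} discarded")
    for e in events:
        print(f"{e['event']}: {e['nbr']} {e['old']} -> {e['new']}")
```

Run it and compare the printed counts with what the Real Time window shows; with the real sample_ospf file the text above expects three nsm_change_state and eight AdjChg events. If OSSIM shows fewer events than the file should produce, the mismatch is usually either a plugin regex in vyatta.cfg or a syslog prefix (hostname or tag) that does not look like what the agent expects.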
References:
Vyatta plugin for OSSIM agent, by openredes.
Vyatta plugin for OSSIM agent installation guide, by openredes.
Vyatta plugin for OSSIM agent upgrade guide, by openredes.