Admin: Created page with "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' == OSSIM Configuration == === Configuration Files === OSSIM uses several key configuration files that define how it collects, analyzes, and stores security information. These files are typically located in `/etc/ossim/`. Key configuration files include: * /etc/ossim/ossim_setup.conf: This is the main configuration file for OSSIM setup. It contains paths, database creden..."

2026-01-17T09:40:44Z

Created page with "Category:Wiki '''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]''''' == OSSIM Configuration == === Configuration Files === OSSIM uses several key configuration files that define how it collects, analyzes, and stores security information. These files are typically located in `/etc/ossim/`. Key configuration files include: * **/etc/ossim/ossim_setup.conf**: This is the main configuration file for OSSIM setup. It contains paths, database creden..."

New page

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

== OSSIM Configuration ==

=== Configuration Files ===
OSSIM uses several key configuration files that define how it collects, analyzes, and stores security information. These files are typically located in `/etc/ossim/`.

Key configuration files include:
* **/etc/ossim/ossim_setup.conf**: This is the main configuration file for OSSIM setup. It contains paths, database credentials, and other environment-specific settings.
* **/etc/ossim/ossim_agent.conf**: Configuration for the agent that collects data from remote systems.
* **/etc/ossim/ossim_server.conf**: Configuration for the OSSIM server, where most of the analysis and correlation takes place.

Example of basic settings in `/etc/ossim/ossim_setup.conf`:
<nowiki>
# Database settings
db_host=localhost
db_name=ossim
db_user=ossim_user
db_password=secretpassword

# Timezone configuration
timezone=UTC</nowiki>

=== Configuring OSSIM Server ===
OSSIM server configuration determines how logs are processed, stored, and how different components interact.

Example of configuring the OSSIM server to collect logs from different network segments:
<nowiki>
# In the server.conf file
log_collector.enable=true
log_collector.port=514
log_collector.protocol=UDP</nowiki>

This enables the log collector on port 514 and uses UDP for log transport.

== OSSIM Components ==

=== Sensor and Agent Deployment ===
OSSIM relies on sensors and agents to collect logs and security data. Agents can be deployed on various endpoints, while sensors gather and process network data.

#### Configuring the OSSIM Agent:
The agent configuration file is `/etc/ossim/ossim_agent.conf`.

Example:
<nowiki>
# Enabling the agent
agent_enabled=true
agent_name=example_agent
sensor_ip=192.168.1.100</nowiki>

This configuration connects the agent to a specific sensor for data collection.

=== Data Collection and Log Parsing ===
OSSIM uses various parsers for different types of logs:
* Syslog
* Snort IDS logs
* Firewall logs
* Application logs

The OSSIM server processes these logs, correlates them, and provides alerts based on predefined policies.

Example of parsing syslog messages:
<nowiki>
syslog_parser.enabled=true
syslog_parser.source=udp://0.0.0.0:514</nowiki>

This enables the system to collect logs via syslog from any source on the network.

== Security Concepts ==

=== Role-Based Access Control (RBAC) ===
OSSIM supports role-based access control (RBAC), allowing administrators to define roles and restrict user access to specific data and functionality.

Example of configuring roles in OSSIM:
<nowiki>
# In the user management section
role=admin
permissions=all</nowiki>

This gives the `admin` role full access to all features in OSSIM.

=== Securing Database Connections ===
All interactions with the OSSIM database must be secured to prevent unauthorized access. OSSIM uses MySQL, and connections should be encrypted using SSL/TLS.

Configuration for SSL/TLS in `/etc/ossim/ossim_setup.conf`:
<nowiki>
db_ssl_enabled=true
db_ssl_cert_file=/etc/ssl/certs/ossim_server.crt
db_ssl_key_file=/etc/ssl/private/ossim_server.key</nowiki>

This ensures that the connection to the OSSIM database is encrypted.

=== Logging and Monitoring OSSIM Activity ===
OSSIM provides a robust logging system to track its own activities. Logs should be regularly reviewed to ensure the system is operating securely.

Logs are stored in `/var/log/ossim/`. Regularly check logs like `ossim-server.log` and `ossim-agent.log`.

Example of monitoring logs:
<nowiki>
tail -f /var/log/ossim/ossim-server.log</nowiki>

This command allows real-time monitoring of the OSSIM server log.

== Network Security Monitoring ==

=== Configuring Network Sensors ===
OSSIM includes network sensors for collecting network traffic data. These sensors can be placed at strategic points in the network to monitor traffic.

Example of configuring a network sensor:
<nowiki>
sensor.enabled=true
sensor.ip=192.168.1.101
sensor.interface=eth0</nowiki>

This sets up a network sensor on `eth0` of the host with IP `192.168.1.101`.

=== Integrating Snort IDS ===
Snort is often used in OSSIM as an Intrusion Detection System (IDS) to detect malicious network traffic.

To integrate Snort with OSSIM, ensure that Snort logs are forwarded to the OSSIM server.

Example Snort configuration for OSSIM:
<nowiki>
output alert_syslog: localhost,514</nowiki>

This sends Snort alerts to the OSSIM server on port 514.

== Troubleshooting ==

=== Troubleshooting OSSIM Server Connectivity ===
If the OSSIM server is not collecting or correlating data as expected, verify the following:
* The agent or sensor is configured correctly and reachable.
* The server has sufficient system resources (e.g., CPU, RAM).
* The firewall is not blocking necessary ports (e.g., UDP 514, port for database access).

Check for server status with:
<nowiki>
systemctl status ossim-server</nowiki>

This shows whether the server is running correctly.

=== Agent Not Sending Data ===
If an agent is not sending data to the OSSIM server, verify:
* The agent is properly configured to point to the correct sensor.
* The network connection is stable.
* The agent has sufficient permissions to send logs.

Check agent status:
<nowiki>
systemctl status ossim-agent</nowiki>

### Common Errors:
* Incorrect sensor IP address or port.
* Network issues or firewall blocking communication.

=== High CPU Usage or Slow Performance ===
High CPU usage can be caused by excessive log traffic, unoptimized configurations, or hardware limitations.

To monitor system performance:
<nowiki>
top</nowiki>

Identify processes consuming high CPU and analyze log data volume.

== Useful Links ==

* https://www.alienvault.com/products/ossim
* https://github.com/AlienVault-OSS/ossim
* https://www.cyberciti.biz/tips/how-to-check-ossim-server-status.html
* https://www.alienvault.com/blog/ossim-installation-guide
* https://www.youtube.com/channel/UCwDeTo54A5l1HFhdZCjPglw

----

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''

OSSIM - Base Documentation - Revision history