Writing Custom Rules for OSSEC: OpenVPN Edition

2 minute read Published:

I wrote some custom rules for OpenVPN on OSSEC yesterday; the full step-by-step with instructions for beginners is included in the latest revision of The Seven Minute Server. But I figure if you’re here, you were searching for this specifically, so here are the basics.

Basic decoder in /var/ossec/etc/local_decoder.xml:

<decoder name="openvpn">
  <prematch>^\w\w\w\s\w\w\w\s+\d+\s\d\d(:)\d\d(:)\d\d\s\d\d\d\d</prematch>
</decoder>

I’ll be honest, I’m not a total fan of this approach, but the error logs aren’t formatted consistently, and the only static portion is the date; on the Amazon Linux AMI, it’s the only program that logs in this format (dracut is close, but adds timezone before the year).
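To see what that prematch actually selects (and what it leaves alone), here is an added check that is not part of the original post or of OSSEC itself: it emulates the decoder's prematch with Python's re module against constructed log lines. It assumes OSSEC's \w, \s and \d can be approximated by Python's equivalents (OSSEC's \s is a single space and its \w also covers '@', so this is an approximation, not OSSEC's engine), and the sample lines, including the dracut line with a timezone before the year, are constructed from the post's description rather than captured from a real host.

```python
import re

# The prematch from the local_decoder.xml above, emulated in Python.
# Assumption: Python's \w/\s/\d are close enough to OSSEC's for this check;
# OSSEC's real regex engine is not used here.
OSSEC_PREMATCH = r"^\w\w\w\s\w\w\w\s+\d+\s\d\d(:)\d\d(:)\d\d\s\d\d\d\d"
PREMATCH_RE = re.compile(OSSEC_PREMATCH)

# Constructed sample lines (not real captures). The first two imitate OpenVPN's
# "Day Mon DD HH:MM:SS YYYY" prefix; the third imitates dracut, which (per the
# post) puts a timezone before the year; the fourth is an ordinary syslog line.
SAMPLE_LINES = [
    "Tue Mar  3 10:15:42 2020 TLS Error: TLS handshake failed",
    "Tue Mar  3 10:15:42 2020 203.0.113.5:51234 Connection reset, restarting [0]",
    "Tue Mar  3 10:15:42 UTC 2020 dracut: Starting plymouth daemon",
    "Mar  3 10:15:42 host sshd[123]: Accepted publickey for user",
]


def matches_openvpn_prematch(line):
    """True if the line would be handed to the 'openvpn' decoder."""
    return PREMATCH_RE.match(line) is not None


def extract_timestamp(line):
    """Return the matched date prefix, or None if the prematch does not fire.

    Useful when writing rules: everything after this prefix is the free-form
    OpenVPN message the rule's <match> has to key on.
    """
    m = PREMATCH_RE.match(line)
    return m.group(0) if m else None


def route_lines(lines):
    """Split lines into those the decoder claims and those it ignores."""
    claimed = [l for l in lines if matches_openvpn_prematch(l)]
    ignored = [l for l in lines if not matches_openvpn_prematch(l)]
    return claimed, ignored


if __name__ == "__main__":
    claimed, ignored = route_lines(SAMPLE_LINES)
    for l in claimed:
        print("openvpn:", extract_timestamp(l), "|", l[len(extract_timestamp(l)):].strip())
    for l in ignored:
        print("ignored:", l)
```

Running it shows the two OpenVPN lines picked up (with the date prefix split off from the variable message text) and the dracut and sshd lines left for other decoders, which is the behaviour the post relies on when it says the date is the only static part worth anchoring on.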

Writing Custom OSSEC Rules

8 minute read Published:

Our team recently implemented a proprietary security component for a web app we maintain. When it performs an action of note, the component writes the action to a log. As a system admin and tester babysitting a new component, I want to know about these actions when they happen, and this sounded like a perfect use case for OSSEC, an Open Source host-based intrusion detection system. OSSEC monitors system logs, checks for rootkits and system configuration changes, and does a pretty good job of letting us know what’s happening on our systems.