dsvetlov/lightsiem dsvetlov/lightsiem

  • Stars
    star
    107
  • Rank 323,587 (Top 7 %)
  • Language
    Shell
  • Created over 9 years ago
  • Updated over 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
dsvetlov/lightsiem
github

dsvetlov

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Lightweight and sexy Security Information and Event Managment system for OSSEC, Snort and other IDS/IPS

LightSIEM

Lightweight and sexy Security Information and Event Managment system for OSSEC, Snort and other IDS/IPS ![Screenshot of LightSIEM] (https://github.com/dsvetlov/lightsiem/blob/master/screenshot.png) ![Screenshot of LightSIEM GeoIP map] (https://github.com/dsvetlov/lightsiem/blob/master/screenshot2.png)

Installation

LightSIEM now distributing as ansible playbook for RHEL/CentOS/Oracle Linix 7.x. Install EPEL repository

yum install http://fedora-mirror01.rbc.ru/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm -y

Install Ansible and additional packages

yum install ansible -y
yum install wget unzip -y

Download latest playbook code and unpack it

wget https://github.com/dsvetlov/lightsiem/archive/master.zip
unzip master.zip

Run playbook

ansible-playbook lightsiem-master/lightsiem-install.yml

On your OSSEC server enable ability to send alerts via syslog

/var/ossec/bin/ossec-control enable client-syslog

Then add in /var/ossec/etc/ossec.conf this lines to send ossec alerts via sysslog in logstash

<ossec_config>

...

   <syslog_output>
   <server>address of LightSIEM server</server>
   <port>9000</port>
   <format>default</format>
   </syslog_output>
...
</ossec_config>

Forward snort log to LightSIEM via IETF-syslog format (RFC 5424). Example configuration for rsyslogd.

if $programname == 'snort' then {
   *.* @( o )<address of LightSIEM server>:9010;RSYSLOG_SyslogProtocol23Format
   &stop
}

Now point your web-browser to port 5601 of your LightSIEM server. Default login and password is kibanaro/2FgeR37e1.