Posted by:
admin
11 years, 9 months ago
Big data is all the hype right now, but what most companies need is not big data but easy data. The truth is that most average-sized organizations do not even monitor the logs that the collect. That's changing as log management and monitoring are required as part of PCI compliance. Enterprises need log management tools.
In this spirit, we have released a WiKID plugin for OSSIM, Alienvault's opensource SIEM. It is very simple for now with only a few rules, but it will be easy to add more if there is interest.
The plugin consists of two files: http://www.wikidsystems.com/webdemo/WiKID.cfg and http://www.wikidsystems.com/webdemo/WiKID.sql .
Copy the first file to /etc/ossim/agent/plugins and the second to /usr/share/doc/ossim-mysql/contrib/plugins/WiKID.sql. Restart the ossim server and you should be good to go.
On the WiKID server, configure the logs to use syslog. You will need to edit the file /etc/WiKID/log4j.properties so it looks like this:
# Logging detail level,
# Must be one of ("trace", "debug", "info", "warn", "error", or "fatal").
#log4j.rootLogger=DEBUG, socketLogger
# comment the line above and uncomment the line below to use syslog
log4j.rootLogger=DEBUG, socketLogger, Syslog, A1
# comment out the rootLogger above and uncomment the line below to output logs to the console
#log4j.rootLogger=DEBUG, socketLogger, A1
log4j.appender.socketLogger=org.apache.log4j.net.SocketAppender
log4j.appender.socketLogger.RemoteHost=localhost
log4j.appender.socketLogger.Port=8300
log4j.appender.socketLogger.LocationInfo=true
# Uncomment the lines below if using syslog
log4j.appender.Syslog=org.apache.log4j.net.SyslogAppender
log4j.appender.Syslog.layout=org.apache.log4j.PatternLayout
log4j.appender.Syslog.layout.ConversionPattern=%-5p %c{2} [%t,%M:%L] %m%n
log4j.appender.Syslog.SyslogHost=
log4j.appender.Syslog.Facility=WiKID
log4j.appender.Syslog.FacilityPrinting=true
# A1 is set to be a ConsoleAppender.
log4j.appender.A1=org.apache.log4j.ConsoleAppender
# A1 uses PatternLayout.
log4j.appender.A1.layout=org.apache.log4j.PatternLayout
log4j.appender.A1.layout.ConversionPattern=%-4r [%t] %-5p %c %x - %m%n
Changing log4j.appender.Syslog.SyslogHost to your OSSIM server IP.
That's it. You can test it by logging in via radius and by using a bad password. WiKID has always recognized that two-factor authentication is just part of a balanced, deep security program. In order to work well, these pieces need to communicate.
If you would like to see other rules, please let us know!
Share on Twitter Share on FacebookRecent Posts
- Blast-RADIUS attack
- The latest WiKID version includes an SBOM
- WiKID 6 is released!
- Log4j CVE-2021-44228
- Questions about 2FA for AD admins
Archive
2024
2022
- December (1)
2021
2019
2018
2017
2016
2015
2014
- December (2)
- November (3)
- October (3)
- September (5)
- August (4)
- July (5)
- June (5)
- May (2)
- April (2)
- March (2)
- February (3)
- January (1)
2013
2012
- December (1)
- November (1)
- October (5)
- September (1)
- August (1)
- June (2)
- May (2)
- April (1)
- March (2)
- February (3)
- January (1)
2011
2010
- December (2)
- November (3)
- October (3)
- September (4)
- August (1)
- July (1)
- June (3)
- May (3)
- April (1)
- March (1)
- February (6)
- January (3)
2009
- December (4)
- November (1)
- October (3)
- September (3)
- August (2)
- July (5)
- June (6)
- May (8)
- April (7)
- March (6)
- February (4)
- January (427)
2008
- December (1)
Categories
- PCI-DSS (2)
- Two-factor authentication (3)
Tags
- wireless-cellular-mobile-devices (7)
- Two-factor authentication (10)
- Wireless, cellular, mobile devices (6)
- NPS (1)
- Phishing and Fraud (111)
- Active Directory (1)
- pam-radius (3)
- privileged access (2)
- Cloud Security (10)
- Mutual Authentication (60)
- Web Application Authentication (1)
- Authentication Attacks (99)
- pci (50)
- Security and Economics (97)
- WiKID (133)
- pam (2)
- VPN (1)
- Installation (2)
- RADIUS Server (1)
- Open Source (64)
- Tutorial (2)
- Strong Authentication (35)
- Information Security (137)
- Transaction Authentication (13)
- Miscellaneous (100)
- Linux (2)
- transaction-authentication (6)
- Two Factor Authentication (254)