Part 2.e: Distributing OSSIM sensor boxes
< Part 1: Raise your awareness
< Part 2: The Console
< Part 2.a: Configure AlienVault’s OSSIM as your primary security console
< Part 2.b: Adding assets to OSSIM
< Part 2.c: Configuring OSSIM plugins
< Part 2.d: Scheduling asset inventory and configuring software inventory
Distributing sensors to other systems:
As you may have already gathered, it is quite easy to have the local ossim-agent manage sensors that run on other systems, and/or watch their output.
1) If you want ossim-agent to manage remote processes, you will have to write start/stop/restart scripts that use some remote execution method (such as ssh). I do not know how the ossim-agent watchdog tests whether a process is running (and starts it if it isn’t), so process state monitoring may be a challenge in this setup.
2) If you want ossim-agent to simply watch a log file, use something that forwards the syslog output back to the OSSIM machine. This can be an involved process, so I will cover it later; I have already mentioned nxlog and rsyslog a bit in previous articles.
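As an added example for point 1 (my own illustration, not code from the original post or from OSSIM): a wrapper that the ossim-agent start/stop/restart hooks could call, running the sensor process controls over ssh. The host name, pidfile path and daemon command are placeholders, and the remote daemon is assumed to write its own pidfile; the status action returns a clean exit code so that whatever watchdog or cron job does the state check has something to act on.

```shell
#!/bin/sh
# Hypothetical wrapper (added example, not part of OSSIM or ossim-agent):
# gives ossim-agent's start/stop/restart hooks a way to control a sensor
# process that lives on another box, using ssh as the remote execution method.
# All three values below are placeholders to be overridden per deployment.
: "${REMOTE_SHELL:=ssh -o BatchMode=yes -o ConnectTimeout=5 ossim@sensor01.example.internal}"
: "${SVC_PIDFILE:=/var/run/sensor-daemon.pid}"   # written by the remote daemon
: "${SVC_START_CMD:=/usr/local/sbin/sensor-daemon -D}"

remote_exec() {
    # Run one command string on the remote host; its exit status becomes ours.
    $REMOTE_SHELL "$1"
}

svc_status() {
    # 0 if the pid recorded in the pidfile is alive, non-zero otherwise.
    # A clean exit code is what a watchdog or cron job can act on.
    remote_exec "pid=\$(cat '$SVC_PIDFILE' 2>/dev/null) && [ -n \"\$pid\" ] && kill -0 \"\$pid\" 2>/dev/null"
}

svc_start() {
    if svc_status; then
        echo "sensor process already running"
        return 0
    fi
    remote_exec "$SVC_START_CMD"
}

svc_stop() {
    # TERM the recorded pid and drop the stale pidfile afterwards.
    remote_exec "pid=\$(cat '$SVC_PIDFILE' 2>/dev/null) && kill \"\$pid\" && rm -f '$SVC_PIDFILE'"
}

svc_restart() {
    svc_stop || true   # "not running" is not an error for a restart
    sleep 1
    svc_start
}

# Dispatch only when invoked with an action, so the file can also be sourced.
case "${1:-}" in
    start|stop|restart|status) "svc_$1" ;;
    "") : ;;
    *) echo "usage: $0 {start|stop|restart|status}" >&2; exit 2 ;;
esac
```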
However, this might not be the best way to handle the situation, and you may instead want to implement a family of OSSIM sensor boxes.
Configuring an OSSIM sensor box:
I will have to get back to this later. Apologies.