OSSEC+ config
unless specified, all edits in file etc/ossec.conf
Change rules section to this:
<![CDATA[
<rules>
<decoder_dir pattern=".xml$">etc/decoders.d</decoder_dir>
<rule_dir pattern=".xml$">etc/rules.d</rule_dir>
<list>etc/lists/threat</list>
</rules>
]]>
Add this in the <global> block when using kofe:
<![CDATA[
<jsonout_output>yes</jsonout_output>
]]>
Add this in the <global> block for email notification:
<![CDATA[
<email_notification>yes</email_notification>
<email_to>receiver@mydomain.here</email_to>
<smtp_server>smtp.mydomain.here</smtp_server>
<email_from>ossec@mydomain.here</email_from>
]]>
Add this block for daily reports by email:
<![CDATA[
<reports>
<category>authentication_success</category>
<user type="relation">srcip</user>
<title>Daily report: Successful logins</title>
<email_to>ossec.report@mydomain.here</email_to>
</reports>
<reports>
<category>syscheck</category>
<title>Daily report: File changes</title>
<email_to>ossec.report@mydomain.here</email_to>
</reports>
]]>
Receive syslog in OSSEC+ :
<![CDATA[
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>tcp</protocol>
<allowed-ips>192.168.1.0/24</allowed-ips>
<local_ip>0.0.0.0</local_ip>
</remote>
]]>
Notification in slack:
edit the active-response/bin/ossec-slack.sh script to match your slack channel and add:
<![CDATA[
<command>
<name>slack-notify</name>
<executable>ossec-slack.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
<command>slack-notify</command>
<location>local</location>
<level>1</level>
<timeout>600</timeout>
</active-response>
]]>
