For some time now I’ve been testing OSSEC on my own infrastucture, so far it’s one of the best IDS software I’ve implemented. Unfortunately the only method of alerting it has is via mail, being an hardcore Nagios fanatic I’ve been searching for a way to integrate OSSEC alerts on it.
None of the solutions I’ve encountered on the web sufficed, so nothing better than creating my own and sharing it with you.
Well, with little personal time to spare I decided that It would be something quick and dirty, so nothing like a log parser to get the job done.
The idea is pretty simple, ossec-server has an alert.log file that gathers all the events of its agents, each event has an alert level associated with it and the log file is rotated each day.
In my case I just needed to search the log for an alert level equal or higher than 7 (ex: ‘ integrity checksum changed’, ‘user missed the password more than one time’, etc…) and pass the information to nagios-server in a formatted string like HOST ALERT_LEVEL CAUSE.
Using NRPE daemon to call the script and ensuring that the message reaches nagios-server, all pieces were in place and my problem solved, here’s how it looks on Nagios: