Friday, June 22 2018

Installing and Configuring AlienVault OSSIM OpenSource SIEM


In this tutorial I'll be installing and configuring AlienVault OSSIM, the open-source SIEM. Its current latest version is 4.14.0. I downloaded the ISO image from the official AlienVault website; you can download AlienVault OSSIM from the official link given below.

 

Installation of AlienVault OSSIM:

 

AlienVault OSSIM Download:   https://www.alienvault.com/open-threat-exchange/projects

Now, I’ll be demonstrating OSSIM installation step-by-step.

1- First, verify the downloaded ISO against the checksum published on the download page, then burn it to a CD/DVD. I'm going to install OSSIM on a VMware ESXi virtual machine, so I don't need to burn the image: a virtual machine can boot directly from the ISO.

2- Boot with the ISO image or CD/DVD.

3- Start the installation process and choose to install the OSSIM Server, not the Sensor, as shown below. The Server role includes the web interface, database and correlation engine; a Sensor only collects events and forwards them to a Server.

 

Installation-1

 

4- Select the language for the installation; I'll select English.

 

Installation-2

5- Select your country. If your country is not in the first list shown:

i)  Select “others”

ii) Click “continue”

iii) Select your “Subcontinent”

iv) Click “Next”

v) Select your country from the shown list.

vi) Click “Next”

 

Installation-3

6- Select your locale.

 

Installation-4

7- Select the keyboard layout you use with your PC/server.

 

Installation-5
8- The installer now loads the components it needs from the CD/DVD or, in the case of a virtual machine, from the ISO image.

 

Installation-6
9- If you have more than one network interface card, as is recommended, you'll be asked to select the primary interface to be used for management. The other interfaces are assigned their roles later, in the Getting Started wizard.

 

Installation-7-NetworkInterfaces
10- Provide the IP address for OSSIM, its subnet mask, the default gateway and the DNS server IPs of your network, as shown below. This is the address the web interface will be served on, so pick one on a network that only administrators can reach.

 

Installation--8-NetworkConfig
11- Enter the password for the root user, which is used for terminal/console (and SSH) access. Choose a strong one: this account controls the whole appliance and every log it stores.

 

Installation-9-RootPass
12- Installation of OSSIM now begins. It takes quite a long time to complete, depending on the resources of the server.

 

Installation-10-Started
13- When installation is complete, OSSIM reboots automatically and shows the following console screen, which displays the IP address to use for the OSSIM web interface.

 

Installation-11-Console
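Before moving on to the web interface, it is worth confirming from the console that the server components actually came up after the reboot. The script below is an added example for this page (it is not part of OSSIM or of the original post). The port list is my assumption about OSSIM's usual layout (443/tcp for the web UI, 40001/tcp for ossim-server, 40003/tcp for ossim-framework, 514/udp for syslog collection), and the embedded `ss -ltnu` output is a constructed sample; adjust EXPECTED if your build differs.

```shell
#!/bin/sh
# Post-install sanity check for an OSSIM server, run as root on the appliance
# console. Added example, not part of the OSSIM distribution. The expected
# listeners are an assumption based on OSSIM's usual layout: 443/tcp (web UI),
# 40001/tcp (ossim-server), 40003/tcp (ossim-framework), 514/udp (rsyslog
# collection). Adjust EXPECTED if your build differs.
EXPECTED="tcp:443 tcp:40001 tcp:40003 udp:514"

# missing_listeners: reads `ss -ltnu` output on stdin and prints each expected
# proto:port that is absent, one per line (prints nothing when all are up).
missing_listeners() {
    # column 1 is the protocol, column 5 is "local address:port"; keep only the
    # port, i.e. the text after the last ':' (this also handles [::]:443)
    listening=$(awk 'NR > 1 { n = split($5, a, ":"); print $1 ":" a[n] }')
    for want in $EXPECTED; do
        printf '%s\n' "$listening" | grep -qx "$want" || echo "$want"
    done
}

# Constructed sample of `ss -ltnu` output with the syslog listener missing,
# used to exercise the check offline (no real appliance needed).
SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:40001   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:40003     0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306    0.0.0.0:*'

# "live" checks the running system; anything else checks the sample above.
if [ "${1:-}" = "live" ]; then
    missing=$(ss -ltnu | missing_listeners)
else
    missing=$(printf '%s\n' "$SAMPLE" | missing_listeners)
fi

if [ -n "$missing" ]; then
    echo "Not listening:"
    echo "$missing"
    echo "Check the matching service, e.g. /etc/init.d/ossim-server status"
    [ "${1:-}" = "live" ] && exit 1
else
    echo "All expected OSSIM listeners are up"
fi
```

Run it as `sh ossim-check.sh live` on the appliance; with no argument it runs against the sample and reports `udp:514` missing, which is what you would see if rsyslog had not started. A service that is up but bound only to 127.0.0.1 (as ossim-server normally is) still counts as listening, so this check tells you the daemon is alive, not that a remote host can reach it.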

 

 

Configuration of OSSIM by Getting Started Wizard:

 

1- Open OSSIM in a web browser at the IP address shown on the console; in my case it is https://192.168.1.5. The appliance ships with a self-signed certificate, so the browser will warn on the first connection.
2- Start the configuration wizard by clicking the "Start" button.

 

Config-1-Start
3- With multiple network interfaces, OSSIM asks you to assign a role to each interface except the first one (which is assigned to management by default).
If you give an interface the "Log Collection and Scanning" role, OSSIM asks for an IP address and subnet mask for it; that address is where devices send their logs and the source from which OSSIM scans that network segment.

 

Config-2-NetworkAssign

Config-3-NetworkConfigOK

 

4- On the next screen, "Asset Discovery", OSSIM automatically scans the network for available hosts. You can re-scan manually, add hosts one by one, or import them from a CSV file. The scan is an active nmap-style probe, so expect it to show up in firewall and IDS logs on the networks you point it at.

 

Config-4-Assets
5- On the next screen, OSSIM asks whether to deploy a host-based IDS (the OSSEC agent) to the scanned hosts. Only the Windows/Linux hosts selected on the "Asset Discovery" screen are listed.
It asks for a privileged username and password to perform the deployment; click "Deploy" when you are ready to push the HIDS agent to those machines. Use a dedicated deployment account for this rather than a personal domain admin account, and change its password once the agents are installed.

 

Config-5-HIDS
6- For the devices marked as "Network Device" on the "Asset Discovery" screen, OSSIM offers to collect their logs. Select each device's vendor, model and version so that the matching log parser (plugin) is used. Collection is enabled only for the devices where you click "Enable" after providing these options. Note that this configures only the OSSIM side; each device still has to be configured to send its syslog to the collection interface from step 3.

 

Config-6-NetworkSyslogs
7- On the next screen, OSSIM asks for an OTX (Open Threat Exchange) registration token. Registration is free, and the token is required for automatic updates of the latest threat intelligence data.

 

Config-7-OTX
8- Click "Finish", or "Skip" to bypass this step and finish the configuration wizard.
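The wizard only enables collection on the OSSIM side (step 6); the network device itself must be pointed at the Log Collection interface from step 3, and the quickest way to confirm that the path works is to send a known event and watch for it arriving. The script below is an added example, not from the original post or from AlienVault: it builds an RFC 3164 syslog line, sends it over UDP and leaves the collector-side check as a tcpdump command. It assumes netcat (`nc`) is installed on the sending host, that the collector listens on 514/udp, and that the collection interface is eth1; replace the collector address with the one you gave that interface in step 3.

```shell
#!/bin/sh
# Send a known syslog test event to the OSSIM "Log Collection" interface so
# the path from a network device can be confirmed. Added example, not part
# of OSSIM or of the original post. Assumptions: netcat (nc) is installed on
# the sending host, and the collector listens on 514/udp.

# syslog_pri FACILITY SEVERITY -> RFC 3164 PRI value (facility * 8 + severity)
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# syslog_message TIMESTAMP HOST TAG TEXT -> one BSD syslog line at local4.notice
# TIMESTAMP must look like "Jun 22 10:00:00" (day space padded), which is what
# `date '+%b %e %T'` prints. Newlines in TEXT are flattened so that one call
# is exactly one event; a stray newline would otherwise be read by the
# collector as a second, attacker-shaped message.
syslog_message() {
    ts=$1; host=$2; tag=$3
    text=$(printf '%s' "$4" | tr '\n' ' ')
    pri=$(syslog_pri 20 5)          # local4 = 20, notice = 5
    printf '<%d>%s %s %s: %s' "$pri" "$ts" "$host" "$tag" "$text"
}

# send_udp COLLECTOR PORT MESSAGE -> one UDP datagram carrying the message.
# -w 1 makes nc give up after a second (UDP has no acknowledgement anyway).
send_udp() {
    printf '%s\n' "$3" | nc -u -w 1 "$1" "$2"
}

# Usage: sh ossim-syslog-test.sh COLLECTOR_IP [PORT]
# On the OSSIM console first, watch the collection interface (eth1 here is an
# assumption; use the interface you assigned in the wizard):
#   tcpdump -nni eth1 udp port 514
# The test line should appear there within a second of running this script.
if [ -n "${1:-}" ]; then
    me=$(hostname)
    msg=$(syslog_message "$(date '+%b %e %T')" "$me" ossim-test "connectivity test from $me")
    send_udp "$1" "${2:-514}" "$msg"
    echo "sent: $msg"
fi
```

Seeing the datagram in tcpdump proves routing, firewalling and the listener; it does not prove parsing, because a generic test line does not match the vendor plugin you selected in step 6. Once connectivity is confirmed, generate a real event on the device (a login, a denied connection) and look for it under the SIEM events view.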

AlienVault OSSIM has now been installed and configured. We can browse the OSSIM dashboard, shown in the figure below, or continue with further configuration. Let's click Finish and look at the dashboard.

OSSIM_Dashboard

What’s Next:

– Configuring OSSEC Clients to monitor with AlienVault OSSIM

– Configuring Nagios Plugins on Windows/Linux hosts to monitor with AlienVault OSSIM

– Configuring Snare Agents on Windows & Linux hosts to monitor them with AlienVault OSSIM

 

 

About Muhammad Attique

  • hamza

    Thank you :)

  • hamza

    Please, do you have information about configuration of Snort on OSSIM? Can you share it with me? Or with Suricata?

  • Ronald Hill

    Do you have a Snort configuration?